This New CCPA Law Will Have a Huge Effect on California Residents

Last updated on June 20, 2021

In a world where internet freedom is further restricted almost daily, and data is more precious than gold, the California Consumer Privacy Act (CCPA) is a breath of fresh air.

Rather than taking control of data out of the hands of users and placing it into those of service providers, the CCPA promises to give consumers in California greater privacy and more control over the personal information that companies and websites store, sell, and share.

While the law will only protect Californian residents, when it comes to businesses being CCPA compliant, it will extend far beyond the state borders. Companies like Google are already gearing up for the CCPA which could prove costly for businesses but may well prove beneficial in the long run and “could help improve business’ capacity to produce and bring research to market as well as increase firm capacity for product innovation”.

What is the CCPA?

Coming into effect in January 2020, the CCPA is a new piece of privacy legislation designed to protect the rights of Californians and give them greater control over their personal data. It will also mean an end to data sharing, forcing companies to become savvier about collecting their own data. On the other hand, that shift in data handling could mean some hefty fees when it comes to covering compliance costs.

Not only will the new legislation give consumers the right to know exactly what information a business collects, but it also “requires businesses tell consumers what data it’s collecting and gives consumers the right to say no to the sale of their personal information”. The CCPA is a step in the right direction in terms of both net neutrality and data sharing.

The CCPA is placing power in the hands of consumers and giving them the right to sue for data breaches even if their information wasn’t compromised. It also means that social media users will be able to ask for their data to be deleted. In other words, if you posted something embarrassing on social media when you were a teenager that you regret when you enter the job market, you can ask to have it removed.

The CCPA extends to protect children aged 16 years or younger who must opt-in before any of their personal data can be collected. Companies will also have to make sure that, in the event of a minor opting in to data collection, the person giving their consent is indeed that child’s legal guardian or parent. Minors must also be allowed to opt-out of the sale of their personal information at any time.

With additional legislation requiring that all privacy policies are updated to reflect the changes to how data is being collected, shared, or sold, the CCPA is promising greater transparency to all Californian consumers.

The CCPA promises to deliver the following:

  • Improved data privacy for individuals
  • Increased trust between consumer and company
  • Marketing strategies will be based on reliable data
  • More accurate data collection processes
  • An important step towards the future of data privacy

If private data was the oil of the internet, then the CCPA is the first step towards solar.

What Does It Do and Why Should I Care?

The CCPA is designed to protect all types of personal information, including:

  • Personally identifying data like your name, postal address, email address, driver’s license number, IP address, social security number, account name, etc.
  • Commercial information including records of services or products purchased or your retail histories and buying preferences
  • Biometric information like fingerprints, facial shape, voice recognition, etc.
  • Online activity including your search and browsing histories, and any interaction you had with specific sites or online advertisements
  • Geolocation information
  • Educational information that’s not available publicly
  • Employment-related data
  • Any information such as consumer profiles which have been constructed using any of the information categories listed above

Not only will the CCPA protect the collection, storage, sharing, and selling of such data but it will also mean that compliant companies must be completely transparent about the type of information they collect and how they use it.

The hope is that such regulations will mean an end to data harvesting fiascos like the Facebook Cambridge Analytica scandal that gathered personal information about millions of Facebook users without their consent and used it for political advertising.

Who Has to Be CCPA Compliant?

Any business operating on a for-profit basis that handles personal information about Californian residents or employs people in California is affected, but only if it meets one of the following thresholds:

  1. A business with annual gross revenue of over $25m
  2. A company that shares or receives the personal information of 50,000 or more consumers, households, or devices each year
  3. Any business that derives at least 50% of its annual revenue from selling consumer data

That’s the simple part. It gets significantly more complex as we dig deeper into its far-reaching implications. For starters, the CCPA affects any company doing business with a Californian resident, which means multinational superpowers like Amazon, Facebook, and Google will all have to climb on board. Furthermore, the CCPA legislation could also affect parent companies, which will have to comply if they have a subsidiary operating within California.

What Does This Mean for Users?

For consumers, the CCPA promises great things and indicates a monumental shift in how data is viewed and handled. By forcing companies to be completely transparent and divulge the particulars of what information they collect, while also giving users the right to have that data deleted or stop it from being sold, the CCPA is surely a step in the right direction in terms of individual privacy.

On the other hand, however, some activists feel it doesn’t go far enough. According to Samantha Corbin, a representative of the Electronic Frontier Foundation, the CCPA will do little to prevent “third-parties gaining unfettered access to mountains of data, as Cambridge Analytica infamously did with Facebook”.

Others suggest that the CCPA is fundamentally flawed as a result of “the abbreviated legislative process last year”. Coming from the Internet Association, which represents multinational giants like Uber, Microsoft, Facebook, and Google, however, you might want to take that with a pinch of salt.

It’s certainly not all clear-cut, however, and a quick read of Google’s article on the subject throws up the first red flag. “CCPA does recognize certain exceptions to the definition of ‘sale,’ such that not all transfers of personal information are sales.” For example, transferring personal information to a “service provider” under the law is not a “sale”. It is therefore up to the user to understand the difference between a data transfer and a data sale and perform the necessary opt-out accordingly.

Others suggest the CCPA represents something of a double-edged sword, giving consumers the benefit of sharing more information about themselves with companies they’re loyal to while risking placing that data in the hands of companies with sloppy privacy policies.

Overall, however, advocates like Elizabeth Galicia of Common Sense Media believe that “The Consumer Privacy Act will allow consumers to take control of and make informed choices about their own data, control that fosters a healthy relationship to technology and overall digital wellbeing”.

Research indicates that Californians are more than ready for these changes, with surveys revealing the following statistics:

  • 97% of Californians support legislation that requires companies to get consumers’ permission before they can share their personal data
  • 89% believe that tech companies should do more to protect personal information
  • 95% want the right to know what information companies are collecting about them and who they share it with
  • 86% support new legislation that would prevent companies from penalizing consumers who exercise their privacy rights by providing a substandard service or by demanding higher prices
  • 94% want to have the right to legally pursue a company that violates their privacy rights

What Does This Mean for Businesses?

Businesses face a steep learning curve as they prepare for the implementation of the CCPA and make some dramatic changes to their privacy policies and data handling processes. The most basic changes include giving consumers:

  • Information about what personal data they collect, store, share, and sell
  • The ability to opt-out of data collection and delete personal information
  • The right to opt-out of data sharing
  • The right to equal services even if they exercise their privacy rights
  • The ability to request and receive all retained data via email or mail

At this point, you’re probably thinking that the CCPA is simply America’s take on the GDPR and, while the European Union’s General Data Protection Act has been a useful stepping stone for those companies needing CCPA compliance, there are some fundamental differences.

Under the CCPA, a company can’t refuse a consumer equal service simply because they opted out of data collection, but they can offer incentives to those who opt-in. In other words, “businesses are not prohibited from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer if that difference is reasonably related to the value provided to the consumer by the consumer’s data”.

This may sound rather daunting for companies that need to achieve compliance by the New Year, but some suggest the CCPA may also allow businesses to further develop their data-based research.

According to EFF activist Hayley Tsukayama, “If the CCPA increases consumers’ trust of data protections it could actually increase the amount of data that consumers are willing to share with firms. Despite the additional controls put on data use, increased access to users’ data could help improve business’ capacity to produce and bring research to market as well as increase firm capacity for product innovation.”

Furthermore, companies embracing the higher level of data protection advocated by the CCPA will gain a more positive reputation as a trustworthy company committed to user privacy. Businesses relying on consumer data for their marketing strategies will also have to raise the bar and start working harder to gather their own data, rather than relying on dodgy third-party data sales.

The Challenges of the CCPA

It’s not all fun and games for CCPA-compliant businesses, however, and they’re facing some serious challenges, both legally and financially. First, there are the changes that need to be implemented to comply with the CCPA. These don’t come cheap and an economic impact assessment suggests that the CCPA “could cost companies a total of up to $55 billion in initial compliance costs”.

Even more worrying are the potential legal implications of the CCPA. Not only would failure to comply result in fines of up to $7,500, but individuals could sue for anywhere between $100 and $750 if the company is hacked, or their data breached. Consumers will also be able to seek damages should they feel the security of their data was compromised.

According to some, this will result in “an onslaught of class-action suits… [where] even companies who do believe they have reasonable security measures in place will have to essentially prove that through expensive litigation”.


For privacy advocates, the CCPA is a welcome development and promises to be the first of many new laws designed to give consumers greater control and ownership over their personal data. While it poses something of a headache for businesses that must restructure their data handling processes and ensure the security of the data they collect and store, it could also see a positive shift in international mindsets regarding the ethical use of personal data.

Most internet users have wondered, “Is my computer spying on me?” and the answer, in effect, is yes. The CCPA has the potential to blindfold those spies by giving the consumer the right to opt out of trackers that collect data as well as online ad targeting. By requiring businesses to have specific links stating, “Do Not Sell My Personal Information”, users will finally be able to leave those online trackers behind and browse in comparative peace.

There’s a fundamental shift in how data is being viewed and the CCPA is indicative of that change. Where data was once the virtual gold of the internet, it’s now becoming a high-value currency that consumers think carefully about before spending. Even big social media companies like Facebook are feeling the pinch as eroding trust caused a drop of one million daily users in Canada and America in 2017 alone.

It seems the tide is turning and it’s time to take back control and ownership of your data by doing business only with those companies you trust to handle your data with a modicum of respect.
