The California Consumer Privacy Act (CCPA) is a California Internet privacy law that deals with consumer data protection and a user’s right to seek privacy online.
It is America’s first law to create a thorough set of guidelines around consumer information, akin to the EU’s General Data Protection Regulation (GDPR).
The CCPA enables residents of California to learn what personal data businesses collect about them, their children, and their devices.
The FTC and Consumer Data Protection and Privacy
The Internet is a largely deregulated space in regards to privacy, where social media and tech firms, in particular, have lived by an anything-goes attitude for decades. States, such as California, are now finally stepping in with their very own consumer data privacy laws.
In the absence of general consumer privacy laws, America has issued massive fines against companies such as Facebook, PayPal, and Uber, leveraging the Federal Trade Commission (FTC). Under Section 5 of the 1914 FTC Act, companies cannot engage in deceptive or unfair actions or practices. Some time ago, the FTC boldly took on misleading or false advertising carried out by some of the leading consumer brands in the country.
These were baby steps taken by the FTC to inspect misleading “representations” made by leading social media and tech firms about the confidentiality of the data they amass. Facebook, for example, told its users in its privacy notices and apps that it would not sell their personal data, or that users could limit access to their information by checking off certain boxes.
However, when the FTC filed a complaint against the social media giant in 2012 and the company agreed to a settlement, it became clear that Facebook was not actually walking the talk. The trail of complaints doesn’t end there: another FTC complaint was raised for pretty much identical violations, and it was resolved only after Facebook agreed to a $5 billion settlement.
The FTC is certainly in charge of consumer data protection and privacy in the country. However, its wings are clipped: it cannot act against a particular company if that company says nothing about user data protection or privacy on its platform, in its advertising, or through its products.
What Is the California Consumer Privacy Act? And What Rights Does It Afford to Citizens?
Signed into law in 2018 and in effect from January 1, 2020, the California Consumer Privacy Act (CCPA) lets consumers ask a service provider to disclose the categories and the particular pieces of personal data it has amassed about them, along with the information’s source and the purpose of collection. The law also allows consumers to request that a business delete the personal data it has collected about them.
People residing in California have the right to learn about the different categories of personal information, such as voice recordings or smartphone locations, that a business has on them. The law also lets users learn about the types of third parties – such as app developers – a business has sold data to or obtained the information from.
Consumers also have the right to see the particular pieces of personal data a business has collected about them, which could include an individual’s:
- Physical locations
- Online activities
- Biometric facial data
- Ride-hailing routes
- Ad-targeting data
Individuals can also ask to see particular inferences made about them based on the collected data – which include categorizations or predictions related to their behavior, psychology, attitudes, abilities, or intelligence.
Thanks to the CCPA, consumers are now well within their rights to prevent businesses from selling their personal data to third parties or making commercial use of it without their prior consent or knowledge. Most importantly, businesses cannot discriminate against buyers who do not want their personal information publicized.
If you are concerned about how a particular company uses your personal information for commercial gain and would like to prevent the business from doing so, just send an email to the company. Note that the kind of details provided to you will not be standard across the board.
Also, for security reasons, a company could ask you to prove your identity, for example by providing a copy of your driver’s license, so that it is sure the data is being forwarded to the correct person.
CCPA’s Key Takeaways
- It enables you (the consumer) to tell businesses not to share or sell your information with other firms.
- It gives you complete control over all your data collected from different sources.
- It lets you hold businesses accountable for not safeguarding your personal data.
- It enables you to request service providers to anonymize your information so that the data doesn’t get correlated to you, or you do not get tracked online using that information.
According to the CCPA, personal data is any piece of information that is identifiable and can characterize an individual. The data could include information from all or some of your:
- Postal addresses, IP addresses, email addresses, and numbers of documents such as passports, driver’s licenses, or other similar identity documents.
- Devices connected to the Internet, such as smartphones, tablets, and laptops. Your interaction with advertisements and websites on these devices, your browsing history, and so on are all counted.
- Geolocation information gathered from web and mobile applications.
- Biometrics such as retina, iris, face, fingerprints, and voice.
- Online information such as facts, conclusions, assumptions.
- Unique pieces of information identifying a connection between you and a health insurer.
- Feedback you share with businesses on the products you purchased.
While the focus is extensively on new consumer privacy rights, CCPA also has a data security element attached to it. The law requires businesses to employ and maintain proper security procedures.
Does the Law Apply to California Alone?
Just because the law has “California” in its name doesn’t mean it is confined to California’s borders. The law covers every firm that does business with Californians living in the state, as well as with people domiciled in the state who are temporarily staying elsewhere for business or personal reasons.
Courtesy of the law, there are certain benefits that citizens of California would enjoy over non-Californians, which include the ability to:
- Not proceed with a transaction if personal data is at stake.
- Ask a company to delete their personal information.
Non-Californians are most likely to enjoy these benefits going forward since most companies are likely to adopt the law and implement it, irrespective of their geographic location.
Institutional Responses to CCPA
The CCPA reportedly affects close to 500,000 businesses operating in the United States. It has caused several companies to make changes to their privacy policies and terms of service, and multiple companies have, in fact, come forward to comply with the rules set down by the CCPA.
Microsoft, for instance, announced that it would ensure the protection of individual data privacy rights throughout the United States, thus honoring the CCPA. Despite its dark past, Facebook claimed that it supported CCPA in 2018 as it has a commitment towards consumer privacy globally, which is strongly in line with the CCPA’s underlying tenets of control and transparency.
Uber, in response to the law, came up with an opt-out option that allowed customers to not share their information with third-party businesses for ad targeting. Google also announced that it would build on its feature that it devised following the GDPR, by offering limited data processing so that its advertisers, partners, and publishers could manage their compliance.
Some companies, such as T-Mobile and Oracle, have not publicly expanded on how they are complying or will comply with the law.
What Kind of Businesses Does CCPA Impact? And How Can They Be CCPA-Compliant?
The law covers retailers, ride-hailing services, mobile service providers, cable TV companies, and every other business that collects personal information of their users for commercial reasons or any other purpose.
A business must also meet at least one of the following conditions to be bound by the CCPA:
- Its gross annual revenues exceed $25 million.
- It has access to the personal information of at least 50,000 individual users, households, or devices.
- It makes at least 50% of its revenue by selling the personal information of its users.
To be CCPA-compliant, businesses must provide users with all the data amassed about them upon request. In addition, they must disclose:
- The various sources from which the data was collected.
- The purpose or intent of selling or collecting the data.
- Details about other companies with whom the collected data were/are shared.
Businesses keen on conforming to the privacy law should also:
- Notify users in advance of the personal information they are likely to collect from them.
- Provide users multiple ways to opt out of data collection, for example an opt-out link on their site alongside a phone number for contacting the business.
- Offer users who opt out the same features as those provided to users who chose to take part in data collection.
- Keep a record of such user requests and their responses to those requests.
- Respond to user requests and provide the requested information within 45 days from the date of request.
- Disclose their own data privacy and protection practices and policies to their users.
What if Businesses Fail to Comply?
Companies that fail to comply with the CCPA will be heavily penalized. They can be charged up to $7,500 for each violation if the violation is ruled intentional, and $2,500 per violation if they break the law unintentionally. Failure to safeguard user data, or negligence leading to data theft, also counts as a violation of the law.
However, the CCPA is not designed to be reckless toward businesses at fault. Companies concerned receive a 30-day period to correct their mistakes. If they succeed in fixing the violation and the affected user confirms this in writing, businesses can save themselves from further action.
CCPA’s Effect on Other States
In the wake of the CCPA, policymakers in several other states have been called upon to build on the advancements fashioned by California and take the mantle ahead by integrating robust requirements that would render companies even more responsible for all the user information they gather and utilize for their gains.
Besides driving policy talks in other states, the CCPA could also likely turn into a blueprint of sorts for others to base their own laws on since there is no GDPR equivalent in the U.S. yet. New York, Washington, and Illinois are likely to furnish draft laws during 2020, based on their activities with the Internet Association. That said, those laws are bound to have elements unique to the respective states.
States are also likely to continue passing an increasing number of sectoral privacy laws directed at specific industries. Though a comprehensive and strong federal privacy bill is not very likely in the near future, the CCPA, along with other state laws, will continue to drive talks on Capitol Hill in Washington, D.C.
Comparing CCPA to GDPR
The European Union’s (EU) General Data Protection Regulation (GDPR) is a general consumer information privacy and security law. Since the CCPA comes pretty close to tackling consumer data privacy (albeit at the state level), it is fairly comparable to the GDPR. Both give users the right to access and delete their data and to opt out of online engagements with a business at any time.
The GDPR, however, gives consumers the right to rectify incorrect personal information, which the CCPA does not. Also, the GDPR requires explicit consent at the point when consumers hand over their information. The CCPA, in contrast, asks the service provider to inform consumers, via a privacy notice, of their right to opt out of a particular data collection practice.
The CCPA defines personal data fairly broadly. According to the law, personal information is anything that identifies, describes, relates to, or can reasonably be associated or linked, directly or indirectly, with a specific consumer or household. This expansive view of consumer information is quite similar to how the GDPR defines “personal data.”
Privacy Policies for Online Services or Websites
The laws also cover any other similar mechanism that gives buyers the ability to choose how their personal information is used or how they are tracked over time. Website operators must also reveal whether third parties are, or could be, carrying out tracking activities on the site.
In addition, although not targeted specifically at online businesses, California law requires all non-financial companies to disclose to their patrons, by electronic mail or in writing, the kinds of personal data they sell or share with another business for compensation or direct marketing purposes. Under the law, businesses may post a privacy statement giving buyers the opportunity to opt out of having their information shared.
Online Privacy of Minors
California’s privacy rights for the state’s minors allow children to remove, or request the removal of, information or content they posted:
- on a website
- in an online application
- on a mobile app, or
- on any other online service
The rights also bar the operator of an online service or website from advertising or marketing to minors specific goods or services that they cannot legally purchase. The law even prohibits promoting certain offerings based on personal data relating to a minor. The site owner must also not use, disclose, or compile that information, or allow another business to capitalize on it.
America, unlike Europe with its GDPR, doesn’t have a central privacy law or an all-encompassing consumer data protection law. Instead, there are multiple vertically focused privacy laws, along with a fresh breed of consumer-focused privacy laws. The 1974 U.S. Privacy Act, Children’s Online Privacy Protection Act (COPPA), Gramm-Leach-Bliley Act (GLBA), etc. are laws that have been instituted at the federal level for various industries.
COPPA, in fact, was the first major move to regulate personal data collected from minors. However, none of these laws categorically prohibit private companies from collecting consumer data online without due permission. With the CCPA in place, however, you may soon see progress toward a consumer data protection law at the federal level, just like the GDPR.