The digital world was shaken up on June 28, 2018, when the California Consumer Privacy Act of 2018 (CCPA) was passed by the state legislature and signed into law the same day, introducing the strictest data privacy and consumer rights law the US has yet seen.
The act adds to the rapidly growing list of privacy laws that have turned the world of digital operations and online business on its head. While businesses continue to adjust their strategies to suit the guidelines of the EU’s General Data Protection Regulation (GDPR), more pieces of legislation (including the ePrivacy Regulation, the CONSENT Act, and the Social Media Privacy Protection and Consumer Rights Act of 2018) are coming to the surface.
The CCPA brings the data privacy efforts forged by the EU into US legislation, setting the stage for a new era in American digital regulation.
Based in California – the tech hub and data collection center of the world – the act has quickly garnered a reputation for its groundbreaking nature, inevitable influence, and controversial reception.
But what exactly is the California Consumer Privacy Act of 2018? Why is it being met with both praise and condemnation? And what does its passing mean for you and your business?
Table of Contents:
- What is the California Consumer Privacy Act?
- Key Features & How to Comply
- Penalties & Enforcement
1. What is the California Consumer Privacy Act?
The California Consumer Privacy Act of 2018 – or CCPA – is a bill (AB 375) passed by the California legislature and signed by the Governor on June 28, 2018.
The initiative that the bill is based on was drafted by the group Californians for Consumer Privacy. The group’s chairman, Alastair Mactaggart, says of the initiative:
After two years of research, the initiative we drafted is straightforward, and based on three principles: transparency, control and accountability.
The act draws on the EU’s newest and most comprehensive privacy law, the GDPR, and seeks to put greater control over personal data back in the hands of the users to whom it belongs.
When does it come into effect?
The act is set to take effect on January 1, 2020.
The effective date matters because of the way the law was passed: it leaves roughly a year and a half during which the legislature can edit and adjust the text.
Because the CCPA is an ordinary statute rather than a voter-approved initiative, it can be amended through the normal legislative process, both before and after it takes effect.
Had the act been adopted by the people of California as a ballot measure, its text would have been far harder to change, since California initiatives generally cannot be amended by the legislature without going back to the voters. As it was passed by the legislature, the language of the bill is still subject to change.
This means that the next 18 months will likely see more debate over the act, as lobbyists and tech giants make moves to water down the law – and privacy advocates make moves to stop them.
Who needs to comply?
The CCPA is designed to grant and uphold the rights of California residents. Therefore, any for-profit business that does business in California and collects personal information from Californians is subject to comply, regardless of the physical location of the company itself, provided it meets at least one of the act’s thresholds: annual gross revenues above $25 million; buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices per year; or deriving 50 percent or more of its annual revenue from selling consumers’ personal information.
This leaves room for the question: Will businesses treat Californian consumers differently than they do those from other states?
Jamie Court, President of Consumer Watchdog, says that while businesses can, in practice, distinguish Californian users from those of other states, maintaining two different sets of practices would create serious friction in the marketplace.
Instead, Court anticipates that companies will adopt practices designed to comply with the CCPA, and implement them across the board – giving users from all states equal data treatment.
With the recent institution of data privacy laws like the CCPA and the GDPR, it’s clear that it’s only the beginning of a growing trend toward consumer rights. While any business with users in California needs to comply with the CCPA, it’s only a matter of time before similar laws will arise and further widen the scope of compliance.
That being the case, companies across all states – and in a good deal of countries – should be taking steps now to meet the changing standards enforced on businesses’ interactions with user data.
2. Key Features & How to Comply
The CCPA clearly draws inspiration from the GDPR. However, the act is a diluted version of the EU’s sweeping regulation, and primarily addresses four areas: access, user control, protection, and non-discrimination.
According to the act itself, Californians are now entitled to the following rights:
- To know what information is being collected about them
- To know if their personal information is sold or disclosed, and to whom
- To say ‘no’ to the sale of personal information
- To access their personal information
- To equal service and price, even if they exercise their privacy rights
But what exactly do these rights mean for businesses who collect, store, share, and use the information of California citizens?
The act aims to give users greater access to the information that is collected from them, and know how that information is treated and shared – bringing forth a culture of transparency around consumer data.
Under the CCPA, users have the right to request businesses to disclose to them the following:
- What information has been collected
- The sources from which that data was collected
- The business purposes for collection
- Whether that information is sold, and for what business purpose
- The third-party recipients of the data
You need to be able and willing to divulge the above pieces of information to your users upon “verifiable request.” The information you then relay should cover the last 12 months of data collection, sharing, use, and sale, as it applies to that consumer’s personal information.
An easy way to address this feature of the CCPA is to offer users a form that allows them to submit data requests.
If you receive such a request, make sure to round up the information requested by that user and present it to them in a timely manner – within 45 days as per the guidelines of the CCPA.
Furthermore, any California consumer has the right to make such requests twice over the course of 12 months.
While the CCPA allows 45 days to respond to a consumer request (extendable once by a further 45 days where reasonably necessary), keep in mind that the GDPR allows one month, extendable by two further months only for complex or numerous requests.
Along with the access that you allow users to their information via requests, a key component to increasing consumer access as per the CCPA is transparency.
The current onslaught of privacy laws most notably serves to give users more control over their data. From making data handling requests, to the ability to opt out of data sale, users are being given rights over their personal information that have never before been established on American soil.
Let’s get into what you need to do to uphold these new rights and controls.
Honor consumers’ data requests
Not only do you need to honor a user’s request to access information about the data collected from them, but you also need to honor requests to delete that data entirely.
A form like the one described above can satisfy both the access and deletion aspects of user data management. Making such a form, link, or page available on your site will allow users to exercise the rights they have over their data, and helps keep you off the Attorney General’s radar.
Allow users to opt out of the sale of their data
According to Section 1798.120 (a) of the California Consumer Privacy Act:
A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out.
To support this right, Section 1798.135 requires a clear and conspicuous link on the business’s homepage, titled “Do Not Sell My Personal Information,” which needs to take the user to a page designated to allow them to opt out of the sale of their personal information.
Implement data sale opt-in for consumers under 16 years old
While most users are granted the right to opt out, as detailed above, those under the age of 16 are explicitly given the “right to opt in.”
Section 1798.120 (d) states:
A business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, […], has affirmatively authorized the sale of the consumer’s personal information
While the right to opt in applies broadly to users under the age of 16, keep in mind that to lawfully sell the data of users under the age of 13, the opt-in to data sale must be granted by a parent or guardian.
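The request-handling rules above (two verifiable requests per 12 months, a 45-day response window) and the opt-out/opt-in rules for data sale are easy to get subtly wrong in code, particularly around consumers whose age the business does not actually know, and around opt-out taking precedence over an earlier opt-in. The following is an added example, not code from the original article or from any vendor, that encodes those decisions in one place. The data shape, function names, and the use of a rolling 365-day window for “twice in 12 months” are assumptions made for illustration; the statute does not specify whether the window is rolling or calendar-based.

```python
"""Added illustration of CCPA request and data-sale gating (hypothetical code).

Rules modelled, as described in the article:
  * a consumer may make a verifiable request at most twice in a 12-month
    period, and the business must respond within 45 days;
  * a consumer may opt out of sale at any time (Section 1798.120(a));
  * with actual knowledge that the consumer is under 16, no sale without
    affirmative opt-in; under 13, the opt-in must come from a parent or
    guardian (Section 1798.120(d)).
The 12-month window is implemented as a rolling 365 days (an assumption).
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

RESPONSE_WINDOW_DAYS = 45
MAX_REQUESTS_PER_WINDOW = 2
REQUEST_WINDOW = timedelta(days=365)  # assumed rolling 12-month window


@dataclass
class Consumer:
    consumer_id: str
    # None models the business having no "actual knowledge" of the age.
    known_age: Optional[int] = None
    opted_out_of_sale: bool = False
    self_opt_in: bool = False       # affirmative authorization by the consumer
    guardian_opt_in: bool = False   # affirmative authorization by parent/guardian
    request_dates: List[date] = field(default_factory=list)


def sale_permitted(c: Consumer) -> bool:
    """Return True only if selling this consumer's personal information is allowed."""
    if c.opted_out_of_sale:
        # An opt-out always wins, regardless of age or any earlier opt-in.
        return False
    if c.known_age is None or c.known_age >= 16:
        # Default opt-out regime: sale is allowed until the consumer says no.
        return True
    if c.known_age < 13:
        # Child: only a parent or guardian may authorize the sale.
        return c.guardian_opt_in
    # Ages 13-15: the minor may authorize the sale themselves.
    return c.self_opt_in or c.guardian_opt_in


def accept_request(c: Consumer, today: date) -> Optional[date]:
    """Record a verifiable consumer request and return the response deadline.

    Returns None if the consumer has already made the maximum number of
    requests within the rolling window, in which case the request may be
    declined under the act's frequency limit.
    """
    window_start = today - REQUEST_WINDOW
    recent = [d for d in c.request_dates if window_start < d <= today]
    if len(recent) >= MAX_REQUESTS_PER_WINDOW:
        return None
    c.request_dates.append(today)
    return today + timedelta(days=RESPONSE_WINDOW_DAYS)


if __name__ == "__main__":
    # Constructed sample consumers, not real data.
    teen = Consumer("c-14", known_age=14, self_opt_in=True)
    child = Consumer("c-12", known_age=12, self_opt_in=True)
    print("14-year-old with own opt-in:", sale_permitted(teen))       # True
    print("12-year-old with own opt-in only:", sale_permitted(child))  # False
    adult = Consumer("c-adult")
    print("deadline:", accept_request(adult, date(2020, 1, 15)))       # 2020-02-29
```

The shape worth copying is the ordering of the checks: the opt-out test runs first so that a stored opt-in can never override a later opt-out, and the unknown-age branch is explicit so that a missing date of birth does not silently fall into the under-16 path or, worse, get treated as a child having given consent.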
As we cover below, in the Penalties & Enforcement section, consumers now have a private right of action when their nonencrypted or nonredacted personal information is breached as a result of a business’s failure to implement and maintain reasonable security procedures and practices (Section 1798.150).
Keeping consumer data safe and secure therefore comes down to controls you can demonstrate: knowing what data you hold, encrypting it at rest and in transit, restricting who and what can reach it, and documenting the procedures you follow.
Data is a precious commodity, and the damages a business may face for failing to keep it safe are loftier than ever.
Make an effort to audit your data, evaluate the procedures with which you handle it, and adjust your strategies accordingly to maximize protection.
Data mapping is quickly becoming a staple in the appropriate handling of consumer data, for both data safety and legal compliance.
The act states:
A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title
But what exactly constitutes discriminatory practices against users who choose to opt out?
According to the CCPA, such actions include, but are not limited to:
- Denying goods or services
- Charging differential prices (including through the use of discounts, penalties, or price benefits)
- Offering a different quality of goods or services to those who exercise their rights than those who do not
- Suggesting that the consumer will receive differential prices or qualities in the event that they exercise their rights
The act does present a caveat to the above, noting that a business can, in fact, offer different prices or qualities of goods and services “if that difference is reasonably related to the value provided to the consumer by the consumer’s data.”
While this allows businesses some wiggle room in how they may incentivize users to relinquish control of their data, we recommend proceeding with caution in this undertaking, given the high risk of consumer backlash.
3. Penalties & Enforcement
As the act is a piece of state legislation, enforcement ultimately resides with the Attorney General’s office.
As for the penalties that noncompliant businesses face, the Attorney General can seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation. Separately, consumers whose data is breached may recover statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater.
While these figures immediately read as much less than the multi-million-euro fines threatened by the GDPR, large-scale data breaches or audience-wide data handling violations could easily add up to a detrimental chunk of change for companies to fork over.
In fact, a breach affecting just 1,300 consumers exposes a business to nearly $1 million in statutory damages at the $750 maximum, before any civil penalties are counted.
Furthermore, the act allows California consumers to file lawsuits that aren’t based on a demonstrated loss of money or property, but rather on the loss of privacy itself.
Traditionally, lawsuits are founded on proof of damages. This not being the case under the CCPA has, in itself, sparked contention and concern from data-reliant companies.
But the controversy surrounding the new privacy law goes much deeper than fines…
The birthplace of the CCPA, alone, sets the stage for controversy.
Ironically, California has carved out its place as both the center of data collection and the hub of consumer privacy rights. In 1972, the “right to privacy” was written into the state’s constitution, laying the foundation for decades of groundbreaking privacy laws, like the 2002 data breach notification law (SB 1386) and CalOPPA.
Not only does California lead the charge when it comes to instituting privacy regulations, but the state is also home to the biggest players in the data-driven digital arena – including Apple, Google, and Facebook.
The intersection of these things paves the way for heated opposition between tech giants and privacy advocates to take place with both parties rooted in the same space.
Parties on either side of the CCPA – those in favor and those opposed – have camps in California, making the unfurling of this act a spectacle for the world to watch.
How the act came to be
The original initiative and subsequent measure were reportedly stronger, stricter, and more in-line with the stringent guidelines of the GDPR.
However, the measure was set to appear on the November ballot in California, and go to the people for the final vote. Had it won, the language would have remained as is, going live in 2020 with the original clauses and penalties intact.
Would the stricter version of the act have passed at the hands of Californians this November?
That’s an answer the Silicon Valley tech giants weren’t willing to find out.
Realizing that the measure might well pass at the ballot box, tech giants like Google and Microsoft reportedly threatened to pour millions of dollars into opposing it and lobbying against the yes-vote.
In fact, one flyer circulated around the Golden State only a few weeks before the vote claimed that the act would stifle job retention and growth in California’s tech field.
Had the measure been brought to the ballot, there likely would have been thousands more flyers contributing to a heavily funded campaign opposing the act.
In light of these threats, both Democrats and Republicans rushed to produce a watered-down version of the bill and pass it rapidly in the legislature, so as to avoid it moving to the ballot.
These efforts were rewarded with a unanimous vote in favor of the act, and an 18-month grace period where lobbyists retain the potential to change the text of the final law.
What happens now?
As mentioned, the passing of the act by the legislature rather than by ballot makes for an interesting set of possibilities between now and January 1st of 2020.
In a Forbes article, Art Neill speculates that the CCPA will continue to be:
amended and improved based on input from stakeholders.
This means the tech giants and lobbyists will likely be in Sacramento these coming months, persuading the legislature to amend the bill as they see fit.
However, these efforts will surely be met with opposition from the privacy advocates. The battle will likely boil down to, as it often does in politics, who has pockets deep enough to get the adjustments they want written into, or taken out of, the bill.
While the main goals of the act will almost certainly remain the same – granting users greater access, control, and protection of their data – how businesses are expected to uphold these rights, to what extent, and the consequences for failing to do so, remain subject to change.
Efforts to make such adjustments will, no doubt, be intercepted by advocacy groups, but to what avail, we will have to wait and see.
While the official language of the act when it comes into effect in 2020 will likely look different from how it does today, the core concepts of the bill – offering users greater access to, control over, and protection of their data – will surely remain intact.
This new measure, compounded with the data rights and privacy efforts ushered in by the GDPR, is substantially changing the way businesses operate online.
Now is the time to put compliance measures in place, and start being vigilant in the way you collect, use, sell, and share consumer data – or face the consequences.