California’s landmark digital privacy regulations will become the de facto law of the land when they take effect in January, allowing consumers more control over the personal data companies collect about them.
Beginning January 1, consumers will be able to ask for direct access to the information about them that companies keep, and request that the data be deleted. Consumers will also be able to opt out of having their data sold to third parties under the law.
The California Consumer Privacy Act (CCPA) takes effect in California on that date. Although it is a state law, it has ramifications across the United States and globally, because it applies not only to companies based in California but to any for-profit business that collects and uses the personal information of California residents and meets at least one of the statutory thresholds. Even a company with no California presence is covered if it:
- Has annual gross revenues over $25 million.
- Annually buys, receives, sells, or shares, for commercial purposes, the personal information of 50,000 or more California consumers, households, or devices.
- Derives at least 50% of annual revenue from selling California consumers’ personal information.
For years, as companies like Facebook and Google acknowledged how much data they are collecting from users, privacy advocates have called for governments to step in and better protect people’s data and give consumers more control over how the information is used. Since the European Union’s data protection law took effect in 2018, Congress has held numerous hearings on digital privacy, but failed to adopt any similar statute.
In the absence of an overarching federal law, the California law signed by former Gov. Jerry Brown last year will end up setting the privacy standards for the entire country as businesses across the United States prepare to comply.
While journalists and data researchers may use the law to investigate the type of data companies collect and what they do with it, the CCPA may not be a huge benefit to the average consumer because of the burden it places on them to do most of the legwork, digital privacy experts have said.
“The sheer number of privacy policies, notices, and settings or opt-outs one would have to navigate is far beyond individuals’ cognitive and temporal limitations,” Michelle Richardson, director of the advocacy group Center for Democracy and Technology, told a U.S. Senate committee earlier this year. “It is one thing to ask an individual to manage the privacy settings on their mobile phone; it is another to tell them they must do the same management for each application, social network, and connected device they use.”
How does the law work?
Californians will be able to request that your company disclose what data it has collected about them, why it was collected, where it obtained the information, and with whom it was shared or to whom it was sold. California residents will also have the right to sue directly (for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater) if their unencrypted or unredacted personal information is exposed in a data breach resulting from the business’s failure to implement reasonable security. Note that this private right of action covers breaches only; other CCPA violations are enforced by the state attorney general.
If regulators notify a company that it is violating the CCPA, the company has 30 days to cure the violation. If it does not, the attorney general can seek civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, amounts that add up quickly when the volume of consumer records a company holds is considered.
An estimated 500,000 U.S. businesses, including Facebook, Amazon and Target, are expected to have to comply with the CCPA. California Attorney General Xavier Becerra told Reuters last week he will not extend the January 1 deadline to comply with the CCPA.
Historically, the Golden State has been a data protection pioneer: in 1972, voters added privacy to the California Constitution’s list of inalienable rights of the people, right next to the rights of enjoying life and liberty, possessing property, and obtaining safety and happiness.
The text in the new bill, however, acknowledges that California law has not kept pace with new technologies: “the proliferation of personal information has limited Californians’ ability to properly protect and safeguard their privacy,” it reads.
The main purpose of the CCPA is to give Californians more control over their personal information by granting them a number of fundamental rights: to know what personal information is being collected about them; to access this information; to know whether it is sold and to whom; to ask that their personal information be deleted; to opt out of its sale; and to receive equal service and price even after exercising that opt-out.
The rule that consumers should not suffer higher prices or worse service as a result of their privacy choices is unique to the CCPA, and means that some companies may have to rethink their business models, for example if they relied on data monetization to offer online services for free. The act does permit a business to offer a financial incentive reasonably related to the value of the consumer’s data, but only with the consumer’s opt-in consent.
The new law also provides extra protection for minors by prohibiting businesses from selling the personal information of consumers under the age of 16 unless they have affirmatively opted in: consumers aged 13 to 15 may authorize the sale themselves, while for children under 13 a parent or guardian must give the authorization.
What new rights will the CCPA give to California residents?
The new rights under the CCPA are inspired to some extent by those of the EU’s General Data Protection Regulation (GDPR), so companies that have prepared to comply with data subject requests under that regime may be able to leverage their efforts when preparing to comply with the CCPA. The CCPA gives California residents the right to request that a business do the following with their personal information (PI):
- Disclose the categories and specific pieces of PI it has collected.
- Disclose the categories of sources from which the PI is collected.
- Disclose the business or commercial purpose for collecting or selling the PI.
- Disclose the categories of third parties with whom the business shares the PI.
- Delete any PI about the consumer that the business has collected from a consumer, subject to certain exceptions.
- Not “sell” (broadly defined) the consumer’s personal information (the do-not-sell opt-out).
Businesses typically must respond to requests that call for disclosure or delivery within 45 days of receipt (extendable once by a further 45 days when reasonably necessary, provided the consumer is notified), and must provide at least two easily accessible, cost-free methods for exercising these rights, including a toll-free telephone number. However, the timing for implementing do-not-sell and deletion requests is less clear under the act.
How do the “copycat” CCPA laws being proposed in other states compare with the CCPA?
In 2019, at least 15 states proposed laws that are either virtually identical to the CCPA with minor differences, or similar in certain ways but with key differences. Many failed to gain sufficient support to become law this year, but a few, such as Massachusetts’ proposed law (which would provide a broad private right of action for violations), are still before sitting legislatures.
North Dakota scaled back its proposal and passed a law requiring a study on what a potential privacy regulatory scheme should include. As of September 16, only Nevada has passed new consumer privacy legislation. The Nevada law, effective Oct. 1, 2019, requires operators of online services to provide Nevada residents the right to opt out of the sale of certain covered data collected via online services.
The Nevada law’s definition of “sale” is far narrower than the CCPA’s. The prospect of having to comply with dozens of different state laws of this nature has fueled interest in a federal law that would harmonize these proposals and give businesses clear compliance goals.