A Closer Look at California’s Data Privacy Law

The European Union’s General Data Protection Regulation (GDPR) ‘drew first blood’ in regulating technology companies that rely on consumer data to generate revenue. The state of California soon followed suit, passing the California Consumer Privacy Act (CCPA) in June 2018. The CCPA took effect on January 1, 2020, ushering in a series of sweeping changes with repercussions beyond California.

Since California represents an enormous slice of national GDP – with most major technology companies headquartered in Silicon Valley – the CCPA could arguably serve as the foundation for laws that apply nationally. In this post, we take a closer look at what the law does, what implications its enactment may have, and what it might signal for the future.

The Basics of the CCPA

The CCPA “creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.” The rules are fairly straightforward – at the most basic level, California consumers are granted the right to know what personal data is being collected, used, shared or sold. The law also allows citizens to delete information collected by businesses and to opt out of having their personal information sold, and it grants a “right to non-discrimination in terms of price or service” when choosing to exercise their CCPA-given rights.

Businesses found to be out of compliance with the CCPA will be required to pay a series of fines, from $7,500 per instance for intentional violations to $2,500 for those without intent, and potentially $750 per user in damages.

Businesses are subject to the CCPA if they meet at least one of three conditions:

• Earn gross annual revenues in excess of $25 million;
• Buy, receive, or sell personal data for 50,000-plus consumers, households, or devices;
• Earn at least half of their annual revenue via sales of personal data.

The CCPA broadly defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.”

The CCPA in Practice

The newness of personal data privacy laws has prompted plenty of questions. The very breadth of the law and of its definition of personal data seems to have complicated application of the CCPA. Compliance – or at least what compliance looks like – is hardly straightforward. Kabir Barday, CEO of privacy management software company OneTrust, told the New York Times that “companies have different interpretations, and depending on which lawyer they are using, they’re going to get different advice.”

How companies make personal data available to consumers is extremely variable, often requiring different time frames and methods to request, view, and potentially delete that information. Given the national implications of the law, and with national legislation failing to gain real traction, that gray area could be problematic.

Google, Facebook, and Uber have all taken different approaches towards compliance. Google now offers clients a system “that restricts the use of consumer data to business purposes like fraud detection and ad measurement,” while Facebook, in keeping with their laissez-faire approach to certain policies, said in a blog post that they “encourage advertisers and publishers that use our services to reach their own decisions on how to best comply with the law,” and will provide “updated contractual commitments… to clarify that we will only use our partners’ data for the business purposes described in our contracts with them.” Meanwhile, Uber decided to offer users a chance “to opt out of having the ride-hailing service share their data with Facebook for ad targeting purposes.”

What Comes Next?

It seems likely that, with the rollout in its nascent stages, additional tweaks and changes will be introduced over time. California Attorney General Xavier Becerra has stated that a final set of compliance rules will be released in mid-2020, which may further define some of the more nebulous bits of the legislation. It is also possible that there may be no single form of compliance, by virtue of the varying “types and extent of personal data that companies currently make available,” though that seems unlikely. Becerra said that as long as consumers follow the process, they should be able to access both general and specific data alike, without issue.

The notion that data is the property of consumers—and not businesses that collect it—is a relatively new (but impactful) premise. Until national legislation is introduced, California’s CCPA looks to be the standard-setter across the US for the time being.

Quandary Peak Research

Based in Los Angeles, Quandary Peak Research provides software litigation consulting and expert witness services. We rapidly analyze large code bases, design documents, performance and usage statistics, and other data to answer technical questions about the structure and behavior of software systems.