The Wider Implications of the California Consumer Privacy Act
By Daniel Garrie (May 14, 2019)
Without a federal standard for digital privacy legislation, states are left to their own devices in enacting internet and data privacy laws. The result is a cacophonous patchwork of state legislation, leaving businesses scratching their heads and lawyers haphazardly navigating layers of red tape.
Enter California’s most recent digital privacy initiative: the California Consumer Privacy Act of 2018 (CCPA). CCPA affects those businesses buying, selling or otherwise in the trade of the “personal information” of California residents — all 39.54 million of them.
In 2019, personal information is the bread and butter of tech companies. It is the price consumers pay for using “free” internet websites and applications. What consumers don’t pay in USD, they pay in PII. The CCPA represents an attempt to regulate this economy of personal information by granting California residents more visibility into and control over the ways their personal information is used.
Below is a general overview of some of the key provisions of CCPA and some thoughts on its wider implications.
The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This is much broader than the traditional definition of personal information seen in most privacy laws in the United States. However, the CCPA does exclude publicly available information, defined as information “lawfully made available from federal, state, or local government records, if any conditions associated with such information” excluding biometric information collected without the consumer’s knowledge and personal information used for a purpose different from the one for which the information is maintained and made available in the government records or otherwise publicly maintained.
The range of companies subject to CCPA is also fairly broad. In short, CCPA applies to companies that are for-profit, collect and process the personal information of California residents, do business in the State of California and meet at least one of the following criteria:
• Has annual gross revenues in excess of $25 million.
• Annually buys, receives for the business’ commercial purposes, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices.
• Derives 50% or more of its annual revenues from selling consumers’ personal information.
The CCPA grants California residents more visibility into and control over their personal information primarily through the following four requirements:
• Notification of personal information collection: At or before the point of collection, businesses must notify consumers that they are collecting the consumer’s personal information, what personal information is being collected, how that personal information is being collected, how the business intends to use such personal information, and whether and to whom it is being disclosed or sold.
• Personal Information Sale Opt-out: Businesses must notify consumers that they are selling the consumers’ personal information and that the consumers have a right to opt out of such sale, and must post a “Do Not Sell My Personal Information” link on their homepages that allows consumers to easily exercise that right to opt out.
• Personal Information Removal: A business must delete the personal information the business collected about a consumer and direct service providers to delete the consumer’s personal information in response to a verifiable consumer request, subject to certain exceptions.
• Service Equality: “A business cannot discriminate against a consumer who exercises his or her rights under the CCPA. Generally, the CCPA prevents a business from charging a consumer a fee because he or she exercised a right under the CCPA. However, the CCPA does allow a business to charge a different price or provide a different level of service to customers if ‘that difference is reasonably related to the value provided to the consumer by the consumer’s data.’ Businesses can offer consumers financial incentives to allow Personal Information collection,” per BenefitsPRO.
With its aggressive stance on data protection and privacy rights, the CCPA exemplifies just how wide the gap is between individual state digital privacy laws. In contrast with California, South Dakota’s first-ever data breach notification law went into effect in July 2018.
In fact, the CCPA resembles the European Union’s General Data Protection Regulation (GDPR) more than it does other U.S. state data privacy laws. Like the GDPR, the CCPA approaches data privacy from an opt-in perspective. Both the GDPR and CCPA grant the consumer the right to access the personal information collected. GDPR and CCPA are grounded in the idea that digital privacy is a right, not a bargaining chip. The GDPR works, in part, because it applies to the entire European Union. However unique the California jurisdiction may be, it is still a bona fide member of the United States of America (and the third-largest at that).
The CCPA treats digital privacy like a personal right to be placed back in the hands of consumers. While, in theory, this sounds like a progressive idea, the practical implementation of CCPA in isolation hardly “protects” the consumer. Rather, it complicates the already murky waters of data privacy.
Ultimately, I believe the CCPA is red tape without results. The choice between geofencing the interfaces of California residents and upending consumer information-driven business models is not one that many are looking forward to making. While California may be a legislative leader in many respects, in the digital privacy arena, California may have started the race without tying its shoes.