In 2018, the California legislature passed the California Consumer Privacy Act (CCPA). Set to go into effect in 2020, the CCPA arose out of a compromise between legislators, privacy advocates, and a California businessman who had proposed his own ballot measure. How the CCPA came to be is a very interesting story – I encourage you to read more about it.
What is the CCPA?
In a nutshell, the CCPA is a law that gives all California residents the right to access any data that companies collect about them, know how their data is used, and exercise control over whether and when their data is collected.
Although the CCPA is the strongest privacy law ever enacted in the United States, it’s by no means the first of its kind globally. The description above will sound familiar to anyone acquainted with the European Union’s GDPR (General Data Protection Regulation), which went into effect in May 2018.
What obligations do companies have under the CCPA?
Much like the GDPR, the CCPA requires affected companies to:
- Tell consumers what data they’re collecting.
- Identify a legitimate business purpose for collecting consumer data. A legitimate business purpose might be providing the consumer with goods or services they’ve requested (e.g., a business needs a shipping address to deliver an order), while a non-legitimate reason might be, say, storing it for an ambiguous future research project.
- Honor consumer requests to provide a complete copy of the consumer’s collected data, to stop collecting the consumer’s data, and/or to destroy any of the consumer’s data that has been collected.
- Allow consumers to opt out of having their data sold to third parties. The law specifically requires online businesses that collect data to display a prominent “Do not sell my personal information” option, and to comply with those consumer requests.
Companies are required to provide these protections to consumers for free; a company cannot, for example, charge a consumer more if they request that their data be deleted.
Who’s a “consumer” or “affected company” under the CCPA?
A “consumer” is any California resident whose data is collected by a company. A consumer doesn’t actually have to buy anything to be protected under the CCPA; any visitor to a website, for example, qualifies as a consumer and is entitled to data protection.
An “affected company” is any company that does business in California, and meets at least one of the following criteria:
- Has gross annual revenues of $25M or more, OR
- Processes personal information of more than 50,000 consumers, households, or devices, OR
- Derives more than 50% of its annual revenue from selling consumers’ personal information
Note that a company is “doing business in California” if they interact in any way with residents of California, even if they have no physical presence in the state. This means that most U.S. companies of any significant size — and many international companies, as well — are affected by the CCPA and required to comply with its rules.
How does the CCPA define “data”?
Very broadly. According to the text of the bill, data includes any “personal information…that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. This definition covers just about everything: addresses, fingerprints, browser history, etc., etc.
The bill also specifically calls out inferred data, defined as:
Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
This means that if a company makes an informed guess at your age, location, hobbies, or other personal characteristics based on the pages you’ve browsed, products you’ve purchased, etc., those guesses are also protected data.
Data protected under the CCPA does not include data protected under other major U.S. privacy laws — most notably, health data covered under HIPAA is excluded from the CCPA rules.
Who’s going to enforce the CCPA?
The State of California can take any affected company to court for failure to comply with any of the rules of the CCPA. Consumers can also sue companies under limited circumstances — for example, if a company’s data protection processes are found to fall grossly short of industry standards.
What do companies need to do to prepare for the CCPA?
Between now and when the law goes into effect, companies affected by the CCPA will need to:
- Create an inventory of the data they collect, including how that data is used
- Ensure that their consumers can access the data that is collected about them
- Provide a mechanism for consumers to request that the company stop collecting and/or delete their data
- Provide a mechanism for consumers to opt out of having their data sold to third parties
- Notify consumers when their data is being collected (e.g., add cookie tracking consent banners)
Fortunately, many companies will already have taken these steps to achieve GDPR compliance — thanks to the similarities between the two laws, the additional work required for the CCPA should be minimal compared to GDPR compliance.
Finally, companies need to make sure that their data protection is up to industry standards. The CCPA doesn’t include detailed requirements for data security — but given that failure to adequately secure data is one of the few grounds for a consumer (as opposed to state) lawsuit under the CCPA, most companies will want to give their security systems a good once-over.
What else can we expect between now and when the CCPA goes into effect?
The CCPA may have been signed into law last year, but that doesn’t mean all the specifics are settled. Over the next nine months (and beyond, in some cases), consumers and businesses should keep an eye out for:
Official rules release: The California legislature is currently in the midst of the rulemaking process for the CCPA. Official rules — which spell out exactly how the law will be implemented in various contexts — will be released in Fall 2019.
Amendments: There’s a good chance we’ll see some proposed amendments to the CCPA between now and January 2020, and possibly some significant changes to the law as a result.
Similar legislation in other states: Several other states are now considering legislation similar to the CCPA, which raises questions about how various state laws would interact. If these new bills pass, businesses might find themselves navigating an ambiguous, or even conflicting, patchwork of regulations.
Federal legislation: With privacy gaining momentum as a state-level issue, it’s only a matter of time before we start seeing proposals at the federal level. California consumers should keep an eye on the federal discussion, and can play a role in encouraging federal lawmakers to enact legislation that’s at least as strong as California’s.
Court challenges: Finally, we can expect to see the CCPA challenged in one or more court cases in the near future. Possible challenges could include First Amendment grounds – especially with respect to inferred data – or grounds that it violates the Constitution’s Commerce Clause.
However the details shake out, though, come January 2020, California consumers will have significantly more control over how their data is collected, stored, and used. As a business owner or employee, you might find the transition a little intimidating — but as a consumer, well, you can go ahead and start counting the days until you get to check that “do not sell my data” box.
Heads up! We’re expert developers, designers, and PMs here at Grio — but we’re not lawyers. What you’ve just read is our best attempt at a high-level summary of the California Consumer Privacy Act. This is definitely not legal advice, so please don’t interpret it as such.