Here’s what you need to know about CCPA changes

Oct. 22, 2019
Set to go into effect in January, Calif. legislation marks the first major data privacy law in the U.S.

The world is beginning to wake up and understand the importance of preserving privacy as a fundamental human right. Over the past few decades, some of the largest companies in the world have, quite literally, had free and unfettered reign over their customers’ personal data. Companies have been free to do with all that valuable, sensitive personal data essentially as they pleased, and they have certainly been content to share that data with all types of third parties and cash in on what is now considered by many as one of the most important commodities in the world. 

In the wake of multiple, large-scale data breaches and cyber incidents, many affecting hundreds of millions of individuals, consumers are taking notice and realizing that their loss of control over their personal data has been leading to some very real consequences. The incredibly rapid evolution of modern technology is fundamentally altering the way people live their lives, and at the same time exponentially increasing the amount of personal data being shared with companies online, thus also significantly increasing consumers’ risks of being adversely affected by a major cybersecurity incident in their lifetime.

To exacerbate that risk, internet of things (IoT) devices are becoming increasingly ubiquitous and are proliferating at a rate faster than manufacturers are inclined to ensure their proper security; social media platforms are becoming fully ingrained in the lives of billions of people worldwide while simultaneously proving dangerously inept at protecting user privacy; and online banking, online shopping, online trading, and online gaming services are all collecting highly sensitive personal information from consumers across the globe and often failing to secure their systems from being breached. This is precisely why it is becoming critically important that consumers are given back control over their personal data and that the companies that are collecting that data are held properly accountable for securing it, keeping it private, and out of the hands of hackers and cybercriminals.

Tracking Data Privacy Legislation

To date, the most significant piece of active data privacy legislation is the European Union’s General Data Protection Regulation (GDPR), which provides consumers in Europe with a set of rights that gives them a significant amount of control over their data and how it is handled by the companies that collect it. The GDPR also ensures that the companies that collect data on consumers in Europe are held properly accountable for protecting the privacy of that data. Should a company be found in violation of any aspect of the privacy law, the company would be subject to potentially crippling financial penalties. 

The California Consumer Privacy Act (CCPA) is leading the way as far as data privacy laws go in the United States. The landmark privacy law, following in the footsteps of and in many ways closely analogous to the GDPR, is set to go into effect on the 1st of January 2020 and marks the first major data privacy legislation in the US. Like the GDPR, the CCPA affords consumers in the state of California specific rights and control over how their personal data is handled and processed by the companies that collect the data.

Particularly favorable for consumers is the fact that the CCPA provides quite a broad definition of what types of personal information are protected under the law. By and large, “personal information” under the law applies to any information that “identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device.” This includes a wide range of information such as a California resident’s name, alias, email address, physical address, IP address, driver license number, passport number, social security number, biometric data, property records, purchasing histories, online browsing history, location data, employment data, etc. This list is by no means exhaustive either and is deliberately left vague to account for any information that could be “reasonably” linked to a consumer in California. 

The true crux of the law revolves around the five rights that California residents will enjoy in protecting their broadly defined personal data from being mishandled by the companies that collect it. Firstly, consumers will have the right to know — “at or before the point of collection” — what categories of personal information are being collected and the purposes for which the data is being used. California residents will also have the right to request a copy of the data that a business has collected on them, including the specific information that a business has retained on the consumer, any categories of third parties the company has shared it with, and the commercial purpose for why the data was collected.

Furthermore, consumers will have the right to request deletion — with certain reasonable exceptions — of the personal information that a company has collected on them. Additionally, if at any time during their dealings with a company, a consumer decides that they do not authorize the company to sell their personal information to third parties, they have the right to opt-out of the sale of their data. Finally, consumers have the right to equal service if they decide to exercise any of their rights under the law, meaning that companies are prohibited from charging higher rates, offering lower-quality goods, or providing any lesser service to those customers who exercise their rights in accordance with the CCPA. 

Putting Teeth Into CCPA

This comprehensive set of data privacy rights coupled with the wide-ranging definition of what constitutes protected personal information under the law arms California residents with some of the most substantial online data privacy protections in the world. Let’s make no mistake about it, the CCPA is robust, comprehensive, demanding of businesses, and an essential piece of legislation that will be of significant benefit to consumers in California and the preservation of their data privacy. 

That said, a few amendments to the law that passed through the California legislature last month would provide somewhat of a reprieve for businesses should they be approved by the governor this month. Two of the amendments would provide one-year exemptions for information companies collect on employees and job applicants, and on B2B communications, respectively. Another amendment would eliminate the requirement for companies that operate strictly online to provide a toll-free number for customers to call and exercise their rights.

Other approved amendments to the law provide a permanent exemption for car dealers sharing information with manufacturers in case of a repair or recall, as well as an amendment that clarifies the definition of personal information and excludes publicly available information and aggregate data. Even though these amendments to the law can be considered a small victory for businesses, the overall greater scope of the law remains heavily consumer-friendly and will be hugely advantageous for California residents.

Interestingly, however, the group that originally pushed for the state’s privacy legislation in the first place (Californians for Consumer Privacy) is now insisting that the CCPA as it stands to go into effect doesn’t go quite far enough to give consumers “true control over their own data”, and have proposed a ballot initiative to appear on the November 2020 ballot that, if passed, would further strengthen the law. In addition to establishing a California Privacy Protection Agency that would act as both a watchdog and enforcer of the law, the group’s ballot initiative also proposes to triple the fines for any infringement against minors under the law, establish additional rights concerning the sale of sensitive personal information, as well as ensure Californians are sufficiently protected from any attempts to weaken the law by requiring any further amendments be “in furtherance of the law”.

The group’s founder, Alastair Mactaggart, stated in a blog post that the proposed initiative is in response to two deeply concerning developments he has noticed since the CCPA’s introduction two years ago. The first of those being that “some of the world’s largest companies have actively and explicitly prioritized weakening the CCPA”, and the other that “technological tools have evolved in ways that exploit a consumer’s data with potentially dangerous consequences.” He goes on to make the argument that “using consumer data in these ways is not only immoral, but it also threatens our democracy.”

Can Business and Consumer Goals Mesh?

Indeed, executives from some world’s largest corporations are actively lobbying for federal legislation that would effectively weaken the CCPA and other potential future privacy regulations enacted at the state level. In a recent letter addressed to top U.S. government leaders, a group of over fifty CEOs across various business sectors urged action toward establishing a comprehensive federal privacy law protecting all Americans uniformly. The letter argues that “now is the time for Congress to act and ensure that consumers are not faced with confusion about their rights and protections based on a patchwork of inconsistent state laws,” adding that “innovation thrives under clearly defined and consistently applied rules.” 

It is true that consistent and clearly defined regulations across the board would be beneficial for companies, and presumably, for consumers alike, any potential federal law that undermines or otherwise dilutes stronger state privacy laws would be a step backward for overall consumer privacy throughout the United States. Strong data privacy laws that properly protect consumers by no means must be exclusive of companies’ ability to operate, innovate, and grow. It is important to strike the correct balance and allow breathing room for companies to innovate while still protecting consumers’ essential rights to data privacy. Establishing a federal data privacy law could potentially accomplish that, but only if the law doesn’t work to sabotage strong legislation at the state level and weaken consumer rights to privacy.  

The digital privacy landscape in the U.S. is going through a badly needed and fundamental transformation. Companies are looking at a tectonic shift in the way they operate and handle data, while consumers are finally beginning to realize the promise of true data privacy and a truer sense of control over their personal information. What we are likely to see happen going forward as the landscape continues to rapidly evolve is other states beginning to follow California’s lead and enacting their own data privacy laws.

New York already has a comprehensive proposal on the table that is ostensibly even stronger than the CCPA, and a handful of other states are also poised to begin introducing consumer privacy legislation. Ultimately, the eventual outcome will likely be a set of national privacy regulations that protect all consumers in the U.S. with individual states given a certain amount of freedom to enact their own privacy rules. Most importantly, the future of data privacy in the United States looks bright for consumers overall as we are finally seeing meaningful action being taken to hold corporations accountable for how they handle data and to properly safeguard the privacy of consumers.  

About the Author:

Attila Tomaschek is a data privacy advocate at  Attila began writing for ProPrivacy in 2018 after having been in the VPN industry for over 4 years. As an industry veteran, Attila has cultivated a deep understanding of how VPNs can help users unlock the internet and protect their privacy online. Attila is a staunch advocate for digital privacy and for free and open internet, and various publications have asked him to provide expert comment on matters of digital privacy.