The California legislature is on a data privacy tear at the moment, and while that has some companies holding their breaths, Californians could be seeing some big gains in control over their digital data.
We’ve highlighted this in previous blog posts, but aside from requiring that companies act more responsibly as data stewards (ex: requiring companies to implement reasonable security protections), the California Consumer Privacy Act (CCPA) grants unprecedented rights to consumers.
As of this blog post’s printing, consumers are slated to see:
- Greater transparency around the type and specific data collected by companies: The CCPA will require businesses to disclose the “categories and specific pieces of personal information the business has collected” about them. (1798.100)
Now there are some limitations to taking advantage of the data export right. For example, a company doesn’t have to respond more than twice a year to the same requestor. Or, if personal data is collected through a one-time transaction (ex: you’re a first-time or “guest” user at a website and make a purchase), the company doesn’t have to retain data about you that it wouldn’t ordinarily retain (so there might not be any data for you to receive in an export). But generally speaking, this gives Californians the same rights as are provided to EU residents under the GDPR.
- The right to have personal data deleted: This also follows the GDPR model, and we’ve written about this in other blog posts so we won’t go into detail here. But suffice it to say Californians can ask for their data to be deleted, and companies will generally have to comply (exceptions like “billing records” are noted here in 1798.105.d). (1798.105)
- Right to opt out of a sale: Now this is new to the CCPA. The intent of this provision is to inform California residents which entities are selling their data and which aren’t, and, in the cases where data is being sold, to give Californians the right to opt out of the sale.
From a practical standpoint, this is one of the most interesting things about the CCPA. Since the definition of “sale” is pretty broad – we go into it in this blog post – this right gives consumers a comprehensive handle on restricting who else downstream may receive their data. It’s essentially a big “easy” button since all a consumer will have to do is click a clear and conspicuous link (1798.135.1) on the company’s home page, provide the relevant information to allow the opt-out to be completed, and the rest will be history.
Alastair Mactaggart, one of the CCPA’s architects, has been quoted as saying he believes web browsers will adopt “do not sell” extensions to allow consumers to automatically opt out of data sales, but whether or not this transpires remains to be seen. Companies which offer points, rewards, or loyalty programs often do so in exchange for selling consumer data (under the current CCPA definition of “sale”). By opting out of a data sale, or by requesting data deletion, consumers might find they have inadvertently also lost all their loyalty points or benefits in the process.
To offset some of this loss, the CCPA has provisions protecting consumers from price hikes, decreased service offerings, etc., in the event consumers want to exercise their rights under the CCPA:
- A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights (1798.125)
But whether or not perks like points or rewards will remain unaffected is still to be determined.
Lastly, and perhaps most notably, the CCPA grants California residents a private right of action (ex: they can sue companies) if their “nonencrypted or nonredacted personal information… is subject to unauthorized access and exfiltration, theft, or disclosure” stemming from failure to implement “reasonable security precautions”. (1798.150)
As of this article’s publication, the definition of “personal information” in the above case is not the broad GDPR-like definition used in the rest of the legislation; rather, it’s limited to specific data points like a consumer’s first and last name in combination with social security, driver’s license, or financial account numbers (including passcodes needed to access said account). The full definition of personal information can be found here, but what’s most remarkable about this provision is that consumers won’t have to show any damage or harm as a result of a PII breach. They can simply file suit, and they’ll see a payout. With a damage cap of $750 per incident (1798.150.A), it won’t translate to a consumer windfall, but it will allow consumers to see some kind of restitution for their leaked data.
We’re still about a year out from enforcement, and whether or not the California Consumer Privacy Act (CCPA) will get modified is still up in the air. But even so, the CCPA is a powerful tool which will give Californians far more control over their online data than they have now. And as we’ve seen from previous landmark laws (CA SB 1386 – breach notifications; CalOPPA – requiring privacy policies), when California acts, other states tend to follow. So if you’re not a California resident, don’t despair. It’s quite possible that in another year or two the protections granted to Californians under the CCPA will extend to the rest of the United States as well.
Stay tuned to the Return Path blog for more in our CCPA series to hear about:
- CCPA legal implications for organizations
- CCPA and third-party data usage
- Broader privacy law(s) in the U.S., and what’s happening in other states
- Preparing for CCPA from a marketer’s view