I am sure you would have heard that data is the new oil. Modern-day enterprises thrive on data to make business decisions. To prevent misuse of data and recognise the rights of data subjects, General Data Protection Regulation (GDPR), the UK Data Protection Act of 2018, and India’s Personal Data Protection Bill (PDPB) are some of the laws (or to-be laws) that seek to regulate how corporate organizations collect and process data. In this article, I will be discussing the California Consumer Privacy Act of 2018.
What is the CCPA?
CCPA stands for the California Consumer Privacy Act. It was passed in June 2018 and came in force from January 01, 2020. It is a state-level legislation in the United States that grants a set of rights to the Californian residents. As per the latest estimates, with 39.6 million population, California is the most populous state in the USA. According to the Assembly Bill Number 375, a consumer or set of consumers can demand the entire record of data secured on them by businesses. This legislation intends to provide consumers with the answers to all questions related to their data. As per the provisions of this act, an individual can even refuse the sale of their data. The covered companies are bound to reveal all the third parties with whom they are sharing the collected data. For this act, the term “business” includes partnership, sole proprietorship, limited liability company, corporation, and association.
CCPA only applies to businesses whose gross revenue exceeds $25 million and those who generate 50% of their revenue by selling the personal information of consumers. It is also applicable to the companies that either buy or process personal information of more than 50,000 devices, households, and consumers. The businesses need not be specifically based out of California for this act to be applicable.
Definition of “Personal Information”
The act defines personal information as
information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
As given in CCPA, the scope of personal information includes, but is not limited to:
- Identifiers such as a real name, alias, postal address, unique personal identifiers, online identifiers such as IP address, email address, and account name, Social Security Number, driver’s license number, passport number, or other similar identifiers
- Characteristics of protected classifications under California or federal law
- Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
- Biometric information
- Internet or additional electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory or similar information
- Professional or employment-related information
- Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 USC section 1232g, 34 CFR Part 99)
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behaviour, attitudes, intelligence, abilities and aptitudes
Personal v. Public Information
As per CCPA, personal information includes unambiguous identifiers (postal address, real name, social security number), exclusive identifiers (online IP address, email address, account name), biometric information, geolocation data, internet activity (but not limited to browsing or search history), and sensitive data (consumer’s characteristics, preferences, behaviour, attitudes, educational information, medical history, employment, and financial information).
Perhaps, it will be more convenient to figure out what is not personal information, than to outline what is.
Personal information does not include any information which is publicly available. As far as cookies are concerned, they are used to accumulate personal data of consumers, they can be categorized under unique identifiers, as a part of personal information under CCPA. It is quite possible that the information accumulated through cookies would only include anonymised data of users. However, it can be regarded as personal data if combined with other data, used for creating user profiles or establishing device connections.
Initially, this act also covered information associated with employers and employees. However, an amendment AB 25 was passed, which partially exempts the employers from abiding by the act concerning data collected “by a business in the course of the natural person acting as a job applicant to, an employee of, director of, officer of, medical staff member of, or contractor of that business.” This exemption is only going to remain in force till January 01, 2021, and hence, the businesses will still need to comply in the due course of time.
Another amendment, AB 874, has been passed which intends to clarify the outlines of publicly available information, an exception to the explanation of personal information. It removes the “purpose” requirement under this exception. Consequentially, all the information available in local, state, or federal government records will be omitted from the definition of personal data and considered as the publicly available information.
- The Californian residents will be empowered with the right to know about the information collected about them by businesses. They will be able to get answers to questions such as:
a. Why was the data collected?
b. What are the types of data collected?
c. Was the data sold or shared with a third party? If yes, who?
- The consumers will have the liberty to refuse the businesses to sell their data. This act broadens the definition of selling data from a mere financial transaction.
- Californians can seek appropriate legal remedies if a business violates their rights as given under the act.
- Californians will be able to request the businesses to delete their personal information.
Obligations of a business under CCPA
- To reveal the personal information collected, sold, or exposed for business activities
- To share details about the classification of personal information and the purpose of data collection
- To facilitate access to the users in regards to their collected personal information
- To delete the collected personal information, as and when requested
- To provide a choice to the users with respect to selling their personal information to other businesses
If a user thinks that their privacy has been compromised or their rights have been violated, they can serve a legal notice to the concerned business. CCPA grants a window of thirty days to a business entity to take appropriate action. Once this duration is over and if the issue is not resolved, users can also file a class-action suit against the business.
This law also provides for penalties if a business does not comply with the requirements given under the act. Non-compliance with CCPA may lead to a civil penalty for such businesses, amounting to $7500 for each violation. It also provides for a civil action to recover damages of a minimum of $100 and a maximum of $750 per consumer. It must be considered that the price for compliance is undoubtedly less than the resulting penalties due to non-compliance. In contrast, the GDPR penalizes 4% of the preceding year’s worldwide turnover or a fine up to €20 million, whichever is more.
GDPR & CCPA
Many experts have termed CCPA as California’s GDPR. However, the introduction of CCPA cannot relinquish the EU’s data protection regulation. Both the legislations have certain stark differences between them. For example, CCPA’s definition of personal information is much more extensive than the description laid down by the GDPR.
CCPA encloses nearly, all the communication happening in the cyber space, thereby bringing businesses under strict compliance requirements. However, it is believed that CCPA compliance should not be troublesome for the businesses that are already GDPR compliant.
Still a work in progress…
AB 375 was processed in mere seven days since the lawmakers wanted to deflect a ballot initiative. This was done primarily to clear a stringent law that was rather opposed by the tech giants. This act, prepared in just a week, comprises of various ambiguities, which makes it a challenging task to meet compliance requirement. Some key concerns include the variation in pricing of users, based on their privacy choices. Several organizations provide users with an option to elevate to paid level for avoiding advertisements. The law hereby is a bit ambiguous. When users exercise their rights under CCPA, companies cannot differ in providing services or quality of goods.
However, under CCPA, companies are not barred from giving a distinct set of services to users, if that distinction is correlated to the user’s data. Therefore, it becomes a possible situation that this law will witness several amendments in due course of time. Recently on June 01, 2020, the Office of the California Attorney General has submitted a report outlining proposed changes in the act. As far as state-level legislations are concerned, CCPA seems to be just the beginning in the United States. It is expected that by 2025, a majority of US states would have enacted a law dealing with the rights of consumers with respect to their data in cyber space.