What is the California Consumer Privacy Act?

Most Americans are unsure about how their personal data is collected, used, and shared (collectively, processed) by companies, and desire government-mandated protections to ensure they are not harmed by this activity. In the absence of federal consumer privacy legislation, the California State Legislature has stepped in to protect its residents’ privacy. The California Consumer Privacy Act (CCPA) empowers state residents to learn more about how companies process their personal data, demand that companies delete their data, and prohibit companies from selling their data.

Transparency

The CCPA requires companies to explain how they process California residents’ personal data in three ways.

First, the legislation gives each resident the right to obtain from a company a report about how and why it collects personal information. Personal information is personal data, broadly defined to include – in part – anything that can be used to identify a specific individual, such as one’s name, persistent identifier (e.g., a browser cookie or mobile device identification number), employment history, credit card number, protected class characteristics (such as race), biometric data (e.g., a facial image), web browsing history, geolocation data, and any inferences drawn from such data. Collection is also defined broadly to include “buying, renting, gathering, obtaining, receiving, or accessing . . . by any means . . . . either actively or passively.”

A data collection report must include a copy of the specific pieces of information collected about that resident, as well as lists of the general categories of personal information collected by that company, categories of data sources, categories of third parties with which personal information is shared, and the purposes for which the personal information is used.

Second, a resident has the right to obtain a report about the sale of their personal information. Upon request, a company must provide a report that includes the categories of information collected by the company, and a list of specific third parties to which the company sells personal information, along with the categories of personal information sold to each third party. Sale is defined broadly to include the exchange of data for money or anything else of value. 

Third, the CCPA requires a company to describe its data processing practices and users’ CCPA rights in its privacy policy or an equivalent notice, and also provide dedicated webpages or other methods for residents to submit CCPA requests.

Control

The CCPA also gives Californians more control over how their personal data is used.

A resident can demand that a company delete their personal information, unless that information is necessary for a business purpose, such as cybersecurity. When a resident exercises this right, the company must also ensure that entities performing “business purpose” functions delete the data.

 A resident can also prohibit future sales of their personal data. Every company to which the statute applies must provide a conspicuous “Do Not Sell My Personal Information” hyperlink on its homepage, through which a resident can submit a no-sale request. 

Nationwide effect

In the auto industry, companies may apply California’s relatively high consumer privacy standards nationwide. Uniform standards are more easily implemented, especially in the case of the CCPA, which applies to California residents physically present in other states. Also, adhering to more protective standards can boost a company’s reputation. Microsoft has already decided to honor CCPA rights nationwide. Moreover, California’s status as the fifth largest global economy makes it difficult for large American companies to avoid availing themselves to their compliance obligations with the CCPA. Thus, due to the size and reach of California’s economy, the ease of adapting a uniform law, and the reputational benefits that come with adapting consumer privacy protections, companies may choose to make the CCPA their de facto national privacy standard.

Industry response

While some members of the advertising technology community have criticized the CCPA, industry stakeholders have worked to develop their own technical specifications and tools to help companies come into compliance with the law.  The Interactive Advertising Bureau, an advertising business organization, recently released a framework to help publishers and technology companies achieve compliance with the CCPA. The Digital Advertising Alliance (DAA) also announced new mechanisms to help companies provide a “Do Not Sell My Personal Information” link on their websites in the form of text accompanied with a green Privacy Rights Icon .

The national debate about privacy

The CCPA is one of the first major privacy laws passed by a state that will no doubt have an impact on how other jurisdictions choose to craft their own legal standards for privacy. It may also become a foundation for a future federal privacy law in the US.

Already, several US house representatives and senators have introduced their own privacy legislation. These bills and the accompanying debate about a federal privacy standard juggle a number of different ideas about what a national law should include – such as a private right of action, special protections for certain data types, an expansion of the Federal Trade Commission’s enforcement power, and restrictions on algorithmic decision-making. To guide these legislative efforts, members of the business community have prepared their own proposals, such as Privacy for America’s framework, while consumer protection advocates have advanced their own recommendations for privacy protections. Notably, part of this debate covers whether state laws like the CCPA should be “preempted” by a single federal standard and whether the CCPA’s protections should serve as a baseline for a federal privacy law or represent the maximum level of consumer protection.

Keep in mind your rights and responsibilities

The dialogue about data privacy and legal rights and obligations that emerge from this space will no doubt evolve as the world continues to become more interconnected. If you’re a California consumer, be aware of new options for requesting and deleting data that might become available to you this year as a result of this change in California law. And if you’re doing business with California residents, make sure to speak to your attorney about complying with the CCPA. 

The Digital Advertising Accountability Program protects consumers' privacy online by providing independent, third-party enforcement of cross-industry best practices governing the collection and use of data in online interest-based advertising. The Accountability Program also provides guidance to companies looking to come into compliance with the DAA’s principles and responds to complaints filed by consumers about online privacy.