What is the California Consumer Privacy Act?

Jan 14, 2020, 10:45 AM by BBB National Programs

Most Americans are unsure about how their personal data is collected, used, and shared (collectively, processed) by companies, and desire government-mandated protections to ensure they are not harmed by this activity. In the absence of federal consumer privacy legislation, the California State Legislature has stepped in to protect its residents’ privacy. The California Consumer Privacy Act (CCPA) empowers state residents to learn more about how companies process their personal data, demand that companies delete their data, and prohibit companies from selling their data.


Transparency

 The CCPA requires companies to explain how they process California residents’ personal data in three ways.

 First, the legislation gives each resident the right to obtain from a company a report about how and why it collects personal information. Personal information is personal data, broadly defined to include – in part – anything that can be used to identify a specific individual, such as one’s name, persistent identifier (e.g., a browser cookie or mobile device identification number), employment history, credit card number, protected class characteristics (such as race), biometric data (e.g., a facial image), web browsing history, geolocation data, and any inferences drawn from such data. Collection is also defined broadly to include “buying, renting, gathering, obtaining, receiving, or accessing . . . by any means . . . . either actively or passively.”

 A data collection report must include a copy of the specific pieces of information collected about that resident, as well as lists of the general categories of personal information collected by that company, categories of data sources, categories of third parties with which personal information is shared, and the purposes for which the personal information is used.

 Second, a resident has the right to obtain a report about the sale of their personal information. Upon request, a company must provide a report that includes the categories of information collected by the company, and a list of specific third parties to which the company sells personal information, along with the categories of personal information sold to each third party. Sale is defined broadly to include the exchange of data for money or anything else of value. 

 Third, the CCPA requires a company to describe its data processing practices and users’ CCPA rights in its privacy policy or an equivalent notice, and also provide dedicated webpages or other methods for residents to submit CCPA requests.

 

Control

 The CCPA also gives Californians more control over how their personal data is used.

 A resident can demand that a company delete their personal information, unless that information is necessary for a business purpose, such as cybersecurity. When a resident exercises this right, the company must also ensure that entities performing “business purpose” functions delete the data.

 A resident can also prohibit future sales of their personal data. Every company to which the statute applies must provide a conspicuous “Do Not Sell My Personal Information” hyperlink on its homepage, through which a resident can submit a no-sale request.

 

Nationwide effect

 In the auto industry, companies may apply California’s relatively high consumer privacy standards nationwide. Uniform standards are more easily implemented, especially in the case of the CCPA, which applies to California residents physically present in other states. Also, adhering to more protective standards can boost a company’s reputation. Microsoft has already decided to honor CCPA rights nationwide. Moreover, California’s status as the fifth largest global economy makes it difficult for large American companies to avoid compliance obligations under the CCPA. Thus, due to the size and reach of California’s economy, the ease of adopting a uniform law, and the reputational benefits that come with adopting consumer privacy protections, companies may choose to make the CCPA their de facto national privacy standard.

 

Industry response

While some members of the advertising technology community have criticized the CCPA, industry stakeholders have worked to develop their own technical specifications and tools to help companies come into compliance with the law. The Interactive Advertising Bureau, an advertising business organization, recently released a framework to help publishers and technology companies achieve compliance with the CCPA. The Digital Advertising Alliance (DAA) also announced new mechanisms to help companies provide a “Do Not Sell My Personal Information” link on their websites in the form of text accompanied by a green Privacy Rights Icon.

 

The national debate about privacy

The CCPA is one of the first major privacy laws passed by a state, and it will no doubt have an impact on how other jurisdictions choose to craft their own legal standards for privacy. It may also become a foundation for a future federal privacy law in the US.

Already, several US House representatives and senators have introduced their own privacy legislation. These bills and the accompanying debate about a federal privacy standard juggle a number of different ideas about what a national law should include, such as a private right of action, special protections for certain data types, an expansion of the Federal Trade Commission’s enforcement power, and restrictions on algorithmic decision-making. To guide these legislative efforts, members of the business community have prepared their own proposals, such as Privacy for America’s framework, while consumer protection advocates have advanced their own recommendations for privacy protections. Notably, part of this debate covers whether state laws like the CCPA should be “preempted” by a single federal standard and whether the CCPA’s protections should serve as a baseline for a federal privacy law or represent the maximum level of consumer protection.

 

Keep in mind your rights and responsibilities

The dialogue about data privacy and legal rights and obligations that emerge from this space will no doubt evolve as the world continues to become more interconnected. If you’re a California consumer, be aware of new options for requesting and deleting data that might become available to you this year as a result of this change in California law. And if you’re doing business with California residents, make sure to speak to your attorney about complying with the CCPA. 

 
The Digital Advertising Accountability Program protects consumers' privacy online by providing independent, third-party enforcement of cross-industry best practices governing the collection and use of data in online interest-based advertising. The Accountability Program also provides guidance to companies looking to come into compliance with the DAA’s principles and responds to complaints filed by consumers about online privacy.

