What is the California Consumer Privacy Act?

Jan 14, 2020, 10:45 AM by BBB National Programs

Most Americans are unsure about how their personal data is collected, used, and shared (collectively, processed) by companies, and desire government-mandated protections to ensure they are not harmed by this activity. In the absence of federal consumer privacy legislation, the California State Legislature has stepped in to protect its residents’ privacy. The California Consumer Privacy Act (CCPA) empowers state residents to learn more about how companies process their personal data, demand that companies delete their data, and prohibit companies from selling their data.


Transparency

 The CCPA requires companies to explain how they process California residents’ personal data in three ways.

 First, the legislation gives each resident the right to obtain from a company a report about how and why it collects personal information. Personal information is personal data, broadly defined to include – in part – anything that can be used to identify a specific individual, such as one’s name, persistent identifier (e.g., a browser cookie or mobile device identification number), employment history, credit card number, protected class characteristics (such as race), biometric data (e.g., a facial image), web browsing history, geolocation data, and any inferences drawn from such data. Collection is also defined broadly to include “buying, renting, gathering, obtaining, receiving, or accessing . . . by any means . . . . either actively or passively.”

 A data collection report must include a copy of the specific pieces of information collected about that resident, as well as lists of the general categories of personal information collected by that company, categories of data sources, categories of third parties with which personal information is shared, and the purposes for which the personal information is used.

 Second, a resident has the right to obtain a report about the sale of their personal information. Upon request, a company must provide a report that includes the categories of information collected by the company, and a list of specific third parties to which the company sells personal information, along with the categories of personal information sold to each third party. Sale is defined broadly to include the exchange of data for money or anything else of value. 

 Third, the CCPA requires a company to describe its data processing practices and users’ CCPA rights in its privacy policy or an equivalent notice, and also provide dedicated webpages or other methods for residents to submit CCPA requests.

 

Control

 The CCPA also gives Californians more control over how their personal data is used.

 A resident can demand that a company delete their personal information, unless that information is necessary for a business purpose, such as cybersecurity. When a resident exercises this right, the company must also ensure that entities performing “business purpose” functions delete the data.

 A resident can also prohibit future sales of their personal data. Every company to which the statute applies must provide a conspicuous “Do Not Sell My Personal Information” hyperlink on its homepage, through which a resident can submit a no-sale request.

 

Nationwide effect

 In the auto industry, companies may apply California’s relatively high consumer privacy standards nationwide. Uniform standards are more easily implemented, especially in the case of the CCPA, which applies to California residents physically present in other states. Also, adhering to more protective standards can boost a company’s reputation. Microsoft has already decided to honor CCPA rights nationwide. Moreover, California’s status as the fifth largest global economy makes it difficult for large American companies to avoid availing themselves to their compliance obligations with the CCPA. Thus, due to the size and reach of California’s economy, the ease of adapting a uniform law, and the reputational benefits that come with adapting consumer privacy protections, companies may choose to make the CCPA their de facto national privacy standard. 

 

Industry response

While some members of the advertising technology community have criticized the CCPA, industry stakeholders have worked to develop their own technical specifications and tools to help companies come into compliance with the law.  The Interactive Advertising Bureau, an advertising business organization, recently released a framework to help publishers and technology companies achieve compliance with the CCPA. The Digital Advertising Alliance (DAA) also announced new mechanisms to help companies provide a “Do Not Sell My Personal Information” link on their websites in the form of text accompanied with a green Privacy Rights Icon .

 

The national debate about privacy

The CCPA is one of the first major privacy laws passed by a state that will no doubt have an impact on how other jurisdictions choose to craft their own legal standards for privacy. It may also become a foundation for a future federal privacy law in the US.

Already, several US house representatives and senators have introduced their own privacy legislation. These bills and the accompanying debate about a federal privacy standard juggle a number of different ideas about what a national law should include – such as a private right of action, special protections for certain data types, an expansion of the Federal Trade Commission’s enforcement power, and restrictions on algorithmic decision-making. To guide these legislative efforts, members of the business community have prepared their own proposals, such as Privacy for America’s framework, while consumer protection advocates have advanced their own recommendations for privacy protections. Notably, part of this debate covers whether state laws like the CCPA should be “preempted” by a single federal standard and whether the CCPA’s protections should serve as a baseline for a federal privacy law or represent the maximum level of consumer protection.

 

Keep in mind your rights and responsibilities

The dialogue about data privacy and legal rights and obligations that emerge from this space will no doubt evolve as the world continues to become more interconnected. If you’re a California consumer, be aware of new options for requesting and deleting data that might become available to you this year as a result of this change in California law. And if you’re doing business with California residents, make sure to speak to your attorney about complying with the CCPA. 

 
The Digital Advertising Accountability Program protects consumers' privacy online by providing independent, third-party enforcement of cross-industry best practices governing the collection and use of data in online interest-based advertising. The Accountability Program also provides guidance to companies looking to come into compliance with the DAA’s principles and responds to complaints filed by consumers about online privacy.


Other Blog Articles

Blog

Harmful Stereotyping in Advertising Must Not Be a “Forever Problem”

Though the annual celebration of Black History Month is drawing to a close, the plethora of issues raised by the study of Black history must always remain top of mind. For those of us who work in truth in advertising at BBB National Programs’ National Advertising Division (NAD), we are paying very close attention to the issues of diversity and stereotyping, as presented in various forms of advertising. Developing a mechanism to addressing representation in advertisements would not be simple, but the time is now to start the conversation. Harmful stereotypes in advertising must not be a forever problem.
Read more
Blog

5 Tips for Truthful and Transparent Influencer Marketing and Product Reviews

BBB National Programs’ National Advertising Division is dedicated to truth-in-advertising. To help you ensure that influencer marketing and the use of product reviews in your advertising is both transparent and truthful, we offer the following five tips.
Read more
Blog

In 2021, Consumer And Stakeholder Privacy Is About Defining Trust

As business and nonprofit leaders navigate the Fourth Industrial Revolution, consumer and stakeholder privacy has become a matter of defining trust. As new digital services and connected devices fueled by personal data flourish, consumers’ reasonable expectation of privacy shifts. If expectations do not match reality, it can lead to gaps in trust and new paths for litigation and regulatory enforcement. In this piece I outline a few 2021 privacy developments business and nonprofit leaders should note.
Read more
Blog

Broadening the Definition of Express and Implicit Representation in Children’s Advertising

One way to gauge exactly how far we have come in implementing diversity and inclusion is by analyzing what we see on our screens, particularly in advertising. The Children’s Advertising Review Unit (CARU) recognizes the special vulnerabilities of children with their limited knowledge, experience, sophistication, and maturity and often places itself in children’s shoes to gain insight when assessing the role advertisement has in shaping their perception.
Read more