What is the California Consumer Privacy Act?

May 20, 2020, 09:00 AM by BBB National Programs

Most Americans are unsure about how their personal data is collected, used, and shared (collectively, processed) by companies, and desire government-mandated protections to ensure they are not harmed by this activity. In the absence of federal consumer privacy legislation, the California State Legislature has stepped in to protect its residents’ privacy. The California Consumer Privacy Act (CCPA) empowers state residents to learn more about how companies process their personal data, demand that companies delete their data, and prohibit companies from selling their data.

 

Transparency

The CCPA requires companies to explain how they process California residents’ personal data in three ways.

First, the legislation gives each resident the right to obtain from a company a report about how and why it collects personal information. Personal information is personal data, broadly defined to include – in part – anything that can be used to identify a specific individual, such as one’s name, persistent identifier (e.g., a browser cookie or mobile device identification number), employment history, credit card number, protected class characteristics (such as race), biometric data (e.g., a facial image), web browsing history, geolocation data, and any inferences drawn from such data. Collection is also defined broadly to include “buying, renting, gathering, obtaining, receiving, or accessing . . . by any means . . . . either actively or passively.”

A data collection report must include a copy of the specific pieces of information collected about that resident, as well as lists of the general categories of personal information collected by that company, categories of data sources, categories of third parties with which personal information is shared, and the purposes for which the personal information is used.

Second, a resident has the right to obtain a report about the sale of their personal information. Upon request, a company must provide a report that includes the categories of information collected by the company, and a list of specific third parties to which the company sells personal information, along with the categories of personal information sold to each third party. Sale is defined broadly to include the exchange of data for money or anything else of value. 

Third, the CCPA requires a company to describe its data processing practices and users’ CCPA rights in its privacy policy or an equivalent notice, and also provide dedicated webpages or other methods for residents to submit CCPA requests.

 

Control

The CCPA also gives Californians more control over how their personal data is used.

A resident can demand that a company delete their personal information, unless that information is necessary for a business purpose, such as cybersecurity. When a resident exercises this right, the company must also ensure that entities performing “business purpose” functions delete the data.

 A resident can also prohibit future sales of their personal data. Every company to which the statute applies must provide a conspicuous “Do Not Sell My Personal Information” hyperlink on its homepage, through which a resident can submit a no-sale request. 

 

Nationwide effect

In the auto industry, companies may apply California’s relatively high consumer privacy standards nationwide. Uniform standards are more easily implemented, especially in the case of the CCPA, which applies to California residents physically present in other states. Also, adhering to more protective standards can boost a company’s reputation. Microsoft has already decided to honor CCPA rights nationwide. Moreover, California’s status as the fifth largest global economy makes it difficult for large American companies to avoid availing themselves to their compliance obligations with the CCPA. Thus, due to the size and reach of California’s economy, the ease of adapting a uniform law, and the reputational benefits that come with adapting consumer privacy protections, companies may choose to make the CCPA their de facto national privacy standard.

 

Industry response

While some members of the advertising technology community have criticized the CCPA, industry stakeholders have worked to develop their own technical specifications and tools to help companies come into compliance with the law.  The Interactive Advertising Bureau, an advertising business organization, recently released a framework to help publishers and technology companies achieve compliance with the CCPA. The Digital Advertising Alliance (DAA) also announced new mechanisms to help companies provide a “Do Not Sell My Personal Information” link on their websites in the form of text accompanied with a green Privacy Rights Icon .

 

The national debate about privacy

The CCPA is one of the first major privacy laws passed by a state that will no doubt have an impact on how other jurisdictions choose to craft their own legal standards for privacy. It may also become a foundation for a future federal privacy law in the US.

Already, several US house representatives and senators have introduced their own privacy legislation. These bills and the accompanying debate about a federal privacy standard juggle a number of different ideas about what a national law should include – such as a private right of action, special protections for certain data types, an expansion of the Federal Trade Commission’s enforcement power, and restrictions on algorithmic decision-making. To guide these legislative efforts, members of the business community have prepared their own proposals, such as Privacy for America’s framework, while consumer protection advocates have advanced their own recommendations for privacy protections. Notably, part of this debate covers whether state laws like the CCPA should be “preempted” by a single federal standard and whether the CCPA’s protections should serve as a baseline for a federal privacy law or represent the maximum level of consumer protection.

 

Keep in mind your rights and responsibilities

The dialogue about data privacy and legal rights and obligations that emerge from this space will no doubt evolve as the world continues to become more interconnected. If you’re a California consumer, be aware of new options for requesting and deleting data that might become available to you this year as a result of this change in California law. And if you’re doing business with California residents, make sure to speak to your attorney about complying with the CCPA. 

 
The Digital Advertising Accountability Program protects consumers' privacy online by providing independent, third-party enforcement of cross-industry best practices governing the collection and use of data in online interest-based advertising. The Accountability Program also provides guidance to companies looking to come into compliance with the DAA’s principles and responds to complaints filed by consumers about online privacy.

Other Blog Articles

Blog

Status Update on Transatlantic Data Transfers: Building Bridges Takes Time

As 2020 draws to a close it is a good time to reflect on learnings about the future of authorized transatlantic data transfer mechanisms. In light of Brexit and continuing developments surrounding Schrems II, we discuss what the structure of the current Privacy Shield Framework can teach us much about what future commercial transfer mechanisms are likely to look like, as well as what businesses can do to shore up their compliance efforts.
Read more
Blog

Operation Income Illusion: A Positive Step by the FTC to Curb Deceptive Income Claims

The Federal Trade Commission (FTC)’s December 14 Operation Income Illusion initiative is a crackdown by the FTC and 19 federal, state, and local law enforcement partners against those that purport to offer significant income opportunities but that end up costing consumers thousands of dollars. This effort is consistent with an ongoing effort in the direct selling industry to ensure income claims are communicated truthfully and accurately.
Read more
Blog

CFBAI and CCAI 2019 Report on Compliance and Progress Published

BBB National Programs has published the Children's Food and Beverage Advertising Initiative (CFBAI) and Children’s Confection Advertising Initiative (CCAI) Report on Compliance and Progress During 2019. The report finds excellent compliance by all companies participating in the programs from January 2019 – December 2019. The report also notes the CFBAI participants’ implementation of stricter Uniform Nutrition Criteria in 2020.
Read more
Blog

CARU’s Year in Review: Defining Kidvertising and Tackling Hot Topics Head On

During an uncertain year, the team at the Children’s Advertising Review Unit (CARU) stayed busy. Through casework, online conferences, an evolving technology landscape, updates to policy and guidelines, and new thought leadership, our efforts furthered our mission to help companies comply with the laws and guidelines that protect children and their personal data.
Read more