Privacy and protection of personal information has almost always seemed like it should be a basic human right everywhere in the world, not only in the European Union where it has long been acknowledged as such. Within the last 10 years, however, that notion has been blurred by social media, the rise of online shopping, and subsequently the hacking of just about everything that lives on the Internet. For the longest time people have sort of just accepted this overreach and misuse of their personal information as the price you pay for using the Internet. Sure, maybe they delete Facebook for a while or change their passwords, but now that is starting to seem like it is not enough and governments from around the world are beginning to step in, in a big way.
The End of the Wild West
Over the past 10 years the world has embraced ubiquitous data and instant commerce while organizations have become accustomed to playing fast and loose with individuals’ personal data. It has been the Wild West, where personal data is misused and shared for gain with little consideration for an individual’s right to privacy and protection. Examples abound, but the current poster children are Facebook and Cambridge Analytica where a tangled web resulted in the sale and misuse of the personal data of 87 million Facebook users.
The Beginning of a New Era of Privacy
Fortunately, those days of unabashed sharing of personal data are becoming a thing of the past. No longer can companies profit off of handling your data with reckless abandon. We are now entering a new age, a time where your personal data is yours and misuse will not be tolerated. You own it and you control it. The trend is undeniable, as evidenced by the involvement of governments on a worldwide scale. Recent legislation enacted by the European Union and the State of California intends to stop the madness and hold organizations to a higher standard of transparency and accountability. These regulations are destined to establish a sturdy backbone for the privacy movement.
The EU General Data Protection Regulation (GDPR) became effective on May 25, 2018 and levies fines of up to 20 million Euros (or 4% of revenue) on the most egregious offenders. GDPR has been a seismic event for organizations processing the personal data of EU residents. The European Union certainly means business.
So if GDPR is the earthquake, then the California Consumer Privacy Act of 2018 (CCPA) is a powerful aftershock. Passed into law on June 28, 2018 and effective on January 1, 2020, the Act will impact the data privacy landscape in the US much like GDPR has impacted the privacy practices of organizations that handle the personal data of EU residents. CCPA is claimed to be the strictest and most comprehensive privacy and data security law in the history of the US.
Let's take a closer look at some of the highlights of the CCPA, including the definition of personal information and the new set of rights introduced by the CCPA. The second part of this blog will elaborate on the scope of the CCPA in terms of businesses covered and their obligations, while Part 3 will discuss the enforcement of CCPA and what businesses should do to become CCPA-compliant from a practical point of view.
The NEW definition of Personal Information
The CCPA, similar to GDPR, has significantly expanded the definition of personal information to include any information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
It encompasses the following groups of personal data as examples:
- “Traditional” personal information: Real name, alias, postal address, telephone number, electronic mail address, social security number, driver's license number, passport number, or other similar identifiers and records of property.
- Online identifiers and tracking data: A unique pseudonym, or user alias, account name, device identifier, Internet Protocol address, cookies, beacons, pixel tags, mobile ad identifiers, or similar technology, including any “persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services”.
- The brand-new category of “Probabilistic identifiers”: This refers to identifiers that are capable of singling out “a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information”.
- Behavioral data: This includes “products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies”, and “Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement”.
- Profiling data: Including “inferences drawn from any of the information identified … to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes”.
- Professional, employment-related, background and education information: Including “characteristics of protected classifications under California or federal law”.
- Other types of data included: Biometric data, Geolocation data, and Sensory data (audio, electronic, visual, thermal, olfactory, or similar information).
This new definition of personal information represents an extreme expansion of how personal information has been defined in the United States for privacy purposes and aims to impose more stringent privacy standards on most businesses, including digital advertising and analytics. It would be hard to think of any personal data element that is not covered by this definition.
In response to this new definition, most businesses will be required to reconsider their current understanding of personal information and reassess how they handle personal data.
A New Set of Privacy Rights
The CCPA aims to empower consumers by giving them greater control over their data through a new set of privacy rights.
- The Right of Access: The CCPA grants consumers the right to request a business to provide (1) the personal information collected, sold or disclosed about them, (2) the sources from which the information was collected, (3) the business purposes for collecting or selling the information, and (4) the third parties with whom the information is shared.
- The Right to Disclosure: The CCPA requires businesses to disclose to consumers, at or before the point of collection, (1) what and (2) why their personal information is collected and used, (3) whether the business sells or shares their personal information and if so, what personal data, (4) a description of their rights under the CCPA, and (5) how to exercise those rights.
- The Right to Deletion: The CCPA provides consumers with the right to request deletion of personal information based on their verified request, with certain exceptions (as discussed later in Part 2 of this blog).
- The Right to Opt-out of Sale: Consumers will have the right to opt out of the sale of their personal information.
- The Right to Opt-in for Children: The CCPA prohibits businesses from selling the personal information of children under the age of 13, unless their parents or guardians provide explicit consent (“affirmative authorization”). For children between the ages of 13 and 16, explicit consent should be obtained from the children themselves. Because this age group is rather active online and confirmation of age is not an easy task, this requirement has the potential to create a massive burden on California businesses.
- The Right to Equal Treatment: Businesses are not allowed to discriminate against consumers who exercise any of their new privacy rights under the CCPA, with certain exceptions. Businesses can charge a different price or provide consumers with a different quality of goods or services if the difference is reasonably related to the value provided by the consumer’s personal information. It is yet to be seen when and how businesses will be able to rely on this exception. (More on this exception in Part 2 of this blog. Stay tuned.)
As you can see, the CCPA is surely going to make waves for businesses, and that is not even the half of it. Keep an eye out for Part 2 of this blog where we elaborate on what businesses are covered by the CCPA and their respective obligations.
Do you have any questions or comments so far? Feel free to leave a comment below, we’d love to hear from you!