We all know that with the continued rise of consumer data breaches and growing privacy concerns, there have been massive changes occurring for many countries on privacy regulations.
The most recent and more publicized has been the EU General Data Protection Regulation (GDPR) which is the most significant change in data privacy regulation in 20 years. We at Return Path blogged extensively on GDPR last year about what it is and why it is important. Overall, the EU wants to give people more control over how their personal data is used, understanding that many online service providers like Facebook, Google, and others trade access to people’s data for use of these services. By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes to improve trust in the emerging digital economy. Additionally, the EU wants to give providers a simpler, clearer legal environment in which to operate, making data protection law equal throughout the combined EU market.
Privacy in the United States, however, is much different—as it is not viewed as a fundamental human right. The US doesn’t have one overarching privacy regulation but instead has a patchwork of industry, local, state, and federal laws. It’s typically an opt-out scheme with a dash of opt-in and notice. Privacy tends to vary by sector or industry like healthcare or finance.
In March 2018, the Cambridge Analytica scandal broke. The public learned that private data had been harvested from more than 50 million Facebook users, without their knowledge and consent. This private data was used to target political advertisements. Since this event, the demand for better data privacy rules increased significantly.
California’s new regulation—CCPA
Because of these and many issues, we have seen many states in the US over the years implement their own regulations in regard to privacy, also focusing on need by sector or industry continuing to be driven by the rise in consumer data breaches and growing privacy concerns. California has often led the way in the US on innovative privacy regulation and in June 2018 has passed the California Consumer Privacy Act (CCPA). The CCPA is a well-intentioned regulation, but somewhat flawed as it seeks to protect the data privacy of technology users and others by imposing new rules on companies that gather, use, and share personal data.
Now, at Return Path, privacy really does matter to us and our clients and we continue to support regulations that make sense to help protect the public, but also that don’t stifle innovation, or are confusing to implement, or that make it hard for users to use the Internet efficiently.
How did CCPA come to be?
In May 2018, 600,000 supporters signed a California ballot initiative on data privacy in support of presenting the initiative to voters. This was an impressive amount of support—nearly twice the number of signatures required to do so, however, ballot initiatives can be an imperfect way to conceive public policy on a complex subject like data privacy. Before an initiative is enacted, it can be difficult for stakeholders to improve an initiative’s content considering how it will be applied and affect the way we use technology and online services. This is a problem because an initiative can be difficult to amend after enactment. California legislators intended to do better, but they faced a June 28 deadline. Legislators rushed to meet this deadline, but that rush meant privacy advocates didn’t have much chance to weigh in before it was passed and ensure it made sense and was implementable. The CCPA was conceived and born in record time—two days—resulting in a comprehensive consumer privacy law that having been rushed into being, seems to occasionally suffer from redundancy, drafting errors, and lack of clarity.
This isn’t the first time that California has worked on privacy regulations. In 1972, California voted to include the right to privacy among the “inalienable” rights of all people. That right gave individuals the ability to control the use, including the sale of their personal information. The state followed with adopting privacy measures that include:
- Online Privacy Protection Act
- Privacy Rights for California Minors in the Digital World Act
- Shine the Light, a California law intended to give Californians the “who, what, where, and when” of how businesses handle consumers’ personal information.
With the CCPA, California lawmakers wrote in the bill text that “California law has not kept pace with these developments and the personal privacy implications surrounding the collection, use, and protection of personal information.” They cited the “devastating effects for individuals” with loss of privacy and the “misuse” of data by Cambridge Analytica. “California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information,” lawmakers wrote in the bill. “It is possible for businesses both to respect consumers’ privacy and provide a high level transparency to their business practices.”
So whom does the law apply to?
Well, businesses that meet the following thresholds have to follow the regulations
- Has annual gross revenues in excess of $25 million
- Annually buys, receives for the business’ commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
The law also gives Californians rights to the personal information about themselves. Californians now have the right to following:
- Know what personal information is being collected about them.
- Know whether their personal information is sold or disclosed and to whom.
- Say no to the sale of personal information.
- Access their personal information.
- Equal service and price, even if they exercise their privacy rights.
The law also puts new obligations on business to inform citizens rights to the personal information they have on citizens. Many of the new obligations include complying with consumer requests for their personal information and others require businesses to retain data they collect in certain instances such as:
- Disclose to a requesting consumer the categories and specific pieces of personal information the business has collected
- At or before the point of data collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used
- Disclose and deliver for free personal information as requested by consumers. Businesses are not required to provide personal information to a consumer more than twice in a 12-month period.
- Retain any personal information collected for a single, one-time transaction, if the information is not sold or retained by the business
- Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.
What are the fines?
Fines under the CCPA will cap at $7,500 per violation—and even that maximum penalty is reserved for only intentional violations of the CCPA; violations lacking intent will remain subject to the present $2,500 maximum fine under Section 17206 of the California Business and Professions Code. Of course, cumulative fines for large and systemic abuses may add up to be costly, but they are unlikely to be bank-breaking. Of greater financial concern to businesses is that the CCPA expressly paves the way for the right of natural persons to bring lawsuits for the breach of their “non-encrypted or non-redacted personal information”—even in the absence of evidence of actual damage. The CCPA allows individuals to recover between $100 and $750 per such incident—or greater in the showing of actual damages exceeding $750.
Now, since the inception of the law, many coalitions and other interested and or impacted parties have been working to file amendments to work on the redundancies, drafting errors, and lack of clarity. These amendments followed almost two months of intense lobbying by leading industry and consumer groups alike. Both groups want to see more changes, but consideration of those requests is now likely deferred until the legislature begins its new session in January 2019. While technically a small chance remains for additional changes to be made, observers say further changes at this time are very unlikely.
Over the next few weeks, our staff of experts plans on doing a deeper dive into the details of CCPA as we did with GDPR and how it will impact you and how you need to prepare for the upcoming change, so stay tuned for some more great information.