In June 2018 California passed the California Consumer Privacy Act (CCPA). The act requires large companies that collect data from more than 50,000 individuals per year, and that have more than $25 million in annual revenue, to adhere to stricter user privacy standards. The law gives people more rights when it comes to knowing how their information is gathered, stored, processed and shared.
What Does the California Consumer Privacy Act (CCPA) Do?
The CCPA was heavily influenced by the privacy regulation, The General Data Privacy Regulation (GDPR), that went into effect in May 2018 in Europe. California officials and privacy advocates recognized the problems and concerns that these large scale data collection organizations were causing. The law protects the rights of California residents and anyone who does business in the State of California.
The purpose of the CCPA is to give California residents more rights:
- People should know what personal information a company collects about them.
- People should know if their personal data is sold or shared, and with whom.
- People should have the power to say no to having their information sold or shared.
- People should have access to their information, even after it’s been collected and stored.
- People should not have to pay extra or be offered a different service if they choose to use their privacy rights.
What Types of Data are Protected?
The CCPA applies to a broad range of “personal information”, which it defines as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The CCPA gives a list of standard data points, including Social Security numbers, drivers’ license numbers and purchase histories, but also “unique personal identifiers” which include device identifiers and other internet tracking methods.
Who Does CCPA Apply To?
The CCPA applies to any business organization (or any for-profit entity) that collects and uses customers’ personal data, which does business in California and meets at least one of the following criterion:
- Has annual gross revenues of over $25 million;
- Possesses the personal information of 50,000 or more consumers, households, or devices; or
- Earns more than half of its revenue from selling customers’ personal information.
It’s no coincidence that California is a leader in this type of regulation. California is home to tons of tech companies that meet these criteria. For example, Facebook, Google, Apple and Netflix all operate in California. But these companies’ user-bases are dispersed all across the United States and around the world.
Why Do Other States Need Laws like This?
Just because the biggest tech companies are based in California, doesn’t mean similar regulations can’t be used in other states. Facebook has millions of users in most states in the US, so it would meet the qualifications if the same criteria were put in place in other states.
Current federal regulations on consumer privacy simply don’t do enough to protect people and their information. Many current laws have been in place for over 10 years, which means they have a hard time applying to modern technologies and data use. According to the National Conference of State Legislatures’ list of state laws related to internet privacy, California is one of a few states to implement internet privacy laws at the state level. Tech companies like Facebook and Google have been left alone to self regulate for much of their existence, but they’ve grown much more powerful and influential in the recent years.
Why Is Regulating Tech Companies Important?
Facebook, Google, Apple, and other giant tech companies are already showing monopolistic tendencies. Their influence is unmatched, and that influence is steadily growing as they acquire more data and maximize their profits. If we let these companies continue on their set path, which generally has very little regard for user-privacy, we risk letting them grow to a scary level of power and influence.
However, there are some concerns with government regulation of tech companies. The biggest indicator that this is a bad idea are the Senate hearings that high ranking officials from Facebook, Google, and other tech companies had in 2018. There is a massive knowledge gap between what Senators understand about how companies like Facebook work. It makes more sense to let tech companies regulate themselves, since they have the best understanding of how their products actually work.
According to The Guardian, businesses like Uber and Facebook argue “the existing rules are too outdated to apply to them at all.” There is a fairly widespread idea that tech giants need to be regulated, but the people in power to do so have no clue where to start.
What Should Businesses Do?
Preparation for the CCPA going into effect is very similar to the steps organizations took to make sure they were compliant when GDPR went into effect. The New Jersey Law Journal recommends that businesses map out which information they collect from users and what they need to disclose to each user.
Businesses will also need to verify that their practices are in line with the new regulations. This process will be quick and simple for some businesses. Others will have a hard time revamping their entire data ecosystem. The bill was passed in June 2018, but will not be in full effect and enforceable until January 1, 2020.