California Consumer Privacy Act

From SI410
Frameworks like the CCPA require companies to share their Data Privacy Policies with consumers. [1]

The California Consumer Privacy Act (CCPA) is a new California law that gives consumers greater control over the personal information that businesses and organizations collect about them. The legislation was enacted in part as a response to customers' growing skepticism about how firms were handling their personal information, particularly in the wake of several high-profile security breaches at financial institutions [2]. Although it applies only to California residents, the law provides consumers with a number of important rights: the right to know what information a business has on them and how it is used or shared, the right to have collected personal information deleted, the right to opt out of the sale of collected personal information, and the right to avoid being penalized or discriminated against for exercising their CCPA rights. Business owners are also required to issue written notices to customers outlining their privacy policies [3]. Consumers and corporations are distinct stakeholders in this innovative legislation. Each side has strong beliefs about the law and how it affects its own best interests, and they are both right. The CCPA can also be compared to other similar frameworks, which provides a more objective perspective on the effectiveness of the law [4].

History

When the 2014 JP Morgan Chase data breach happened, the inner workings of the California Consumer Privacy Act were still in the early stages of development. Sensitive information of third parties was exposed for more than a month before the breach was discovered. Consumers were frightened by the amount of personal information that these huge organizations acquired, and their distrust in corporations increased significantly as a result [5].

Although an early version of the CCPA was drafted in 2017, its implementation was delayed by opposition from institutional authorities such as big technology corporations. In 2018, a privacy advocate named Alastair Mactaggart worked with the legislature to bring the legislation back to a vote. The bill passed, and it represented a significant step forward in the protection of consumer data privacy [6]. It formally took effect and began to be enforced in early 2020.

Personal Information

It should be emphasized that the CCPA's definition of "personal information" includes a broad range of technological data identifiers. Personal information is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” in the 2018 version of the CCPA [7].

According to the CCPA's definition of personal information, "information" does not have to be of a specific sort. As a result, both electronic data and paper files are subject to the jurisdiction of the CCPA. The definition of “personal information” concludes with the phrase “with a particular consumer or household.” This means that the CCPA applies not just to natural individuals but also to persons and properties related to them. A consumer or a household is covered by the CCPA if any information is related to or associated with them. Because the term "household" is not defined anywhere else in the CCPA, it is unclear what types of data can be categorized as "household" information [8].

The CCPA provides a collection of personal information examples that can be used to better understand what falls within its jurisdiction. Examples of this include, but are not limited to, the following [9]:

  • Real names, pseudonyms, addresses (physical and virtual), unique personal identifiers, email addresses and account names
  • Geographical Indications
  • Information pertaining to a professional or job situation
  • Information about commercial transactions, such as records of personal property, products or services acquired and contemplated, or other purchasing or consuming histories or habits
  • A consumer's browsing history and search history, in addition to information on the consumer's interaction with an Internet website, application, or ad
  • Inferences drawn from any of this information to develop a profile of a consumer reflecting the preferences, traits, psychological patterns, predispositions, conduct, attitudes, intelligence, abilities, and aptitudes of the consumer

It is vital to remember that public information does not fall under the definition of "personal information" as defined by the CCPA. Due to the lack of a formal definition of what constitutes publicly available information, the interpretation is based on what financial institutions reasonably believe to be publicly available information [10].

CCPA Rights and Obligations

Consumers have certain rights under the California Consumer Privacy Act, which businesses are expected to protect to the greatest extent possible. These rights include the following: the right of access, the right to opt-out, the right to deletion, and the right to be free from retaliation or discrimination as a result of exercising one's rights under the California Consumer Privacy Act. Despite the fact that this regulation does not prevent personal information from being compromised in the event of a data breach, it does significantly elevate the relevance of data privacy for the consumer in general.

Compliance

The CCPA applies to businesses that meet any of the following conditions [11]:

  • Have a gross annual revenue of over $25 million;
  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

The CCPA also only applies to for-profit organizations, so non-profit organizations and government agencies do not fall under the jurisdiction of this law.

Right of Access

The CCPA defines the consumers’ Right of Access as such: “A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.”[12] Once a customer has requested information from a corporate entity, the business entity is subject to a number of legal requirements. As long as the request is determined to be verifiable, the business must respond to the request by producing the desired information within 45 days of receipt of the request. It is advised that businesses retain records of CCPA requests, as well as the business's responses to those requests, for a period of at least 24 months after the request was received [13].

When a consumer requests their personal information from a business entity, they can expect the disclosure of the following [14]:

  • The types of personal information about a consumer that has been collected by the business
  • The types of sources from which personal information is obtained 
  • The business or commercial reason for which personal information is collected or sold
  • The types of third parties with whom the organization shares personal information
  • The exact pieces of personal information about that consumer that it has gathered

In order to increase accessibility for users seeking to exercise their “Right to Access”, businesses are required to make it easier for consumers to create requests. The business must give at least two designated means for customers to make requests for information, “including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address” according to the regulations [15].

Right to Opt-Out

Consumers have the "right to opt out" of the sale of their personal information under the terms of the CCPA. Consumers must be informed of this right under the new legislation, and if a consumer actively opts out, the business will not be able to sell the consumer's information again until the consumer later provides the business with express authority [16].

Businesses must provide clear, explicit notice to their customers so that it is obvious that they have the option to "opt out." Providing a link to their website's documentation of their privacy policies would be an example of this. Minors are not given the option to opt out of the sale of their information; instead, they are only offered the option to opt in to the sale of their information. As a result, businesses will have a harder time selling the personal information of younger consumers (ages 13-16) [17]. There is a process for businesses to follow when a consumer requests an opt-out. Consumers who contact businesses and request that their information not be sold for marketing purposes should be granted this request for a period of at least one year. After this term expires, the company may contact the customer to ask for consent to sell their personal information once more. This helps preserve the transparency and integrity of both parties concerned [18].

Right to Deletion

Consumers have the right to request that businesses delete any personal information that has been collected on them through various means. This also obligates the company to instruct its service providers to remove any personal information about the customer. There are cases where the business can deny the consumer’s request. The following are some of the most frequently cited reasons [19]:

  • “The business cannot verify your request”
  • “To complete your transaction, provide a reasonably anticipated product or service, or for certain warranty and product recall purposes”
  • “For certain business security practices”
  • “For certain internal uses that are compatible with reasonable consumer expectations or the context in which the information was provided”
  • “To comply with legal obligations, exercise legal claims or rights, or defend legal claims”
  • “If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA”

Right to be Free from Retaliation or Discrimination

Businesses are prohibited from retaliating or discriminating against individuals who have exercised their rights under the CCPA by refusing them products or services, or even by providing goods and services of a lower or higher quality. Any attempt to dissuade consumers from using their rights in this manner is prohibited by the Consumer Product Safety Commission. Businesses, on the other hand, can offer different services and charge different rates to consumers who have exercised their rights, as long as the distinction can be “reasonably related to the value provided to the consumer by the consumer’s data.”[20]

Enforcement

If a business is found to be in breach of the CCPA and does not correct the violation within 30 days, the business may be subject to civil penalties of up to $7,500 per infraction [21].

The CCPA requires businesses to inform consumers about their rights in a certain manner and to provide them with the tools to exercise those rights without charging them a fee. For example, under CCPA, firms must include an explanation of a consumer's "right to know" in their privacy policy or on their website, as well as "one or more designated methods" for making requests. The CCPA also requires businesses to train their staff who are responsible for managing customer enquiries on the company's obligations as well as how to help consumers in the exercise of their legal rights under the law. Businesses must also provide a "clear and conspicuous link" on their homepage that reads "Do Not Sell My Personal Information." Due to ambiguity in the statute regarding how consumers must be informed of their right to delete, it is possible that a future regulation or change to the statute will be required to address the issue[22].

Stakeholders

Corporations and consumers have strong feelings about the California Consumer Privacy Act policies. The corporate actors contend that data privacy is merely a commodity for the user, whereas consumer advocates say that data privacy is a fundamental right for all people [23].

Corporate Point-of-View

A number of corporate arguments have been compiled in the following section[24]:

Several corporate actors have asserted that the CCPA's provisions will have unforeseen implications in the future. Users would face considerable security risks as a result of the stringent requirements, which will make it easier for fraudulent requests to be granted approval.

The CCPA's rules are made more difficult to follow by the ambiguous definitions of some important terminology. For example, the terms "household information" and "personal information" can refer to a broad range of data, and it would be up to the businesses to fairly assess what constitutes such information.

Corporate attorneys contend that exclusions from loyalty programs should not be considered discriminatory under the anti-discrimination statute. This would be consistent with the CCPA's provision for firms to charge different prices or provide lower quality services to consumers who opt out, as long as the difference is a reasonable difference from what their data would be worth otherwise.

Corporations argue that the CCPA's rigorous standards will have an adverse economic impact on their operations. There is also the issue of some firms growing too quickly: they may not be prepared to comply with the CCPA's rules simply because they did not anticipate their growth to be so significant so quickly. It may take a significant amount of time for a company to be fully prepared to comply with all of the CCPA's policies. Other concerns have been highlighted, such as the fact that smaller firms may be impacted more severely than larger organizations, as they will not have the same ability to comply with all of the laws as larger businesses. The effect on the digital economy would be one of the most significant economic repercussions. Because consumer data is an important aspect of businesses' operations, both online and offline, they rely on it to target virtual advertisements to promote their businesses. Putting restrictions on the instruments that entrepreneurs might use to build their businesses will cause economic growth in digital markets to stagnate.

Consumer Point-of-View

A number of consumer arguments have been compiled in the following section[25]:

Consumer advocates believe it is becoming increasingly crucial that laws such as the California Consumer Privacy Act (CCPA) are present in the society in which we currently live. In a technologically advanced world where technology is used for practically all aspects of our lives, it is necessary to have regulations in place to prevent data breaches from occurring, which might expose millions of people to risk. According to consumers, while corporations are concentrating on the unforeseen repercussions that may occur in the future, consumers are attempting to govern current data activities by looking back at historical events.

Consumers contend that the definitions given by the CCPA are correct and that they should be broad in scope in the general case. They contend that broad definitions are the most effective means of safeguarding customers' data privacy rights.

When it comes to the problem of the nondiscrimination clause, consumers want businesses to be transparent about how they assess the difference in prices or quality of goods and services based on the value derived from the data of consumers.

Consumer literacy was a major issue of contention for those who advocated for users. It is critical that consumers are fully aware of their rights under the CCPA and that they have easy access to this information. It is not sufficient for businesses to give users a notification that consists of a long block of text that contains technical computer jargon, followed by a large button that states, "I have read and understood." Several consumers have argued that standard practices such as these should be changed, and that increasing legal literacy so that the general public can understand the law is essential for the law to be successful.

Similar Privacy Frameworks

In addition to the California Consumer Privacy Act, there are several current privacy frameworks that can be compared to it, with one of the most relevant being the General Data Protection Regulation (GDPR). The GDPR was implemented in May 2018 with the goal of protecting the personal data of users residing in the European Union. It offers a set of principles that will make it easier for enterprises to comply with regulatory requirements, allowing everyone in the EU to profit from the digital economy[26].

Both the CCPA and the GDPR legislation were put in place to protect users in a world where technology is becoming increasingly pervasive, and the value of user data has risen to incomparable heights. The GDPR, like the CCPA, does not apply just to businesses based in or operating within the European Union. It applies to any company that holds information about users from the European Union. Both regulations impose fines on businesses that fail to comply with their policies[27].

The following are some of the most significant differences between the two pieces of legislation:

  • Consumers who are EU citizens or residents are protected under the GDPR. Consumers who have briefly resided in the EU are included in this category. The CCPA, on the other hand, only protects users who can be identified as California residents[28]. Despite the fact that both the CCPA and the GDPR have an impact on global businesses, the GDPR has a considerably broader reach.
  • The CCPA allows users the right to refuse the sale of their personal information, but the GDPR does not contain that exact provision. User consent is not required; instead, users are given the opportunity to "withdraw his or her consent at any moment,"[29] but firms are still permitted to sell personal information until the request is granted.
  • The GDPR protects personal information that is also publicly available, whereas the CCPA does not protect a user's public information that is publicly available. Individuals covered by the GDPR are afforded far greater protection than those covered by the CCPA[30].
  • Unlike the GDPR, the CCPA is concerned with nondiscrimination against persons who make use of their CCPA rights [31].

References

  1. Why Washington state could finally pass data privacy laws with a bill backed by the tech industry https://www.geekwire.com/2021/washington-state-finally-pass-data-privacy-laws-bill-backed-tech-industry/
  2. Davis, Lauren. "The Impact of the California Consumer Privacy Act on Financial Institutions Across the Nation." North Carolina Banking Institute, vol. 24, Mar. 2020, pp. 499+. Gale Academic OneFile, link.gale.com/apps/doc/A619741660/AONE?u=umuser&sid=bookmark-AONE&xid=fd7dd585. Accessed 28 Jan. 2022.
  3. Bukaty, Preston. The California Consumer Privacy Act (CCPA) : An Implementation Guide, IT Governance Ltd, 2019. ProQuest Ebook Central, https://ebookcentral-proquest-com.proxy.lib.umich.edu/lib/umichigan/detail.action?docID=5798680.
  4. Das, Ravi. “Cybersecurity Risk.” Assessing and Insuring Cybersecurity Risk, 2021, pp. 112–115., https://doi.org/10.1201/9781003023685-1.
  5. Davis, Lauren. "The Impact of the California Consumer Privacy Act on Financial Institutions Across the Nation." North Carolina Banking Institute, vol. 24, Mar. 2020, pp. 499+. Gale Academic OneFile, link.gale.com/apps/doc/A619741660/AONE?u=umuser&sid=bookmark-AONE&xid=fd7dd585. Accessed 6 Feb. 2022.
  6. Baik, Jeeyun (Sophia). “Data Privacy against Innovation or against Discrimination?: The Case of the California Consumer Privacy Act (CCPA).” Telematics and Informatics, vol. 52, 2020, p. 101431. Crossref, https://doi.org/10.1016/j.tele.2020.101431.
  7. Baik, Jeeyun (Sophia). “Data Privacy against Innovation or against Discrimination?: The Case of the California Consumer Privacy Act (CCPA).” Telematics and Informatics, vol. 52, 2020, p. 101431. Crossref, https://doi.org/10.1016/j.tele.2020.101431.
  8. Bukaty, Preston. The California Consumer Privacy Act (CCPA) : An Implementation Guide, IT Governance Ltd, 2019. ProQuest Ebook Central, https://ebookcentral-proquest-com.proxy.lib.umich.edu/lib/umichigan/detail.action?docID=5798680.
  9. Bukaty, Preston. The California Consumer Privacy Act (CCPA) : An Implementation Guide, IT Governance Ltd, 2019. ProQuest Ebook Central, https://ebookcentral-proquest-com.proxy.lib.umich.edu/lib/umichigan/detail.action?docID=5798680.
  10. Davis, Lauren. "The Impact of the California Consumer Privacy Act on Financial Institutions Across the Nation." North Carolina Banking Institute, vol. 24, Mar. 2020, pp. 499+. Gale Academic OneFile, link.gale.com/apps/doc/A619741660/AONE?u=umuser&sid=bookmark-AONE&xid=fd7dd585. Accessed 6 Feb. 2022.
  11. “California Consumer Privacy Act (CCPA).” State of California - Department of Justice - Office of the Attorney General, 27 Jan. 2022, https://oag.ca.gov/privacy/ccpa.
  12. Bukaty, Preston. The California Consumer Privacy Act (CCPA) : An Implementation Guide, IT Governance Ltd, 2019. ProQuest Ebook Central, https://ebookcentral-proquest-com.proxy.lib.umich.edu/lib/umichigan/detail.action?docID=5798680.
  13. Davis, Lauren. "The Impact of the California Consumer Privacy Act on Financial Institutions Across the Nation." North Carolina Banking Institute, vol. 24, Mar. 2020, pp. 499+. Gale Academic OneFile, link.gale.com/apps/doc/A619741660/AONE?u=umuser&sid=bookmark-AONE&xid=fd7dd585. Accessed 6 Feb. 2022.
  14. Bukaty, Preston. The California Consumer Privacy Act (CCPA) : An Implementation Guide, IT Governance Ltd, 2019. ProQuest Ebook Central, https://ebookcentral-proquest-com.proxy.lib.umich.edu/lib/umichigan/detail.action?docID=5798680.
  15. Bukaty, Preston. The California Consumer Privacy Act (CCPA) : An Implementation Guide, IT Governance Ltd, 2019. ProQuest Ebook Central, https://ebookcentral-proquest-com.proxy.lib.umich.edu/lib/umichigan/detail.action?docID=5798680.
  16. Holmes, Eric N. California Dreamin’ of Privacy Regulation : The California Consumer Privacy Act and Congress. [Library of Congress public edition]., Congressional Research Service, 2018-.
  17. Davis, Lauren. "The Impact of the California Consumer Privacy Act on Financial Institutions Across the Nation." North Carolina Banking Institute, vol. 24, Mar. 2020, pp. 499+. Gale Academic OneFile, link.gale.com/apps/doc/A619741660/AONE?u=umuser&sid=bookmark-AONE&xid=fd7dd585. Accessed 6 Feb. 2022.
  18. Bukaty, Preston. The California Consumer Privacy Act (CCPA) : An Implementation Guide, IT Governance Ltd, 2019. ProQuest Ebook Central, https://ebookcentral-proquest-com.proxy.lib.umich.edu/lib/umichigan/detail.action?docID=5798680.
  19. “California Consumer Privacy Act (CCPA).” State of California - Department of Justice - Office of the Attorney General, 27 Jan. 2022, https://oag.ca.gov/privacy/ccpa.
  20. Bukaty, Preston. The California Consumer Privacy Act (CCPA) : An Implementation Guide, IT Governance Ltd, 2019. ProQuest Ebook Central, https://ebookcentral-proquest-com.proxy.lib.umich.edu/lib/umichigan/detail.action?docID=5798680.
  21. Holmes, Eric N. California Dreamin’ of Privacy Regulation : The California Consumer Privacy Act and Congress. [Library of Congress public edition]., Congressional Research Service, 2018-.
  22. Holmes, Eric N. California Dreamin’ of Privacy Regulation : The California Consumer Privacy Act and Congress. [Library of Congress public edition]., Congressional Research Service, 2018-.
  23. Baik, Jeeyun (Sophia). “Data Privacy against Innovation or against Discrimination?: The Case of the California Consumer Privacy Act (CCPA).” Telematics and Informatics, vol. 52, 2020, p. 101431. Crossref, https://doi.org/10.1016/j.tele.2020.101431.
  24. Baik, Jeeyun (Sophia). “Data Privacy against Innovation or against Discrimination?: The Case of the California Consumer Privacy Act (CCPA).” Telematics and Informatics, vol. 52, 2020, p. 101431. Crossref, https://doi.org/10.1016/j.tele.2020.101431.
  25. Baik, Jeeyun (Sophia). “Data Privacy against Innovation or against Discrimination?: The Case of the California Consumer Privacy Act (CCPA).” Telematics and Informatics, vol. 52, 2020, p. 101431. Crossref, https://doi.org/10.1016/j.tele.2020.101431.
  26. Wolford, Ben. “What Is GDPR, the EU’s New Data Protection Law?” GDPR.Eu, 13 Feb. 2019, gdpr.eu/what-is-gdpr.
  27. Kucera, Danielle. “CCPA vs. GDPR: Similarities and Differences Explained.” Okta, Inc., 18 Jan. 2022, www.okta.com/blog/2021/04/ccpa-vs-gdpr.
  28. Das, Ravi. “Cybersecurity Risk.” Assessing and Insuring Cybersecurity Risk, 2021, pp. 112–115., https://doi.org/10.1201/9781003023685-1.
  29. Davis, Lauren. "The Impact of the California Consumer Privacy Act on Financial Institutions Across the Nation." North Carolina Banking Institute, vol. 24, Mar. 2020, pp. 499+. Gale Academic OneFile, link.gale.com/apps/doc/A619741660/AONE?u=umuser&sid=bookmark-AONE&xid=fd7dd585. Accessed 7 Feb. 2022.
  30. Baik, Jeeyun (Sophia). “Data Privacy against Innovation or against Discrimination?: The Case of the California Consumer Privacy Act (CCPA).” Telematics and Informatics, vol. 52, 2020, p. 101431. Crossref, https://doi.org/10.1016/j.tele.2020.101431.
  31. J. Kessler. “Data protection in the wake of the GDPR: California’s solution for protecting the world’s most valuable resource” S. Cal. L. Rev., 93 (2019), pp. 99-128