Difference between revisions of "California Consumer Privacy Act"

Revision as of 00:20, 7 February 2022

A new law in California, known as the California Consumer Privacy Act (CCPA), allows consumers greater control over the personal information that businesses and organizations collect about them. This legislation was enacted in part as a response to customers' growing skepticism about how firms were handling their personal information, particularly in the wake of several high-profile security breaches at financial institutions ^[1]. However, even though it is only applicable to California residents, the law provides consumers with a number of important rights, including the right to know what information a business has on them and how it is used or shared, the right to have collected personal information deleted, the right to opt-out of the sale of collected personal information, and the right to avoid being penalized or discriminated against for exercising their CCPA rights. The law is only applicable to California residents. Business owners are also required to issue written notices to customers outlining their privacy policies ^[2]. Consumers and corporations both have a stake in this innovative legislation, which has a number of distinct stakeholders. Each side has strong beliefs about the law and how it affects their own best interests, and they are both right. It's also possible to compare the CCPA to other similar frameworks, which will provide a more objective perspective on the effectiveness of the law ^[3].

History

When the 2014 JP Morgan Chase data breach happened, the inner workings of the California Consumer Privacy Act were still in the early stages of development. Sensitive information of third parties was exposed for more than a month before the breach was discovered. Consumers were frightened by the amount of personal information that these huge organizations acquired, and their distrust in corporations increased significantly as a result ^[4].

Despite the fact that an early version of the CCPA was drafted in 2017, its implementation was delayed due to opposition to the law by institutional authorities such as big technology corporations. In 2018, a privacy advocate by the name of Alaistair Mactaggart worked with the legislature to reintroduce the legislation to the vote. The bill was effectively passed, and it represented a significant step forward in the protection of consumer data privacy ^[5]. It became formally effective and began to be enforced in 2020, with the official start date being in early 2020.

Personal Information

To begin, it should be emphasized that the CCPA's definition of "personal information" includes a broad range of technological data identifiers. Personal information is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” in the 2018 version of the CCPA ^[6].

According to the CCPA's definition of personal information, "information" does not have to be of a specific sort. As a result, both electronic data and paper files are subject to the jurisdiction of the CCPA. The definition of “personal information” concludes with the following statement: “with a particular consumer or household.” This means that the CCPA does not just apply to natural individuals, but also persons and properties related to them. A customer or a household is covered by the CCPA if any information about them is related to or associated with them. In light of the fact that the term "household" is not defined anywhere else in the CCPA, it is unclear what types of data can be categorized as "household" information ^[7].

The CCPA provides a collection of personal information examples that can be used to better understand what falls within its jurisdiction. Examples of this include, but are not limited to, the following ^[8]:

• Real names, pseudonyms, addresses (physical and virtual), unique personal identifiers, email addresses and account names
• Geographical Indications
• Information pertaining to a professional or job situation
• Information about commercial transactions, such as records of personal property, products or services acquired and contemplated, or other purchasing or consuming histories or habits
• A consumer's browsing history and search history, in addition to information on the consumer's interaction with an Internet website, application, or ad
• Inferences taken from any information found to develop a profile of a customer reflecting the preferences, traits, psychological patterns, predispositions, conduct, attitudes, intelligence, abilities, and aptitudes of the consumer

It is vital to remember that public information does not fall under the definition of "personal information" as defined by the CCPA. Due to the lack of a formal definition of what constitutes publicly available information, the interpretation is based on what financial institutions reasonably believe to be publicly available information ^[9].

CCPA Rights and Obligations

Consumers have certain rights under the California Consumer Privacy Act, which businesses are expected to protect to the greatest extent possible. These rights include the following: the right of access, the right to opt-out, the right to deletion, and the right to be free from retaliation or discrimination as a result of exercising one's rights under the California Consumer Privacy Act. Despite the fact that this regulation does not prevent personal information from being compromised in the event of a data breach, it does significantly elevate the relevance of data privacy for the consumer in general.

Compliance

The CCPA applies to businesses that meet any of the following conditions ^[10]:

• Have a gross annual revenue of over $25 million;
• Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
• Derive 50% or more of their annual revenue from selling California residents’ personal information.

The CCPA also only applies to for-profit organizations, so non-profit organizations and government agencies do not fall under the jurisdiction of this law.

Right of Access

The CCPA defines the consumers’ Right of Access as such: “A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.”^[11] Once a customer has requested information from a corporate entity, the business entity is subject to a number of legal requirements. As long as the request is determined to be verifiable, the business must respond to the request by producing the desired information within 45 days of receipt of the request. It is advised that businesses retain records of CCPA requests, as well as the business's responses to those requests, for a period of at least 24 months after the request was received ^[12].

When a consumer requests their personal information from a business entity, they can expect the disclosure of the following ^[13]:

• The types of personal information about a consumer that has been collected by the business
• The types of sources from which personal information is obtained 
• The business or commercial reason for which personal information is collected or sold
• The types of third parties with whom the organization shares personal information
• The exact pieces of personal information about that consumer that it has gathered

In order to increase accessibility for users seeking to exercise their “Right to Access”, businesses are required to make it easier for consumers to create requests. The business must give at least two designated means for customers to make requests for information, “including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address” according to the regulations ^[14].

Right to Opt-Out

Consumers have the "right to opt out" of the selling of their personal information under the terms of the CCPA. Consumers must be informed of this right under the new legislation, and if a consumer actively opts-out, the business will not be able to sell the consumer's information again until the consumer later provides the business with express authority^[15].

Businesses must provide explicit notice to their customers in order to make it obvious that they have the option to "opt-out." Businesses must also provide clear notice to their customers. Providing a link to their website's documentation of their privacy policies would be an example of this. Minors are not given the option to opt out of the sale of their information; instead, they are only offered the option to opt in to the sale of their information. As a result, businesses will have a harder time selling the personal information of younger consumers (ages 13-16) ^[16]. There is a process for businesses to follow in the event that a consumer requests for an opt-out. Consumers who contact businesses and request that their information not be sold for marketing purposes should be granted this request for a period of at least one year. Following the expiration of this term, the company may contact the customer to ask for consent to conduct the sale of their personal information once more. This contributes to the preservation of the transparency and integrity of both parties concerned ^[17].

Right to Deletion

Consumers have the right to request that businesses delete any personal information that has been collected on them through various means. This also obligates the company to instruct their service providers to remove any personal information about the customer as a result of this. There are cases where the business can deny the consumer’s request. The following are some of the most frequently cited reasons:

• “The business cannot verify your request”
• “To complete your transaction, provide a reasonably anticipated product or service, or for certain warranty and product recall purposes”
• “For certain business security practices”
• “For certain internal uses that are compatible with reasonable consumer expectations or the context in which the information was provided”
• “To comply with legal obligations, exercise legal claims or rights, or defend legal claims”
• “If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA”

Right to be Free from Retaliation or Discrimination

Enforcement

If a business is found to be in breach of the CCPA and does not correct the violation within 30 days, the business may be subject to civil penalties of up to $7,500 per infraction ^[18].

Stake Holders

Corporate Opinion

Consumer Opinion

Consumer Literacy

Similar Privacy Frameworks

References

1. ↑ Davis, Lauren. "The Impact of the California Consumer Privacy Act on Financial Institutions Across the Nation." North Carolina Banking Institute, vol. 24, Mar. 2020, pp. 499+. Gale Academic OneFile, link.gale.com/apps/doc/A619741660/AONE?u=umuser&sid=bookmark-AONE&xid=fd7dd585. Accessed 28 Jan. 2022.
2. ↑ Bukaty, Preston. The California Consumer Privacy Act (CCPA) : An Implementation Guide, IT Governance Ltd, 2019. ProQuest Ebook Central, https://ebookcentral-proquest-com.proxy.lib.umich.edu/lib/umichigan/detail.action?docID=5798680
3. ↑ Das, Ravi. “Cybersecurity Risk.” Assessing and Insuring Cybersecurity Risk, 2021, pp. 112–115., https://doi.org/10.1201/9781003023685-1.
4. ↑ Davis, Lauren. "The Impact of the California Consumer Privacy Act on Financial Institutions Across the Nation." North Carolina Banking Institute, vol. 24, Mar. 2020, pp. 499+. Gale Academic OneFile, link.gale.com/apps/doc/A619741660/AONE?u=umuser&sid=bookmark-AONE&xid=fd7dd585. Accessed 6 Feb. 2022.
5. ↑ Baik, Jeeyun (Sophia). “Data Privacy against Innovation or against Discrimination?: The Case of the California Consumer Privacy Act (CCPA).” Telematics and Informatics, vol. 52, 2020, p. 101431. Crossref, https://doi.org/10.1016/j.tele.2020.101431.
6. ↑ Baik, Jeeyun (Sophia). “Data Privacy against Innovation or against Discrimination?: The Case of the California Consumer Privacy Act (CCPA).” Telematics and Informatics, vol. 52, 2020, p. 101431. Crossref, https://doi.org/10.1016/j.tele.2020.101431
7. ↑ Bukaty, Preston. The California Consumer Privacy Act (CCPA) : An Implementation Guide, IT Governance Ltd, 2019. ProQuest Ebook Central, https://ebookcentral-proquest-com.proxy.lib.umich.edu/lib/umichigan/detail.action?docID=5798680.
8. ↑ Bukaty, Preston. The California Consumer Privacy Act (CCPA) : An Implementation Guide, IT Governance Ltd, 2019. ProQuest Ebook Central, https://ebookcentral-proquest-com.proxy.lib.umich.edu/lib/umichigan/detail.action?docID=5798680.
9. ↑ Davis, Lauren. "The Impact of the California Consumer Privacy Act on Financial Institutions Across the Nation." North Carolina Banking Institute, vol. 24, Mar. 2020, pp. 499+. Gale Academic OneFile, link.gale.com/apps/doc/A619741660/AONE?u=umuser&sid=bookmark-AONE&xid=fd7dd585. Accessed 6 Feb. 2022.
10. ↑ “California Consumer Privacy Act (CCPA).” State of California - Department of Justice - Office of the Attorney General, 27 Jan. 2022, https://oag.ca.gov/privacy/ccpa.
11. ↑ Bukaty, Preston. The California Consumer Privacy Act (CCPA) : An Implementation Guide, IT Governance Ltd, 2019. ProQuest Ebook Central, https://ebookcentral-proquest-com.proxy.lib.umich.edu/lib/umichigan/detail.action?docID=5798680.
12. ↑ Davis, Lauren. "The Impact of the California Consumer Privacy Act on Financial Institutions Across the Nation." North Carolina Banking Institute, vol. 24, Mar. 2020, pp. 499+. Gale Academic OneFile, link.gale.com/apps/doc/A619741660/AONE?u=umuser&sid=bookmark-AONE&xid=fd7dd585. Accessed 6 Feb. 2022.
13. ↑ Bukaty, Preston. The California Consumer Privacy Act (CCPA) : An Implementation Guide, IT Governance Ltd, 2019. ProQuest Ebook Central, https://ebookcentral-proquest-com.proxy.lib.umich.edu/lib/umichigan/detail.action?docID=5798680.
14. ↑ Bukaty, Preston. The California Consumer Privacy Act (CCPA) : An Implementation Guide, IT Governance Ltd, 2019. ProQuest Ebook Central, https://ebookcentral-proquest-com.proxy.lib.umich.edu/lib/umichigan/detail.action?docID=5798680.
15. ↑ Holmes, Eric N. California Dreamin’ of Privacy Regulation : The California Consumer Privacy Act and Congress. [Library of Congress public edition]., Congressional Research Service, 2018-
16. ↑ Davis, Lauren. "The Impact of the California Consumer Privacy Act on Financial Institutions Across the Nation." North Carolina Banking Institute, vol. 24, Mar. 2020, pp. 499+. Gale Academic OneFile, link.gale.com/apps/doc/A619741660/AONE?u=umuser&sid=bookmark-AONE&xid=fd7dd585. Accessed 6 Feb. 2022.
17. ↑ Bukaty, Preston. The California Consumer Privacy Act (CCPA) : An Implementation Guide, IT Governance Ltd, 2019. ProQuest Ebook Central, https://ebookcentral-proquest-com.proxy.lib.umich.edu/lib/umichigan/detail.action?docID=5798680.
18. ↑ Holmes, Eric N. California Dreamin’ of Privacy Regulation : The California Consumer Privacy Act and Congress. [Library of Congress public edition]., Congressional Research Service, 2018-.