This blog is in two parts. In the first part, we will discuss what CCPA is and what it requires. The second part will discuss how to make the most of this opportunity. Basic compliance is everyone’s immediate first step, but don’t be satisfied to stop there. CCPA presents a wonderful opportunity to create great digital privacy experiences, and earn deeper trust that strengthens your customer’s emotional connection with your brand.
What is CCPA and why was it enacted?
Officially, CCPA is Title 1.81.5 of the California Civil Code, the California Consumer Privacy Act of 2018, beginning at Civil Code section 1798.100.
CCPA is California’s answer to the new European regulation known as GDPR. It aims to protect consumer digital privacy, in a balance with promoting competition and commerce. With a 1/1/2020 start date, CCPA compliance is becoming urgent.
Consumer digital privacy is now a hot-button issue. In the U.S. we have seen a series of high-profile data breaches and the well-publicised Facebook fiasco during and after the 2016 presidential election (featuring Cambridge Analytica and “election hacking” by the Russians). More recently, we have heard scary stories about the threat of geo-location data to privacy. Meanwhile the public complains about aggressively “creepy” interactions on websites, text messages and emails. This includes “retargeting” display ads on websites, those ads that “follow you around.” Consumers are not happy so more regulation is coming.
How is CCPA different from GDPR?
Many firms have just finished scrambling to comply with GDPR. CCPA is often compared to GDPR because the purposes are broadly the same, but CCPA and GDPR are different. The most fundamental difference is that under GDPR an organisation must have a legal justification for collecting personal information. This requirement is not a part of CCPA.
In my opinion, GDPR is evidence of the horror of a “surveillance state” in the EU and especially in Germany. It is easy to see the EU perspective: if you hate a surveillance state, where neighbour is forced to spy on neighbour, how could surveillance by corporations (especially U.S. corporations) be OK? Sure, Americans don’t like to be “spied on,” but we never lived through control of our communities by the Stasi.
Surveys say Americans tend to think about privacy in terms of specific bad outcomes. We worry about identity theft, fraud, divorce court, embarrassment, increases in our insurance rates, and finding it harder to get a job. We also object to unfair dealing. When we choose to buy from “Company A” and share information to make that purchase better, we think this is all between Company A, our bank, and ourselves… nobody else’s business! It feels unfair and greedy when – without disclosure, much less our permission – Company A sells our information. It feels even more unfair if the information is ultimately “used against us” in pricing or in some other annoying way.
GDPR covers almost all organisations, public or private, but CCPA covers mainly larger for-profit businesses and those in the data-brokerage industry. CCPA has quite a few exclusions. Most of these exclusions avoid conflicts with U.S. Federal laws, which already cover quite a few categories of information, including medical information, consumer credit reporting, banking activities and some insurance activities. CCPA also limits its geographic reach to avoid issues with other States’ laws. It covers consumers who are residents of California but exempts a California resident’s information if it is “all from and about” their activities outside of California.
Other exclusions cover data required for compliance with law and data needed to exercise or defend legal claims. De-identified or aggregated data is excluded. To reduce the burden of compliance, the law seems to exclude nearly all small businesses, as well as consumer use and use for non-commercial activity (the churches are safe!).
So, while CCPA has its roots in the right to privacy enshrined in the California state constitution, it is not written as a human-rights law (as is GDPR) but as a piece of commercial consumer-protection legislation. Essentially, it is a “fair dealing” law.
It is just in California, right?
CCPA is just for California residents, but that affects companies worldwide who do business with those consumers. California is over 12% of the U.S. population, so it is hard to ignore. California also sets many trends in the U.S., and almost a dozen states are actively considering their own, similar new laws. Partly because of this there is now work underway to enact a national privacy law. Partisan gridlock in Washington DC may prevent it, but the basic privacy concepts have widespread support. We may see a national data privacy law this year.
So NO, it isn’t just in California. Segmenting your customers to handle California residents differently is legally OK, but it will not be a winning strategy for long.
What does the law require?
CCPA regulates “Personal Information” (“PI”). For CCPA, “PI” is any information that is or that reasonably could be associated with an individual or a household. This is a broad definition and clearly includes information a company collects from consumers, information it produces relating to them, and any 3rd party information it might buy. (Do you have an inventory of all the PI your company manages?)
“Reasonably” means that properly de-identified or aggregated data is not “PI” unless it is re-identified. De-identifying data is a good practice, and under CCPA a company is not required to re-identify data in order to respond to a consumer’s request.
CCPA requires clear disclosure to consumers, at or before the time of collection, including:
- The categories of personal information collected
- The sources of that information
- The categories of 3rd parties to whom it may be sold (shared)
- Information about the consumer's rights, including:
  - The right to access the specific information held about them from the past 12 months, in a portable format
  - The right to opt out of data sales (for consumers under 16 this must be opt-in, and for those under 13 a parent or guardian must give the consent)
  - The right to request deletion of the information
  - The right not to be treated differently (e.g.: denied service or charged a different price) for exercising these rights
Controversially, the law calls for a “Do Not Sell My Personal Information” link to be prominently displayed on a company’s homepage.
Companies must inform consumers before collecting additional types of information and before implementing additional use cases. The law spells out requirements about how disclosure must be done (too detailed to repeat here). Likewise, it spells out requirements for fulfilling a consumer’s requests, such as “how quickly” (generally within 45 days of receiving a verifiable request). No doubt when the regulations are published, we will see even more details.
A third-party buying PI data must notify the consumer and give the consumer the opportunity to opt out before reselling the data.
Some of the exceptions are worth reviewing:
- “Single one-time transaction” data
- The case of a consumer’s requests becoming abusive (e.g.: too frequent)
- Limits to the “right to deletion,” which does not reach:
  - “Freedom of the press”
  - Data needed for security purposes
  - Data used for purely internal company purposes, but only when the use is aligned with consumer expectations and/or the context in which the consumer provided the information
Companies must follow risk-appropriate data security practices. Under CCPA, consumers can sue, individually or in a class action, over a breach of non-encrypted and non-redacted personal information that results from a failure to implement reasonable security. (California law already mandated notification of security breaches.) In these cases, statutory damages are $100 to $750 per consumer per incident, or actual damages (which require proof of specific harm), whichever is greater, and the consumer must give the company 30 days’ written notice and a chance to cure before seeking statutory damages. A consumer can also sue for injunctive relief (e.g.: a court order to delete the data) or for other relief.
The California Attorney General (“AG”) will enforce the CCPA. The AG must provide companies with a 30-day notice and cure period, but potentially massive civil penalties of $2.5k per violation (or $7.5k if intentional) are possible. Fines go to a special state fund to defray the costs of enforcement. Currently, consumers will be able to sue companies regarding data-security breaches, but not regarding any other provisions of the law. However, the AG has urged the California legislature to amend the law to enable private lawsuits to enforce all aspects of the law, to eliminate the 30-day notice before the AG can sue a company, and to drop the requirement that the AG provide advice to companies regarding the law. So the law may get tougher.
The CCPA preempts local California laws. It also excludes the possibility that a company might use an arbitration clause or other contract terms to blunt a consumer’s ability to exercise rights under this law.
The AG was required to hold hearings (now complete), issue regulations, and update various details of the law. In its regulations the AG is required to facilitate “consumers’ authorised agents” who would represent people in their privacy dealings with businesses.
Not enough detail? Read the statute here.
Here are some key dates, which make this law a moving target:
How is CCPA good for business?
Companies work for years to create great experiences for their customers. Naturally, these experiences must be legal, but winning and keeping the customer is your goal. Putting the law to one side, you should ask: what do people want, when it comes to data privacy?
As you comply with CCPA, you will be required to disclose all the personal data you collect, and the extent of this data may be a surprise to your customers. You will disclose previously hidden uses of the data, too. More surprise is likely. Reading these disclosures will force your customer to decide: “Do I like these uses of my data?”
CCPA gives winning companies the opportunity to implement better digital privacy experiences, without raising cynical questions. Because lots of companies will be complying with CCPA in 2019, customers won’t ask you why these changes are happening now. Instead, customers will ask, “Do I like your attitude?”
In the next part of this blog, we will discuss how to achieve a position of data privacy leadership. We will discuss the opportunities to exceed customer expectations about digital privacy and build stronger relationships with consumers based on trust and empowerment.