What exactly is the CCPA?

If you want all of the specifics, you can check out the CCPA text. But if you’d rather avoid poring over detailed legislation, unpacking legal terminology, and making sense of the regulations for yourself, here’s a look at what the act covers.

What is the CCPA?

At its core, the CCPA is a privacy regulation. This is a key point to keep in mind, as regulatory issues often require technology changes. While this is the case for the CCPA — businesses will need to update their data handling practices and solve a variety of infrastructure issues to comply — the act primarily addresses consumer privacy and choice.

Because of this focus on privacy, you aren’t going to find much in the way of guidance on how to comply within the law itself. There aren’t rules about the type of infrastructure needed or similar guidelines that set a technical baseline. Instead, the law focuses on four rights for consumers in California. A CCPA Fact Sheet from the state’s government highlights these rights:

Right to know

The CCPA declares that consumers have the “right to know what personal information is collected, used, shared or sold.” The act mandates that businesses provide visibility into both the broad categories of information they gather (e.g., collecting web browsing data to recommend products) and the specific personal information they collect.

Right to delete

Under the new act, consumers have the right to delete their personal information held by businesses and service providers. This doesn’t mean consumers can access business systems; instead, they can request that a business delete their data, and the business must comply.

Right to opt out

If consumers don’t want their data to be sold, the CCPA gives them the right to opt out of that practice by asking a business to stop selling their personal information. What’s more, businesses must get opt-in consent for children 16 and under. A parent or guardian must give consent for those who are 13 or younger.

Right to nondiscrimination

The CCPA explicitly prohibits businesses from any form of discrimination relative to a consumer exercising their privacy rights.

These are the fundamental elements of the CCPA that you’ll need to think about. The implications are far-reaching.

What does the CCPA mean for businesses?

Some context is necessary before we go into more detail about why the CCPA exists and what it’s trying to achieve. Here’s what the CCPA means in a nutshell:

Qualifying businesses (we get into qualification details in this chapter) must inform consumers that they collect users’ personal information, educate those individuals about what the data is used for, give consumers the ability to opt out, and, upon request, delete information that the organization holds.

In theory, it’s simple. In practice, things are going to get complicated. In fact, the state’s CCPA Fact Sheet estimates that compliance costs will add up to between $467 million and $16.454 million from 2020 through 2030.

Because of the impending cost and complexity of CCPA compliance programs, it’s worth looking into why this kind of legislation is increasingly necessary in today’s digital economy.

The CCPA’s emergence

The CCPA’s origins in the GDPR

The CCPA’s origins, in many ways, go back to the GDPR standards in Europe. The GDPR is a set of privacy laws dictating how businesses handle the data of European Union residents. It covers everything from transparency in sharing information with third parties to putting adequate protections in place to keep the information secure.

But the content of the GDPR — regardless of how important it may be — isn’t the revolutionary part.

The law sets a precedent for consumer privacy, but the most transformative precedent may be that the GDPR doesn’t just apply to businesses operating in the EU. Instead, the law mandates that any business gathering any personal information about an EU resident must comply. This means that a major government entity is legally demanding groups outside its primary jurisdiction comply or face consequences.

This set off an immediate chain reaction in the privacy space. If businesses outside of the EU have to comply with GDPR, then why shouldn’t other privacy-concerned governments put similar laws into place?

The CCPA is, on some level, a reaction to this development. Of course, California isn’t establishing the new privacy law simply because GDPR shows that it’s possible. The state government has a reputation for being progressive on digital issues, perhaps in response to the state’s role as a leader in digital innovation.

The CCPA is emerging in part because there’s now precedent for this sort of act, but also because the scale of the digital data-sharing economy has become so large that some sort of reaction is widely deemed necessary to protect consumers.

Why the CCPA is necessary and what it aims to achieve

Sharing data has become a critical source of income for many businesses. From marketing teams that purchase data to target potential customers in more personalized ways to lenders gathering consumer data to better understand the risk of lending to an individual, the applications are nearly limitless.

This data-sharing economy is growing quickly, and it can leave consumers uncertain as to where their data goes when a business collects it.

For example, data-driven marketing is a common practice. It involves analyzing large quantities of consumer data to inform marketing decision-making. This can mean anything from identifying big-picture trends across demographic groups to providing highly personalized content to specific users when they visit a website.

A landmark 2015 study from Data Marketing & Analytics, an organization that studies the data-driven marketing sector and advocates for best practices, found that this segment was responsible for $202 billion in revenue in the U.S. economy. It’s also behind 996,000 jobs — with more than 128,478 of those positions located in California in 2014.

The data-sharing economy has only grown since then, and those figures point to just one segment where data sharing occurs. The practice is common in a wide array of sectors. With so much revenue on the table, it’s no wonder that businesses want access to this data. Consider what can happen to a single piece of consumer data:

  • You buy a new winter jacket online.
  • Your credit card provider gets details about that transaction, and so does the online store where you purchased it.
  • That store begins to advertise related items — gloves, hats, scarves, and the like — when you visit their site. It may even send you an email with promotional deals or recommendations based on your previous purchase.
  • Meanwhile, a data aggregator purchases that transaction data from your credit card provider and gathers key metadata — your age, gender, etc.
  • By purchasing data from other stores you interact with and analyzing other transactions, that aggregator creates a profile specific to you. They also use your data to analyze trends for people who are considered similar to you — perhaps they are the same gender, are approximately the same age, have a similar income, etc. — and they use that information to create demographic profiles.
  • The data aggregator performing this analysis creates databases that are person- and demographic-specific, and sells access to marketers, financial institutions, and even political parties.
  • Those groups use that information to influence your behaviors. For example, a political party may identify you as somebody who is likely to have flexible views on an issue and therefore point specific messaging in your direction to influence your vote.

Throughout this process, many parties are buying and selling your data. The practices themselves are not inherently predatory. They certainly can be, but many of these parties are simply vying for your attention, not necessarily trying to manipulate you.

Regulations like the CCPA are not meant as an indictment of data sharing between businesses. Instead, what the CCPA addresses is the fundamental problem that most of this activity happens without consumers’ knowledge.

The CCPA and similar regulations are considered necessary not so much to curb the data-sharing economy but to give consumers insight into the specifics of how their data is used and allow them to choose how they’ll participate in the practice. That choice is at the center of the CCPA.

How the CCPA came to be

The CCPA was initially signed in June 2018, marking the beginning of what is typically a long and complex process.

Major regulatory laws like this usually go through a few years of back and forth between legislative bodies and industry stakeholders. During this period of discussion, individuals in the affected sectors highlight potential problems presented by the legislation, while both the government and private sector analyze the implications of the law and make amendments based on what they learned.

Regulatory laws will usually go through a few versions as changes are made before the law actually goes into effect. Once the law is active, organizations impacted by the guidelines are typically given a period of time — often a year or multiple years, depending on the scale of change — to adjust to the new standards.

For example, HIPAA and HITECH — prominent healthcare industry regulations that protect patient information — went into effect gradually over many years, and the deadlines for meeting specific regulatory benchmarks occurred at different times.

The CCPA has been an exception to this relatively slow and measured process. There was a comparatively short period for discussion in late 2018 and much of 2019, but the state resisted efforts to ease the laws contained within the CCPA.

While many businesses were concerned about the costs and challenges of implementing the CCPA — and potentially worried about losing value from sharing data freely — the state held firm to the scope of the legislation. And it set January 1, 2020 as the go-live date for the law. Enforcement is expected to begin in July 2020.

This represents a rapid, highly accelerated move to not only get the law in place but to begin enforcing it. The rush is expected to lead to a great deal of disruption for companies scrambling to comply.

To further complicate matters, there’s plenty of uncertainty around how different parts of the law will be interpreted and applied. Some of these issues will be ironed out in the months leading up to the enforcement date, while others will be addressed in court cases involving compliance breaches.

The entire process surrounding the CCPA regulations has been unconventional, with a clear sense of urgency to get the rules into place to protect consumers. This means that businesses need to not only move quickly to start preparing for compliance but also continue paying attention to the headlines about the CCPA to stay up to date on changes.

The coming months won’t be easy as businesses and lawmakers work to adapt, but California believes that protecting consumers’ personal information is worth it. After completing a Standardized Regulatory Impact Assessment, the state estimated that the CCPA guidelines will end up safeguarding approximately $12 billion worth of personal data used for advertising.

The scale of the CCPA is huge, and its rapid adoption can put your business in a difficult place. If you’re not based in California, that doesn’t mean you can tune out. The regulations apply to qualifying businesses handling the data of consumers located in California.

They also set a precedent for U.S.-based privacy law that could end up being a model for other states and possibly the federal government. It’s important to watch the CCPA closely to determine if it applies to your business. With that context top of mind, let’s dive into some CCPA specifics.

AUTHOR
Jotform's Editorial Team is a group of dedicated professionals committed to providing valuable insights and practical tips to Jotform blog readers. Our team's expertise spans a wide range of topics, from industry-specific subjects like managing summer camps and educational institutions to essential skills in surveys, data collection methods, and document management. We also provide curated recommendations on the best software tools and resources to help streamline your workflow.
