For the past two decades, concerns about online privacy have slowly gained traction. People want faster page loads, less website clutter, and most importantly, better protection of their data and respect for their privacy.
The emergence of content-filtering software like ad blockers spearheaded the trend towards growing awareness of privacy issues associated with the existence of data brokers and obscure tracking technologies, and while it still stands true that technology moves faster than the law, it looks like governments are finally catching up.
Back in May 2018, the European Union’s General Data Protection Regulation (aka GDPR) came into force and spelt the biggest change in EU data protection law in 25 years.
It’s not only the EU regulating and taking a tough stance on data protection and user privacy, however; the California government is also getting fully on board with the California Consumer-Privacy Act (full bill text here) and CONSENT Act.
Legal disclaimer: Clearcode is a software development company, not a law firm. The information provided in this document is designed to provide an overview of CCPA and should not be taken as legal advice. Please consult a professional lawyer to address the individual needs of your business.
What Is the California Consumer Privacy Act
Technological developments have long outpaced the introduction of new laws to protect consumers, but California has always led the charge in some way, such as the previous privacy act or the emissions act to curb climate change. On June 28, the California State Legislature passed a law known as the California Consumer Privacy Act, a regulation akin to the European GDPR, but more suited for the US legal system. Its summary can be found here.
— Ed Chau (@AsmEdChau) June 28, 2018
The California Consumer Privacy Act (CCPA) aims to provide Californian citizens and residents with more information about how companies collect their personal data.
What is CONSENT Act
When reading about CCPA, it is easy to come across a sibling regulation called CONSENT Act. This may be a bit confusing, so it’s worth to mention it here, too.
The CONSENT Act is a pending piece of federal legislation, a set of rules similar to the CCPA and GDPR that, if passed, would apply nationwide in the US and require companies to obtain consent from users to use, share, and sell their data. The deftly conceived acronym (always capitalized) stands for a rather-lengthy name, Customer Online Notification for Stopping Edge-provider Network Transgressions (full text here).
The CONSENT Act may become a federal privacy law that would either complement or, if amended, preempt the CCPA. It does not have a preemption provision in its currently proposed version.
California Consumer Privacy Act (CCPA) and CONSENT Act are both intended to pave the way for online privacy and spur a crackdown on privacy violations in the US. For the purpose of this post, however, we will focus on California Consumer Privacy Act exclusively.
How Does the California Consumer Privacy Act Work?
In a nutshell, CCPA will empower people to know the types of personal information businesses collect about them, and give them the right not to agree to the sale of their personal data to other parties. More specifically, CCPA introduces the following rights:
- Right to know all data collected by a business on you
- Right to say NO to the sale of your information
- Right to DELETE your data
- Right to be informed of what categories of data will be collected about you prior to its collection, and to be informed of any changes to this collection.
- Mandated opt-in before sale of children’s information (under the age of 16)
- Right to know the categories of third parties with whom your data is shared
- Right to know the categories of sources of information from whom your data was acquired
- Right to know the business or commercial purpose of collecting your information
- Enforcement by the Attorney General of the State of California
- Private right of action when companies breach your data
What are the Non-Compliance Fines?
Under the CCPA, fines are enforced by the California Attorney General and can reach up to $7,500 per every violation (in the case of intentional violations). Non-intentional violations remain subject to the $2,500 maximum fine.
Also, the CCPA allows affected consumers to take individual or class-action lawsuits against offending businesses, which should be a more serious financial concern for potential violators. Damages range between $100 and $750 – or more, if actual damages are proven.
CCPA vs GDPR: What Are the Similarities and Differences?
The net effect of the California Consumer Privacy Act is very similar to that of the GDPR. One was clearly influenced by the other, and they overlap in many areas. For instance, the CCPA, like the GDPR, covers the user’s right to be forgotten, the right to portability and the right of access to data, terms known well to anyone familiar with the GDPR.
There are differences, too. For example, the CCPA states that explicit damages, if proven, can be claimed by individuals in the event of a data breach. Also, while the GDPR requires every company processing customer data appoint a Data-Protection Officer, the CCPA does not.
So, let’s have a look at the most important similarities and differences:
What Effect Will the California Consumer Privacy Act Have on AdTech and MarTech?
California Consumer Privacy Act may have serious impact on the way AdTech and MarTech platforms collect, process and distribute data about online users.
Here are a some ways in which CCPA will change how AdTech and MarTech companies work:
More Moderate Use of Third-party Data
The CCPA gives consumers the right to know “the categories of sources from which the personal information is collected.” This requirement should make companies more selective about collecting third-party data, and not collect beyond what is really needed. Under the CCPA, businesses may be requested to justify the scope of their data collection and its sources.
Switch from Third-party to First-party Data
The shift towards transparency initiated by privacy-centered laws like the GDPR and CCPA encourages companies to become less reliant on third-party data and make do with first-party data instead – e.g. the data collected directly through online forms.
Less Excessive Collection of Data About the Users
Laws like the CCPA or GDPR consider the data controller as the principal party responsible for collecting and managing consent. This is also an increasing reliability, which pushes companies to limit the liability by collecting only data that is actually needed, rather than any data they are able to collect, necessary or not.
Implementation Consent Management Platforms
Both the CCPA and the GDPR stipulate that consumers, at any time, can exercise their right to be forgotten and request that any data your company has on them should be deleted. Every website must have a mechanism allowing, upon request, to access, amend or delete a consumer’s data.
Higher Transparency Standards
According to the CCPA, companies must keep a record of all data sales for a period of one year. Although all visitors (unlike in the case of the GDPR) are opted in by default, every website must display a clearly visible link with the call-to-action specifically saying “Do Not Sell My Personal Information,” allowing visitors to quickly opt out if they wish to.
The very fact of having to display such a button can potentially raise privacy and security concerns, and we believe the best way to remain transparent and avoid alienating visitors is to eliminate the need for such a button altogether by not selling customer information.
When Will California Consumer Privacy Act Be Introduced?
It seems the dark pre-privacy times are over. The glaring violations, including the recent scandal involving the social media mogul Facebook, have led us to a point of no return. However, the California law won’t come into effect until early 2020, which will give the tech industry some grace period to address its privacy issues.
The US congress has only introduced two other online privacy laws to date, one in 2011 and 2015, but they were never passed. This time it’s different – much thanks to the recent scandals with Huawei, Facebook and Cambridge Analytica making the headlines, and the introduction of the GDPR in Europe.
On the face of it, CCPA is just a minor regulation in the world scale. But let’s put it in perspective: California, with almost 40 million residents, makes up about 12% of population of the USA. This is more than the population of Canada – a number that has to be reckoned with.
In fact, California in terms of GDP would be the fifth largest economy in the world, and match the United Kingdom’s.
This is also why there is no way for big brands to ignore California’s consumer privacy act altogether. Yep, that’s another piece of regulation that throws a spanner in the big AdTech/MarTech machine. However, the good news is compliance with it should be relatively easy, especially for companies that are already in compliance with GDPR.