California Consumer Privacy Act

A survey shows that most companies are not yet ready for the California Consumer Privacy Act (CCPA), and this includes companies that have undergone compliance processes for the EU General Data Protection Regulation (GDPR).

CCPA is not GDPR or a subset of GDPR. It’s a different law with different requirements, for which preparation will require time and attention.

More from Forbes.

Privacy law experts warn companies not to assume they can comply with the California Consumer Privacy Act (CCPA) because they are in compliance with the EU’s General Data Protection Regulation (GDPR).

“The fact is, CCPA is not GDPR, and it is different. There certainly are things that you probably built for GDPR that will be helpful, but CCPA deserves its own attention,” said J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP), at a privacy panel at RSA 2019.

Details from SC Magazine.

If it makes the individual go “huh, why did that (use of my information) happen?”, then you, the company that provides a service utilizing data, may have a data protection problem on your hands.

This was a key takeaway from the U.S. Senate Committee on the Judiciary hearing on “GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation”.

“Here is my basic concern”, said Sen. Josh Hawley, R-Mo, “Americans have not signed up for this, they think the products [they are being offered] are free; they’re not free. They think they can opt out; they can’t opt out. It’s kind of like that old Eagles’ song, ‘You can check out any time you like, but you can never leave.’ And that’s a problem for the American consumer; it’s a real problem.”

Details from the International Association of Privacy Professionals.

The Federal Trade Commission should be the primary enforcer of a federal privacy bill and would need a larger budget to do so. That is one point on which there seemed to be consensus at the Senate Committee on Commerce, Science, and Transportation hearing held on February 27, 2019 in connection with a U.S. federal privacy law.

Additional points discussed included:

  • The role of state AGs in enforcement
  • Whether the FTC should be able to fine for a first offense
  • Whether consumers should have the right to deletion and whether the collection of sensitive data should be an opt-in choice for consumers
  • Whether the U.S. should look to the EU and its passage of the General Data Protection Regulation as a model, or, perhaps, the California Consumer Privacy Act
  • How heavily consumer choice should factor into a federal law

Details from the International Association of Privacy Professionals.

To U.S. Federal Privacy Law or To Not U.S. Federal Privacy Law, that is the question.

At a House Committee on Energy and Commerce hearing February 26, industry professionals and advocates made their pitches for what should be contained within a federal privacy bill. The discussion revolved around how prescriptive a federal law should be and its potential impact on small businesses and vulnerable populations.

Two points discussed:

  • A law as prescriptive as the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) is expensive to comply with and may lead to a barrage of litigation. This may adversely affect small and medium businesses, which may end up closing shop.
  • Individuals should be given rights to access and correct the data companies collect and store about them online. Often, those impacted by misinformation (inaccuracies on credit scores, debts owed, criminal records, etc.) are minorities or low-income individuals who may be unable to fight for their rights.

Details from the International Association of Privacy Professionals.

Under a proposed amendment to the California Consumer Privacy Act (CCPA) filed Feb. 22, companies that amass user data could be the target of class-action litigation from state consumers if they’re accused of violating the CCPA.

This expands the existing private right of action under the CCPA, which currently applies only to data breaches. Other proposals include:

  • requiring data brokers to register with the Attorney General’s office
  • requiring companies to inform users if their data may be sold to third parties
  • requiring companies to disclose the monetary value of users’ data
  • allowing consumers and businesses to continue engaging in loyalty programs that otherwise may have been viewed as discriminatory under the CCPA

Details from Bloomberg.

Read the full text of the private right of action amendment.

What’s in store for CCPA?

Narrower definitions? Broader private right of action? Increased funding?

All were discussed at a hearing regarding the California Consumer Privacy Act (CCPA) held at the California State Assembly in Sacramento, CA.

Supervising Deputy Attorney General on Consumer Protection Stacey Schesser indicated that her office would seek to expand the private right of action provision within the CCPA. Schesser also indicated to the lawmakers that the Attorney General will be asking for increased funding to help the office enforce the CCPA.

At the hearing, representatives from the California Chamber of Commerce, California Retailers Association, American Civil Liberties Union and independent academics and researchers, among others, voiced concerns about the CCPA, including the broad definitions of the terms “personal information” and “consumer”.

Details from the International Association of Privacy Professionals.

Show me the money and I’ll show you my data.

“How much would you charge a marketer to use your personally identifiable information for general advertising purposes?”

About 60 percent of 2,000 U.S. adults polled in November 2018 were willing to share personal data for a price. A majority (57 percent) said it was worth a minimum of $10, while 43 percent valued it at less than $10 (28 percent) or would share it without compensation (15 percent).

The higher the income, the more likely they were to want more for their data.

This trend in how individuals regard their data may become even more interesting in the coming year as the California Consumer Privacy Act (CCPA), which will come into effect in 2020, allows companies to provide individuals with financial incentives for their information if certain conditions are met.

Details on the survey from MarTechToday.

Will the California Consumer Privacy Act serve as a blueprint for a federal privacy law or for a patchwork quilt of state privacy laws?

As states have been commencing legislative proceedings and as proposals for a federal privacy law are being formulated, the following seem to be principles that most agree should be included in a privacy law in the U.S.:

  • Banning some practices, including using data to discriminate against users.
  • Giving people the right to sue over misuse.
  • Giving people ownership rights in their data including the right to delete it, change it or take it back.
  • Requiring companies to be more transparent about how they use data and collect consumers’ consent, with some exceptions.

A point of contention is whether or not a federal U.S. privacy law should completely preempt (invalidate) state privacy laws (or whether they should continue to be binding if stricter than the federal law).

Details from the San Francisco Chronicle.

New Jersey follows in California’s footsteps with legislative initiatives on privacy.

The main proposed law (bill A-4902) will require commercial websites and online service operators to give customers:

  • a description of the personal information collected
  • a way to prevent the disclosure of personal information to third parties
  • a description of the information
  • an email address or phone number for requesting information
  • upon request from an individual, information on all disclosures of his data within the past year
  • a “Do Not Sell My Personal Information” link to a page that would allow customers to opt out of the disclosure of their personal data

Here’s what the chairman of the state’s Assembly Science, Innovation and Technology Committee has to say about the legislation:

“Should this happen at the federal level? Absolutely. We would want to see these protections at the federal level, but we are not seeing that … Until they do, New Jersey is going to do everything we can to protect New Jersey residents,” said Assemblyman Andrew Zwicker (D-Middlesex), who chairs the committee and is sponsoring four of the bills on the agenda. Additional bills cover GPS data, student data and cybersecurity.

Details from NJ Spotlight.