What Washington D.C. is for the United States federal government, California is for the world's tech industry. The capital of Silicon Valley sits fortified on the southernmost shores of the San Francisco Bay, but its reach is planetary, and the extent of its vast powers has only recently been fathomed by governments and people.
California is the physical frontier of America, where the continent plunges into the Pacific. With the passing into law of the California Consumer Privacy Act (CCPA), it is now also the frontier of data privacy law in the US, beginning January 1, 2020.
In this article, we will try to grasp the substance of the CCPA, recognize its consequences for businesses and consumers, and envision its possible futures.
The CCPA, or California Consumer Privacy Act, is the data privacy law that takes effect in the state of California on January 1, 2020.
It is the strongest, most restrictive privacy law passed in the United States as of today, but its practical future is still somewhat uncertain.
The scope of its enforcement is for the Attorney General of California to specify no later than July 2020, and there is an ongoing tug of war in the California State Legislature between big business and privacy activists, pulling the California privacy law in both directions with proposed amendments to either narrow or expand it.
At Cybot, creators of Cookiebot, we are following the developments of the law, its implementation and its practical enforcement very closely, since it deals with our area of expertise: online privacy.
Once the CCPA takes effect on January 1, 2020, Cookiebot will enable compliance with it as well as the GDPR and ePrivacy Regulation.
However, the CCPA demands that businesses provide records of the personal information collected about a consumer in the 12 months preceding the consumer's request to gain access to this information.
This means that information collected today could be requested for disclosure by a consumer on January 1, 2020, and so a business should start preparing for the CCPA now.
Cookiebot is a tool that helps website owners comply with the current European law, the GDPR, and the coming ePrivacy Regulation, expected in 2019 or 2020. Even though the GDPR is rooted in the EU, it has worldwide effect, in the sense that any website, regardless of where in the world it is operated from, has to be GDPR compliant toward visitors from the European Union.
So, if you’re operating a website from California, you still have to be compliant with GDPR if you also have visitors from the EU.
As the CCPA is still being pulled back and forth between the tech industry and privacy advocates in the California State Legislature, this article does not give any definitive answers as to how the CCPA will be implemented, or how its enforcement will take shape in practice.
Instead, we paint as broad an overview as possible of this moment of tech reckoning in California, and the steps taken towards solving some of the big issues regarding privacy and democracy that have become evident over the last years.
Without further ado, let's dive into the California Consumer Privacy Act.
In 1972, California voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people.
Forty-six years later, the CCPA (California Consumer Privacy Act, Assembly Bill No. 375) was signed into California state law in June 2018.
It goes into effect on January 1, 2020.
Very much contrary to the top-down, centralized way that the European General Data Protection Regulation (GDPR) was passed into law, the California Consumer Privacy Act began as a bottom-up, grassroots initiative by unlikely privacy activists that included a millionaire real estate developer, a former CIA analyst, an industry executive and a Pulitzer Prize-winning journalist who worked on the Snowden leaks for the Washington Post.
The CCPA started as a citizen ballot initiative in San Francisco and Oakland.
“Californians for Consumer Privacy”, as the group called themselves, was led by San Francisco real estate developer Alastair Mactaggart, who drafted a ballot initiative on consumer privacy protection to fill the legal void.
“Tell me what you know about me. Stop selling it. Keep it safe”, as Alastair Mactaggart summarized the proposal. With the revelations of the Facebook/Cambridge Analytica scandal, the California ballot initiative suddenly got a strong wind in its back.
Californians for Consumer Privacy gathered more than 600,000 signatures in support of what would eventually become the CCPA.
A ballot initiative is a way for the Californian public to legislate bottom-up, by drafting a proposal for a law and securing enough signatures (eight percent of the people who voted in the last gubernatorial election) for the proposal to then become a part of the November general election ballot in that specific state. Voters then have to choose yes or no on the same day that they vote for president or congress.
In the case of the CCPA, Mactaggart spent $3 million of his own money to gather more than 600,000 signatures for the proposal (which was a stronger and tougher version than what would eventually become the CCPA), and thus secured a spot on the general election ballot to be held in November 2018.
With the threat of a strong privacy law passing with a majority of citizen votes in the November general election 2018, the tech industry started lobbying heavily against the ballot version of the CCPA.
One of the biggest fights between the ballot authors and the tech industry, specifically Facebook, was over the so-called private right of action.
It was originally a right that authorized consumers to sue businesses and companies for any violation of the law, not just a data breach. The tech industry was very pronounced in its opposition, fearing vast liability risks:
“We support more disclosure in principle, but the stakes are just much higher with the private right of action”, said Will Castleberry, Vice President for state and local policy at Facebook.
Google, Facebook, Verizon, Comcast and AT&T each contributed $200,000 to a committee opposing the proposed ballot measure. It was also estimated that they would spend around $100 million to campaign against the proposal come the November general election of 2018.
So, the initiative was watered down to include a private right of action only in the case of a data breach (unauthorized access, theft etc.).
The CCPA was then drafted by Mactaggart, co-written and sponsored by two Democratic lawmakers, raced through the State Legislature, passed unanimously and signed into law by the Governor of California on Thursday, June 28, 2018, all in less than one week.
Its co-author Assemblyman Ed Chau has called it “GDPR light”.
The CCPA grants the consumer “the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected” (1798.100.a).
Personal information is defined in the CCPA as “information that identifies, relates to, describes or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”.
A GDPRization of the world means that Californians now have their own privacy law.
A consumer has the right to access and obtain a copy of the personal information that has been collected on them by a business in the past 12 months.
The CCPA specifies that consumers have the right to request the disclosure of (1798.110/115):
A request for disclosure must be verifiable before the business is obliged to provide the information (1798.100.c). If it is verifiable, the business must promptly take steps to disclose and deliver the personal information to the consumer, free of charge (1798.100.d).
The business must make available two or more methods for submitting requests (1798.130.a.1), and must disclose the required information, free of charge, within 45 days of receiving the verifiable request (1798.130.a.2).
Remember: you also have to be GDPR compliant if you have visitors from the EU.
In the CCPA, "business" is an umbrella term that includes companies, corporations, associations, partnerships and any other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners.
However, to be regarded as a business under the CCPA, a company has to meet at least one of the three following attributes (1798.140.c):
This means that if you have a small business that makes under $25 million a year, or if less than half of your business income relies on selling personal information to third parties, or if your business does not sell the personal information of more than fifty thousand Californians, the CCPA does not apply to you.
However, if your business shares "common branding" with a company that meets one of the above-mentioned thresholds, your business will be subject to CCPA compliance.
The CCPA grants the consumer “the right to request that a business delete any personal information about the consumer which the business has collected from the consumer” (1798.105.a).
It specifies that “a business that collects personal information has to disclose the consumer’s rights to request the deletion of the consumer’s personal information” (1798.105.b).
The CCPA defines collection as anything that relates to obtaining access to personal information, actively or passively. In other words, both intentional and passive collection of personal information, such as IP addresses or other online identifiers, counts as collection.
Sale, or selling, is defined as any sharing, disclosure or sale of personal information to a third party in exchange for money or other value.
Deletion is pretty straightforward. It means permanent erasure of personal information as requested by the consumer.
A business has to make it clear to the consumers that they have the right to request their data to be deleted. It must describe this right and how to exercise it.
The CCPA gives the consumer the right to direct a business not to sell their personal information to third parties (1798.120). Once such a request is received, the business is prohibited from selling their personal information.
The right to opt out of the surveillance markets of ad tech companies is a right of the people, according to the California Consumer Privacy Act.
"Opt out" simply means that a consumer can choose to direct a business to stop the sale of their personal information to a third party. The only exception here is the sharing, disclosure or sale of personal information to certain federal services and California health services.
A business must provide a clear link on their website with the title “Do Not Sell My Personal Information” (1798.135.a.1). This link must not require the consumer to create an account in order to direct the business to not sell their data.
If the consumer is under the age of 16, the default is reversed: a business cannot sell their personal information unless first authorized by a parent or legal guardian.
The CCPA prohibits discrimination against consumers based on their choice to exercise their rights.
This means that if a consumer chooses to opt out of the selling of their data to third parties, or if they request their data deleted, a business is not allowed to then e.g. charge different prices for services, provide different levels or quality of services or deny the consumers services (1798.125.a).
However, the CCPA also authorizes businesses to offer financial incentives, e.g. different prices and quality of service, for the collection, sale or deletion of personal information (1798.125.a.1.b).
One of the main areas of ambiguity in the California Consumer Privacy Act has to do with the definition of data, specifically the two categories of "individual data" and "household data".
Critics have raised the concern that the CCPA is unclear as to whether the law's distinction between "individual data" and "household data" would potentially enable anyone in a so-called "household" to request and obtain another person's personal information.
What is “household data” and how is it different from “individual data”?
This might seem harmless on the surface. But the implications of this inconsistency could possibly mean that everyone from a college roommate to a divorced partner might suddenly be enabled to request personal information on the members of their registered “household”.
Both the tech industry and privacy activists have voiced concern and called on the State Legislature to revise this issue.
Another ambiguous area of the CCPA is what critics have referred to as the loopholes regarding the financial incentives that could potentially create a “pay for privacy” model in California.
The CCPA authorizes businesses to offer financial incentives to consumers as compensation for the collection, the sale, or the deletion of personal information.
This means that a business may offer a different price, rate, level, or quality of goods or services to the customer “if that price or difference is directly related to the value provided to the consumer by the consumer’s data”.
In principle, a financial incentive is designed to encourage certain behaviors or actions, in this case for the businesses to motivate California citizens towards letting their personal information be used.
But it could also mean that businesses offer tiered pricing to consumers based on whether they opt out or delete their data.
“This path towards a pay-for-privacy is a dangerous and slippery slope”, said Democratic Senator Hannah Beth Jackson of Santa Barbara about the CCPA when it passed last summer.
So how does the California Consumer Privacy Act fare against its European equivalent, the General Data Protection Regulation that came into effect in May 2018?
The General Data Protection Regulation (GDPR) is a European law that has global jurisdiction, in the sense that it protects the personal information and user data of all European citizens, regardless of where in the world the website or business handling the EU user data is located.
The crux of the GDPR is that websites and businesses must obtain clear and unambiguous consent from their users prior to any processing of personal data, after specifying all types of cookies and other tracking technology present and operating on their pages. It also requires that they safely and confidentially document each user consent.
European privacy law differs on a vital point from its Californian counterpart.
The scope of the GDPR is large: it covers data of all types (i.e. not only personal information), and how companies and organizations must ensure transparency and document user consent.
The clearest and most consequential distinction between the European and Californian laws is the matter of consent.
The GDPR grants the user the right of consent, meaning that their data cannot be used until the user gives their consent to do so.
This consent can be given in different ways, but the crux of it is that under the GDPR prior consent is demanded by law.
Now, in the CCPA nothing of the sort is stated. A business does not need prior consent to handle personal information, nor does a website need to obtain user consent to sell their data to third parties.
What the CCPA does is grant the consumer the right to request disclosure, deletion, or that a business stop selling their information. But this happens after the fact of both collection and sale.
Where the GDPR creates a door for the consumer to lock, the CCPA creates a window for the consumer to open in order to know what of their personal information might already be obtained by a business.
The GDPR is a means of prevention, whereas the CCPA is a means to transparency and then deletion (of data collected in the past 12 months).
Though it was passed last summer, the CCPA won’t take effect before January 1, 2020. The truth is that a lot can happen before then.
The following scenarios point to an array of possible futures for the CCPA.
As of May 2019, at least ten follow-on bills to the CCPA have been introduced by both Republican and Democratic lawmakers in the California State Legislature. Four of them would expand and strengthen the privacy act, five of them would narrow and weaken it.
A legal tug of war dominates the interim period before the CCPA takes effect on January 1, 2020.
These bills either seek to build on and expand the protection and user control of personal information in the CCPA, so as to accommodate the activist and consumer groups who say the law doesn't go far enough,
or they seek to further the interests or soothe the apprehensions of the tech industry by watering down or annulling some of the core data protection regulations of the CCPA.
An example of the industry-friendly and Big Business-backed legislation being worked on as of May 2019 is the anonymously titled Assembly Bill 1416, which would give businesses the option of being exempt from complying with the CCPA, as well as exempt from the data limitations that the law enforces.
An example of the opposite is a bill titled Privacy for All, which is currently supported by more than 30 privacy groups in the US.
This bill would change the opt-out nature of the CCPA to an opt-in scenario that mirrors the GDPR prior consent. It would bring the CCPA closer to the GDPR by prohibiting a business from sharing a consumer’s personal information “unless the consumer has affirmatively authorized the sharing.”
As of May 2019, however, neither bill has had a hearing yet; both are at an early stage and not at all guaranteed to become law.
Meanwhile, a lobbying effort by the tech industry is under way to influence the scope of the enforcement of the CCPA.
As the CCPA reads, it is the Attorney General of California who is responsible for the enforcement of the CCPA. The specific rules of the enforcement must be defined in writing by the Attorney General no later than July 2020.
How strong will CCPA enforcement be?
This means that potential lawsuits and fines over violations of the CCPA are for the Attorney General to enforce against businesses like Google, Facebook and the other tech giants, whose home base of Silicon Valley is nestled just south of San Francisco.
As of May 2019, tech industry lobbies are attempting to sway the Attorney General towards a narrow scope of enforcement. Their arguments for a reduced scope of enforcement are the stifling of competition and a further burden on companies already struggling to comply with the GDPR.
Meanwhile, a bill has been introduced to the State Legislature, co-sponsored by the Attorney General of California himself, which would bring back Mactaggart's original private right of action, i.e. it would allow consumers to sue any business that violated their rights under the CCPA.
“There is something unfair about giving California’s consumers new rights but denying them the ability to protect themselves if those rights are violated”, Attorney General Becerra said to the L.A. Times on April 19, 2019, in response to the efforts to broaden and enable consumer enforcement in the CCPA.
As of May 2019, none of these bills have passed into law.
Another uncertain element in the enforcement of the CCPA is the possibility that a federal law will be passed and enforced in all of the US. This could potentially override state-level regulations, such as the CCPA, and create a whole new landscape of higher legal authority.
Tech companies have been lobbying for more relaxed federal privacy laws
This could also lead to a weaker nationwide version of stronger state-level laws, like the CCPA.
This is in the interest of Silicon Valley, obviously, who actively lobbied against the CCPA.
The fear of privacy activists and consumer groups, as well as the authors and sponsors of the CCPA, is that a federal law can seem like a victory, in that it ensures uniform law in all of the US, while in fact being a loss on part of the consumers, because these uniform federal laws might settle on a weaker privacy level than the CCPA.
The hopes of privacy activists are also, paradoxically, that a federal law could do better than California’s.
Their hope is that California will be the lower bar upon which a federal privacy law might build, rather than undercut.
As California goes, so goes the nation, as the old American saying puts it.
Or as Alastair Mactaggart said, when visiting Washington to meet with key senators and Trump administration officials on the matter: “California leads, the others follow”.
The tech industry is often compared to the oil industry of a hundred years ago: unregulated, monopolistic and too powerful.
Data is the new oil, the fuel of the 21st century, they say.
California has always been the frontier of opportunity and business.
Once it was “gold”, then it was “oil”, now it is “data”.
This is an apt comparison in many ways, since both the gold rush and the oil boom of the last centuries began in Southern California. But it leaves out a very important distinction that is critical to keep in mind:
Where oil is an inanimate resource that powers machines, data is the mapping of human behavior that powers digital infrastructures of probability in order to predict, and make predictable, the experience of being a person.
It is this collection and monetization of our inner and outer lives that has made Silicon Valley a force parallel to nation states in power and wealth.
Where the unregulated oil industry made a few men very rich and as a consequence very powerful, the unregulated tech industry is making a few men very rich and very knowledgeable, and as a consequence immensely more powerful than the oil tycoons of the last century.
This knowledge is the collective behavioral patterns of societies and the private inner lives of billions of people.
The collection and monetization of said knowledge has ushered in the era of surveillance capitalism in which, according to Harvard Business School professor Shoshana Zuboff, “the economic imperatives compel the leading tech companies to enter a collision course with democracy.”
Google is free to use.
With the CCPA, Californian citizens are no longer free for Google to use.