The Tech Break

A Primer on the California Consumer Privacy Act (CCPA)

Jul 14, 2020 / by Jeremy Rouse

CCPA has changed how companies across America do business, and this California-based piece of legislation has had far-reaching consequences for consumer privacy and data protection. So what exactly is CCPA, and what are the implications of this groundbreaking and disruptive piece of legislation?

What is CCPA?

The CCPA (California Consumer Privacy Act) began making waves even before it came into effect on January 1, 2020. Similar to GDPR, CCPA attempts to provide enhanced privacy rights and consumer protections to residents of California. Though this is a state-level law, its effects have rippled across the United States and impacted businesses, large and small, in a variety of ways.

What Exactly Does the CCPA Include?

CCPA is designed to give consumers new rights. 

  1. Businesses are now required to disclose any personal data about a consumer that has been collected, sold, or shared with third parties for business purposes. Businesses must also disclose which categories of personal data they collect and how that data is used.
  2. Businesses must now allow consumers to access their data.
  3. Upon request, businesses must now delete consumers' personal data. If that data has been shared with a third party, the original business is responsible for ensuring that data is deleted as well.
  4. Businesses must now provide a way for consumers to opt out of the sale of their personal data. This opt-out includes providing easy-to-use links posted on the business's website.
  5. Businesses may not discriminate against consumers who exercise their CCPA rights. Discrimination includes different pricing levels, product quality, and service levels.

Why Does CCPA Reach Beyond California?

California is a big state, and home to 40 million residents. If California were a country, it would represent the fifth largest economy in the world, with only the United States, China, Japan, and Germany beating it. As such, what happens in California affects the world.

How Has CCPA Changed How Companies Do Business?

Many large companies have already had to alter how they conduct business to ensure they are CCPA compliant. This new way of doing business not only helps safeguard private consumer data but also gives consumers more control over how their data is used. Several large companies also used CCPA as a way to reaffirm their commitment to user privacy and protections.

Microsoft

Microsoft announced that it would honor CCPA privacy rights for all users (not just those in California). They made a similar announcement in the wake of GDPR in 2018.

Facebook

Facebook also recently announced that they felt that they should be held to a higher standard when it comes to consumer privacy. In their press release, they expressed their support for CCPA and even went a step further to suggest that a federal law would be the most effective way to safeguard consumer rights in the United States.

Uber

Uber used its official statement on CCPA to reaffirm its long-standing policy of not selling user data to third parties. At the same time, they also acknowledged that the way they use consumer data to provide personalized ads could be considered a sale under CCPA. 

To help ensure compliance, Uber now allows users to easily opt out of Uber’s default stance of sharing private consumer data with their advertising partners.

Google

Google has recently taken steps to help ensure businesses that advertise using Google Ads are now CCPA compliant. In their statement, they also reiterated that they do not sell personal information, never use sensitive information to personalize ads, and provide users with the tools they need to gain transparency and control over their advertising experience.

What About Businesses that Rely on Ad Revenue?

The steps large businesses are taking in the wake of CCPA are admirable, and will hopefully give users more control over their private data and how it is used. However, advertising companies, in particular, are likely to be negatively affected by CCPA, particularly when it comes to targeted advertising.

Many businesses rely on ad revenue to help them pay their staff and produce high-quality content that users can access for free. While most of us can agree that bad or poorly targeted ads are a nuisance, many advertisers are concerned that opt-out legislation like CCPA and GDPR could have serious long-term consequences.

Which States are Following California’s Lead?

In the wake of CCPA, other states are following California’s lead and implementing consumer privacy acts of their own. 

Illinois

In January, Illinois introduced the Illinois Data Transparency and Privacy Act, which governs the use of personal information in a very similar way to CCPA. It also introduces a suite of consumer rights, including the right to know how data is being used, the right to opt out of personal data being used, the right to correct inaccurate personal information, and the right to have personal information deleted.

Maine

In July of 2019, Maine introduced CCPA-inspired legislation of its own, the Act to Protect the Privacy of Online Consumer Information. The act requires users to have explicitly opted in to having their data sold (CCPA only requires businesses to provide an opt-out function), but only applies to businesses that provide broadband internet services to residents of Maine.

Nevada

Nevada’s Senate Bill 220, which was introduced in October of last year, applies to any operator of online services (both in Nevada and outside of Nevada), but does not apply to offline activities. The definition of “selling” is also significantly narrower than the CCPA’s. This legislation also only applies to operators, a significantly smaller category than “businesses” as defined by CCPA.

New York

The New York SHIELD (Stop Hacks and Improve Electronic Data Security) Act amended New York’s data breach notification statute. It added new substantive data security requirements that apply to any person or business that owns or licenses computerized data (including the defined “private information”) of New York residents.

It can be challenging to determine which data counts as sensitive or private data, and being non-compliant can have serious consequences. As such, many businesses and municipalities are turning to the experts for help.

Is a Federal Version of CCPA on the Horizon?

Though Capitol Hill is currently focused on public health, CCPA and other state legislation is sure to drive data privacy talks in Washington. Though it is hard to predict if 2020 will bring with it a federal privacy bill, the reality is that CCPA is here to stay, and that other states and businesses aside from those mentioned above are sure to follow the example California has now set.

Topics: Business, Laws & Regulations

Written by Jeremy Rouse

In 2012, Jeremy Rouse joined Bird Rock Systems as a Security Architect and Virtual CISO. Jeremy has 20+ years working in IT and Security with Blue Chip and DOD industries. Jeremy has a passion for technology, innovation and helping customers develop and mature their cyber security programs. Jeremy is actively engaged in speaking engagements and security events. He is a member of multiple security organizations and holds the following certifications: CISM, CISSP, AWS CSA, MCSE, CCNA, ACE, VCP, ACMP.
