Sunday, October 25, 2020

The CCPA: Understanding California’s Solution to Online Consumer Rights

by guest writer Jack Filiba

Consumers often have their rights ignored by the online platforms they interact with. Businesses frequently sell their users’ personal data, exploit collected information, and/or inadequately safeguard sensitive user records. In order to introduce some semblance of user protection to an industry that escapes borders and is largely unavoidable in our everyday lives, governments around the world have begun introducing regulation designed to protect digital consumers.

Most organizations are more unprepared than ready...

For California, this regulation arrived in the form of the California Consumer Privacy Act (CCPA). Following prior discussions in the U.S. about enacting sweeping digital privacy regulation, California became the first state to do so when the CCPA was passed in 2018.

The Act officially came into effect at the beginning of 2020, bearing some resemblance to Internet regulation enacted in the European Union two years prior. For more information about the EU’s General Data Protection Regulation (GDPR), check out our previous article on the subject.

Continuing our series this National Cybersecurity Awareness Month (NCSAM), we’re exploring how the CCPA impacts users both in California and beyond.

Both the EU’s GDPR and California’s CCPA were birthed from similar motivations; they aim to ensure that consumers are afforded fundamental digital protections. Much in the same way that you are entitled to certain rights as a consumer when you interact with businesses in the real world, regulatory interventions such as the CCPA and GDPR are designed to establish rights for your online interactions as well.

pie chart: CA support of CCPA
Californian Support of the CCPA
pie chart: CA support of expanding CCPA
Californian Support of expanding the CCPA

Average CCPA Preparedness:

Survey by IAPP
2019 findings from Godwin Simon Strategic Research showed that Californians overwhelmingly support the CCPA. 88% of respondents were found to be in favor of the act, with just 5% in opposition and 7% marked "unsure." Further, 88% said they supported expanding the state's consumer privacy rights beyond what is currently established by the CCPA.

When it comes to businesses, however, many may not be as ready to adapt to a CCPA-compliant landscape as their users. According to survey results from the IAPP last year, businesses rated their “CCPA preparedness” at 4.75 on average on a zero-to-ten scale.
“Most organizations are more unprepared than ready to implement what has been heralded as the most comprehensive privacy law in the U.S. ever.”
International Association of Privacy Professionals (IAPP)
Even if we assume the average level of CCPA preparedness has increased since businesses were surveyed last year, we are still left with the reality that users need to take it upon themselves to understand their rights in order to benefit from them. After all, you can file consumer complaints against businesses which fail to comply and otherwise make conscientious choices by understanding what the CCPA actually affords you as a consumer.

Put into broad categories, applicable businesses have to grant users in California the following rights:

1. The right to know when businesses collect information about you

The CCPA states that businesses which collect personal information must inform you either at or prior to the collection of your data. They must also inform you how your data is being used and shared, as well as which categories of personal information will be used. Businesses are forbidden from collecting additional categories of personal information without first providing notice.

2. The right to know what information is being collected

This right grants you the ability to request that a business discloses the categories and specific items of personal information that it has collected about you.

3. The right to request the deletion of your personal information

The CCPA mandates that businesses which receive requests to delete your personal data must do so, as long as this information does not fall into one of the exception categories outlined in the CCPA Legislature.

4. The right to opt out

Perhaps one of the most visible rights granted by the CCPA is the one which allows users to request that businesses do not sell their personal information. Since January 1st of 2020, many websites based in both California and other jurisdictions have been equipped with a form or button which reads “Do Not Sell My Personal Information.”

This change is a direct result of the CCPA stating that you have the right to instruct businesses not to sell your personal information. Further, if a business knows that a user is under the age of 16 they cannot sell their information unless the user opts in.

5. The right to equal service and price when exercising your rights

The CCPA states that businesses cannot discriminate against you simply for exercising your rights. Businesses are also not permitted to make you waive your rights, and any such contracts are unenforceable.

You can find our privacy statements just above the post tags on every page.
If you are keeping track of both the CCPA and GDPR, it is important to note a few key differences between the two acts. While mandated by the GDPR, the CCPA does not currently state that users are allowed to rectify incorrect information stored about them. In addition, the CCPA only instructs businesses to inform you of the categories of third parties they share information with, rather than specific information about the entities themselves. However, California’s regulation does include some requirements that are absent from the GDPR. These CCPA-specific requirements include “Do Not Sell My Personal Information” buttons on applicable websites and the fact that users under the age of 16 must opt in before their data is sold.

Ultimately, while acts like the CCPA and the EU’s GDPR are restricted to their geographies in a technical sense, their impact is not. Increasingly, businesses around the world are finding it easier to comply rather than differentiate between users based on their local laws. Further, these acts are having a ripple effect among regulators around the world and igniting conversations about online consumer rights.

While the California Consumer Privacy Act is far from being a “silver bullet” that will magically make your personal information safe online, knowing about your rights arms you with the ability to recognize when businesses fail to uphold them. Further, understanding the protections entitled to you under the CCPA allows you to avoid or report businesses which are not compliant and enjoy a version of the Internet that is less insistent on ignoring your rights.

Jack Filiba is a journalist specializing in coverage of digital and financial technologies, as well as new and emerging media formats. Get in touch with him via JaFiliba[at] or follow him on Twitter.

Further Reading & Resources
Why Your Data Matters
Read the CCPA

Why We Need a Federal Data Privacy Law - and How CCPA Sets the Pace

A November 2020 Ballot Initiative Aims to Overhaul and Expand the CCPA
"If You Don't Care About Online Privacy, You Should Read This"

"Your Data Matters"

"We Need to Own Our Data as a Human Right—and Be Compensated for It"

"We Don’t Want to Sell Our Data, We Want Data Rights!"
More Privacy Resources
More from DreamClassier

Cybersecurity & Infrastructure Security Agency (US)
Yearly Password Reminder & Survey

A Correction from Last Year

Last Week, the GDPR