CCPA and the Ongoing Fight for Digital Privacy

Data surveillance feels omnipresent in our digital lives… Because it is.

Chances are, your smartphone location is being recorded in a spreadsheet somewhere. Facebook and Google track your activity all over the web. Data brokers collect and sell information about you and millions of others in a largely unregulated industry that most of us know very little about. 

In fact, data collection at the consumer level is so pervasive today that it’s even become a national security issue. Consider the ease with which New York Times journalists identified and tracked military officials with security clearances traveling home at night – simply by using a large location data set along with publicly available information. Pretty scary stuff.

(Interestingly, Scotland has identified that there is a critical shortage of trained cybersecurity pros in the country and is teaching former soldiers new skills to fill this need… which seems appropriate in light of the modern battlefield shifting to information warfare.)

So where do we go from here?

New Laws, New Privacy Rights

Given the difficulty of fully protecting our personal information and the sheer number of data breaches we hear about, it can be tempting to just give up on privacy entirely. But sacrificing our personal data for a more connected world isn’t a tradeoff we have to make. Nor should we. 

Fortunately, awareness is growing and activism has made strides already. The General Data Protection Regulation (GDPR) from 2018 opened the door to curtailing the worst data privacy abuses in the European Union. This year, the California Consumer Privacy Act (CCPA) went into effect on January 1st, bringing stringent privacy regulations to the most populous state in the U.S.

The CCPA will fundamentally change how businesses collect and manage user data. So what does that mean for your organization – and for you as a consumer? Here’s what you need to know.

What Does the CCPA Do and What Does It Cover?

The CCPA gives California residents the right to know what data is being collected about them, to learn which third parties it’s shared with, and to request the deletion of that data. You may have already seen a link that says “Do Not Sell My Personal Information” on some major websites. That’s the CCPA in action – consumers in California can now opt out of having their personal data sold at all.

The new regulations cover a wide variety of personal data, which is defined as anything that “is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

So this includes all of the following personal information:

  • Name, username, password, phone number, email or physical address, SSN, etc.;
  • Biometrics like DNA, fingerprints, and facial recognition data;
  • Race, sexual orientation, marital status, religion, etc.;
  • Professional, employment-related, and education information;
  • IP addresses, browsing history, geolocation data, and device identifiers;
  • Inferences drawn from the above to create a profile about a consumer’s preferences, characteristics, predispositions, behavior, attitudes, intelligence, and more.

However, companies can still learn certain information about you by looking at data found in public government documents. This publicly available information (such as property records and court filings) can still be aggregated and sold by data broker firms. That won’t change.

Anonymized user information is also exempt, which gives some leeway for businesses that deal with machine learning AI, for example.

Which Companies Are Affected By the CCPA?

Any company that serves California residents and has $25 million or more in annual revenue must comply with the new regulations. In addition, the CCPA covers companies that have personal data on at least 50,000 people or that make more than 50% of their revenues from selling personal data. 

The caveat? Even companies that aren’t based in California – or the United States – will have to comply with the new privacy guidelines when providing services there. 

With 40 million residents, California represents a huge share of the consumer market. No company is going to want to give that up (and further privacy legislation appears to be inevitable) so compliance is the way forward. 

What Are the Consequences for Non-Compliance?

California residents now have the right to request a copy of all the data that has been collected on them over the previous 12 months. Companies need to be ready to provide that information within 45 days of being asked, which can be a pretty tall order considering the complexity of modern file repository systems!

Violations of the law can draw fines of up to $7,500 per record if the issue isn’t resolved within 30 days of notification by a regulator. And if the problem persists, a class action lawsuit for damages can be brought forward as well.

But enforcement is a whole other story. The California attorney general’s office is in charge of investigating suspected violations and enforcing the law – however, it may only have the resources to pursue a handful of cases per year. Consumers will have to advocate for themselves.

So What’s the Bottom Line?

Even if enforcement and penalization end up being relatively rare, the CCPA has ushered in a time of reckoning for all American companies that deal with personal data. Other states are creating and implementing their own privacy statutes, and businesses will need to keep a close eye on developments in this sphere. 

For the most part, Americans welcome strong privacy protections. However, having lost the fight against state privacy laws, Big Tech is now lobbying for a federal law that would preempt tougher state regulations. A comparatively weaker national framework could potentially allow for business-as-usual to continue – which is what tech giants like Facebook and Google seem to want.

So it’s more important than ever to make your voice heard.

How to Fight For Your Privacy

First, take advantage of your options! Whenever possible, opt out of data collection and restrict the sale of your personal information. Tighten up your privacy settings on various platforms to let businesses know that privacy matters to you. Publicly tweet at companies whose privacy policies are lacking.

The more people who take action, the better. Eventually, companies may even have to reward people for the use and sale of their personal data – which is allowed under the CCPA. 

You can also contact your member of Congress to express your support for a strong consumer privacy law that doesn’t undermine individual state efforts. Consider sharing your concerns about corporate behavior that goes beyond selling data into more sinister territory like psychological manipulation (let’s not forget Cambridge Analytica…).

As California privacy activist Alastair Mactaggart puts it, consumers need “the right to know” and “the right to say no” when it comes to their own data. In this way, the CCPA sets a powerful example for developing strong privacy regulations in other areas of the United States and worldwide. 

Ultimately, we must exercise our rights in order to keep them. The battle isn’t over, but with continued vigilance, privacy just might be here to stay.
