“As California goes, so goes the nation.” This time, California is the first to take a page from the European Union. On the heels of the sweeping EU General Data Protection Regulation (GDPR) that took effect on May 25, 2018, the state of California moved quickly, passing its version of a consumer privacy law a month later, on June 28. The California Consumer Privacy Act (CCPA) is now in the “public consultation” period; the new law will take effect on January 1, 2020.
The push for privacy is nothing new: privacy advocates, businesses and lawmakers in the U.S. have long been talking about protecting consumer privacy, but no formal legislation materialized prior to CCPA. California’s foray into privacy came as a result of two private citizens concerned about big businesses using consumers’ personal data for profit and about the potential for breaches of consumers’ private data to result in political or malicious exploitation. For two years, Alastair Mactaggart and Rick Arney worked through the arduous task of navigating the political system to put a privacy initiative on the November 2018 ballot. It turned out they didn’t have to wait that long. Propelled by GDPR, California lawmakers passed the privacy bill in June. You can read about California Consumer Privacy Org and the effort to put privacy on the ballot in this letter from Alastair Mactaggart, who now serves as board chair for Californians for Consumer Privacy.
CCPA has a number of similarities to GDPR. Malcolm Chisholm’s blog post on CCPA vs. GDPR describes the differences between the two laws. One noteworthy difference is that while the GDPR defines terms such as “Data Controller”, “Data Processor” and “Data Subject”, the CCPA only defines “businesses” and “consumers”. Businesses across the U.S. are already voicing concerns about the far-reaching consequences of CCPA. They are lobbying hard to make changes to the law, but at the same time they are strengthening their data privacy practices.
Here are some of the rights California consumers will have as a result of CCPA:
- Right to know all data collected by a business on you.
- Right to say NO to the sale of your information.
- Right to DELETE your data.
- Right to be informed of what categories of data will be collected about you prior to its collection, and to be informed of any changes to this collection.
- Mandated opt-in before sale of children’s information (under the age of 16).
- Right to know the categories of third parties with whom your data is shared.
- Right to know the categories of sources of information from whom your data was acquired.
- Right to know the business or commercial purpose of collecting your information.
- Enforcement by the Attorney General of the State of California.
- Private right of action when companies breach your data, to make sure these companies keep your information safe.
Unfortunately, if you don’t live in California, until your state passes similar legislation, you have no formal privacy protection. We’ve seen these issues around data breach notification laws. Where you live in the U.S., or where your data was housed at the time of a breach, impacts how and when you are alerted. It is my hope that the federal government takes a page from the EU and creates a single, uniform law for consumer privacy. It would help with privacy expectations and be cost-effective for businesses needing to conform to one law instead of 50.
Whoever said “consumer privacy is dead, get over it” was wrong.