On January 1, 2020, California will enact the toughest data protection laws ever, far outpacing Europe’s General Data Protection Act (GDPR). The law is called the California Consumer Privacy Act (CCPA); few of us are even aware of it, and we need to know. California often leads the nation in protective acts, and it is likely that other states will soon follow.
Are we protecting ourselves against ourselves?
The CCPA grants new rights regarding personal information for California residents. But more impactful – the law creates more and more duties for companies collecting data within the state (which is most everyone). And of course, the fines are astronomical. Are we going so far in this process of protecting our personal data that many of its beneficial uses will be crushed?
First, the limits upon companies
CCPA will be imposed upon for-profit companies doing business in California with gross revenues greater than $25 million (whew) that buy, sell, or receive any of the personal information for more than 50,000 consumers, households or DEVICES (emphasis mine) for commercial purposes.
Devices? You’ve got to be kidding.
Here’s something to think about just from my home: I have three Amazon Echo devices in various rooms, two Ring doorbells, “Hey, Google” on five devices, “OK Cortana” on three, three smart TVs, one smart 4K player, three desktops and two laptops, two smartphones, and WHO KNOWS how much more. Count two of us living in the household, and this law adds twenty-six (people and device) counts for our household. All collecting data when I type or speak (hopefully to, not just near, them). By comparison, GDPR just addresses data collection and leaks with no count of sources. Now back to our story…
What’s covered?
California is interested in protecting personal information that can be associated or linked with a particular person or household. (Think of the advertisements that follow you around various sites for days and weeks after you visit the first site and look for a product.) And, gee, if the information is already public (from legitimate data-gathering sources such as a census) then you and the companies are off the hook. But who relies upon up to ten-year-old census data which has no IP addresses or email addresses?
The good news
This new CCPA does not restrict a business’s ability to collect, use, retain, sell or disclose a consumer’s information that is “deidentified” or aggregated. Whew again. Most of us create our data stores to identify trends both geographic and product-based, stripping individual contact data from the mix. (But I know of at least one airline that can tell its marketing people the name, address, and more about every single ticket sold during the past ten years. Billions of records to track your travel preferences. But I digress.)
What does a business have to do (above GDPR notices?)
Now, businesses gathering data in California must inform consumers about what personal information is being collected and its intended use. Wow! Let’s hope this is not buried in one of those 2,000-word EULAs we all agree to by scrolling down to check the box. And businesses must offer an “opt out” option to all consumers. Here’s a question: How many consumers will confuse this with “unsubscribe” and decimate our good mailing lists?
How about youth under 18?
Of course, CCPA protects children under 18 by strictly prohibiting the sale of any information containing data from this group. So, do we have to ask on every form the age of the viewer? Umm. Yes. And consumers may request deletion of their stored information (subject to certain limitations.) Now, there’s an opportunity for a new industry of “data deleters.” If Facebook can hire 3,000 people just to check for false or fake postings, how many will they need to hire for responding to requests for deletion of data?
Penalties for data breach?
How about $2,500 for EACH violation (that means individual or device) if unintentional, or $7,500 if intentional? The grand “out” is that businesses have thirty days to cure the offensive act after receiving official notice. That sounds great if the cure is related to the process and not to any previously acquired data. If the latter, the cure will be almost impossible to address in such a short period, if ever.
What’s the conclusion?
Most of us know that we are giving away personal information in return for convenience, free access or free use. Our younger consumers especially know this and are comfortable with the trade, considering it fair. So, are we going too far with CCPA? Well, this is much more geographically restrictive for a few (but not for any businesses collecting customer data over the Internet). We’d all like not to receive so many unsolicited ads via email, placement on pages we visit and now even invading our texts. But we’d also like to keep our favorite sites free to use (including Google search and millions of apps among the many that will be impacted).
Very soon, you will need to make that decision again and again as you visit those sites and apps that you want and need. It’s like a pendulum: We once had free access without realizing the data dissemination quid pro quo. Now we’ll know and control more but pay the price if we opt out by receiving much less useful information in ads and perhaps considerably less free app and site access.
Which will you “vote” for when asked?
And here’s a final something to think about. The law now states that covered companies must have $25 million in revenues AND collect data from 50,000 or more sources. What if, in the future, California or some other state substitutes “OR” for “AND” so that small businesses collecting data from at least 50,000 sources (remember that I have 26 people and devices in my home) are covered too? Now, how much are you concerned by this issue?
The danger of collecting information is confirmed by the state’s concern about the security of user data. Some information about citizens, by which one can easily identify a person (name, address and year of birth), is already protected by the Law on Personal Data. Companies and organizations must obtain written consent from citizens for its processing. Big data is a more capacious concept that includes, in addition to personal data, anonymized information, in particular, IP addresses, cookies, geolocation, biometrics, consumer preferences (search history, information about orders in online stores).
Another great post, Dave! m
Everyone,
There is one more (a fourth) qualification I missed that is another (whew) relief for most of us: The company gathering the information must make more than half of its gross income from the sale of data. I found this in a Wikipedia page about the CCPA:
https://en.m.wikipedia.org/wiki/California_Consumer_Privacy_Act
Dave
Pretty scary. Thanks for keeping us up on everything! We are in the process of finalizing licensing parameters so perfect timing!
Thanks, Dave. I’ve been telling my clients about GDPR for the last year, and will now incorporate this as well. I’m going to look into how they handle two of GDPR’s toughest issues: anonymization, which they require to be good enough that identities cannot be reconstructed from anonymized data, which of course is tricky, and the “right to be forgotten”.
Dave — You have done a great public service by giving us this “heads up.” I only wish it were hypothetical rather than factual.