The California Consumer Privacy Act, or CCPA, went into effect on January 1, 2020. The law creates new consumer rights regarding access to, deletion of, and sharing of personal information that businesses collect. The law also requires the Attorney General to solicit broad public participation and adopt regulations to further the CCPA’s purposes. The regulations established procedures to facilitate consumers’ new rights under the law and to provide guidance for businesses on how to comply. It applies only to consumers in California; however, it is reasonable to expect other states to follow with similar laws in the near future.
Does it Apply to Your Business?
Your business is only subject to the CCPA if it is for-profit, does business in the state of California, collects consumers’ personal information or determines the purposes and means of processing their personal information. It doesn’t apply to small businesses.
The CCPA only applies to businesses that have annual gross revenue greater than 25 million dollars, businesses that buy or receive customer information for commercial purposes, or businesses that share or sell that information for commercial purposes. They must have information for 50,000 or more customers, devices, or households. It also applies to businesses that derive 50% or more of their annual revenue from selling consumers’ personal information.
The law does not apply to medical information collected by a covered entity governed by the Health Insurance Portability and Accountability Act (HIPAA) or the California Confidentiality of Medical Information Act. It does not apply to personal information collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act or the California Financial Privacy Information Act. It does not apply to the sale of personal information to or from a consumer reporting agency that is to be used in or to generate a consumer report.
Until January 1st, 2021, it does not apply to personal information collected from job applicants, owners, employees, directors, staff, officers, and contractors of a business. Until January 1st, 2021, it does not apply to personal information about an employee, owner, director, contractor, or officer collected pursuant to due diligence or business to business communication or transaction.
What is Required of Businesses?
Under the law, consumers have the right to know all of the data that is collected by a business, twice a year, free of charge. Consumers also have the right to say no to the sale of their information.
Consumers are also given the right to sue companies that collected their data where that data was stolen or disclosed in an unauthorized data breach, if the company was negligent or careless about how it protected the data. Consumers also have the right to delete data they have posted and the right not to be discriminated against if they tell a company not to sell their personal information. They also have the right to be informed of what categories of data are collected about them prior to its collection and at the point of collection, as well as to be informed of any changes to the collection.
The law also provides a mandated opt-in before the sale of any children’s information, applying to people under the age of 16. Consumers have the right to know the categories of third parties with whom their data is shared and the right to know the categories of sources of information from whom the data was acquired. They also have the right to know the business or commercial purpose of collecting their information.
This means that, as a business subject to the rules and regulations of this law, you must be able to tell your consumers what information you are collecting and why, and which third parties you may provide the information to and why.
You must also provide a way for consumers to see all of the data you’ve collected on them, as well as a way to decline the sale of their information and to delete any data you have collected.
Compliance Issues Thus Far
We’re not too far into 2020 yet, and we’re seeing that many publishers are making it hard to find their Do Not Sell links. Notices are often highly inconspicuous, which suggests large companies are testing their minimum compliance. Many publishers are attempting to call as little attention as possible to the data opt-out option for their consumers.
Major publishers such as the New York Times, Wall Street Journal, Hulu, and Pandora are listing the required link at the very bottom of their respective home pages in small font. You’ll find Netflix and Amazon hiding their opt-out language behind plain privacy links on their homepages. The links are also difficult to find on Facebook and Google. The point is that if you’re not actively looking for them, you likely will not find them.
The statute itself requires publishers to “Provide a clear and conspicuous link on the business’s home page titled ‘Do Not Sell My Personal Information’ which links to an internet web page that enables a consumer, or person authorized by the consumer, to opt-out of the sale of the consumer’s personal information.” The reality is that what most of these publishers are doing probably doesn’t qualify as “clear and conspicuous”.
The initial efforts to comply with the CCPA may uphold the letter of the law but not the spirit. Hiding the links at the bottom of the page won’t inspire consumer trust or bring more transparency. While the path forward is complex and murky, smart marketers are embracing privacy rather than fighting it.
I personally believe these bottom-of-the-homepage placements will not be deemed sufficiently conspicuous and publishers will be forced to make them more prominent and potentially simplify the entire process. Rather than hoping users won’t notice, publishers and technology providers should be educating them about the benefits of not opting out, in language that laymen can understand. Making it difficult for consumers to opt-out only furthers customer distrust.