A few months have passed since the great GDPR panic of 2018. We've all had time to wrap up compliance*, catch our breath and look to the future. So what's next for personal privacy regulations for U.S. based entities?
It's the California Consumer Privacy Act (CCPA), which was signed into law on September 23, 2018. This time around we should all be able to avoid the hysteria we saw with GDPR.
Before I continue, please note that this article targets owners of mid to large, business-to-business (B2B) websites. Whether your organization is public or privately held is irrelevant, as is whether your organization is based in California.
I find most blog posts on this and similar topics to be highly suspect, so research for this article depends solely on the text of the law. Regardless of where you get your information, verify it with an attorney who specializes in the subject matter. If your company deals with personal information as part of its core business, this article is not for you.
* If you have not yet tackled GDPR compliance or don't know what GDPR is, check out my article on GDPR for U.S. Based Websites.
What is the California Consumer Privacy Act?
In 1972, California voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people. The amendment established a legal and enforceable right of privacy for every Californian. Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information – AB 375, Section 2(a)
To support this amendment, a number of California laws have already been passed: The Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act and Shine the Light.
The CCPA is a new law that builds on those to further protect residents' rights. It started as a proposed ballot initiative, but its supporters agreed to withdraw it under the condition that a new law could be passed before June 28, 2018.
That was the deadline to finalize what would be on the ballot. To meet this, an imperfect bill (Assembly Bill 375) was resurrected after it previously failed to gain traction. It was passed in a rush. The ballot initiative and AB 375 are both referred to as the California Consumer Privacy Act even though the ballot initiative and the resulting law proved to be very different.
California's Assembly members feared that if a law wasn't passed in time, and the initiative made it onto the ballot, voters would pass a law that would be difficult if not impossible for businesses to comply with.
Later in 2018, an amended version passed through the California State Senate (Senate Bill 1121). But the law is still not perfect and further amendments seem likely.
Before we get into the details of the law we should acknowledge that some parts may change. Perhaps the law itself may never be enforced.
There are currently initiatives in place to establish a federal data privacy law that would override any state data privacy laws. Federal legislators may feel that the California law either overreaches or doesn't go far enough, and then rush a federal law, a move that mirrors the action taken by the California State Assembly.
It is reasonable for state and federal legislators to be wary of voter-driven initiatives and a bevy of individual state laws. Businesses could be saddled with impractical technical directives or the overwhelming burden of complying with the laws of 50 different states.
As a web developer, I'm frightened by both of these scenarios. But as an individual consumer, I'm disappointed with the California law. It simply does not go far enough to protect personal, identifiable data.
Whatever happens, the next couple of years will be pretty chaotic, but this is where we stand right now...
Who is protected by the CCPA?
The CCPA applies to all persons living in California. The text of the law reads:
Consumer means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier. – AB 375, Section 3, 1798.140
A "natural person" can simply be thought of as an individual human being. A "legal person," by contrast, might just be a legal entity. The definition of resident is:
The term “resident,” as defined in the law, includes (1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose. All other individuals are nonresidents. – California Code of Regulations, Title 18, Section 17014
A clever technologist in your organization may suggest filtering users by state, giving those in California a different experience. But there are three flaws in this approach.
First, California residents are protected regardless of whether they are in the state at the time. Second, the tools we use to determine a user's location are imperfect. And third, maintaining a separate website experience just for users in California would be an additional,
Note that throughout the text of the law (including the title) the word "Consumers" is used to mean all natural persons who are residents of California. It's an odd choice because individuals are not required to purchase goods or services to be protected by the law.
What is protected?
The CCPA protects the personal information of California residents. Personal information is information that can be associated with an individual or household, directly or indirectly.
Be aware that it's entirely possible to collect data on an anonymous user, by cookie or IP address, for example, and then relate that data to an individual at a later date. This means the data "can be associated" with a person.
So if the CCPA applies to your business, you must disclose this collection to the individual when the data is gathered, even if the person has not yet been, or never will be, identified. Because it is possible to identify the person, you must comply. Personal information includes, but is not limited to:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(B) Any categories of personal information described in subdivision (e) of Section 1798.80.
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
– AB 375, Section 3, 1798.140
What organizations must comply?
If your organization does not do business in the State of California, you are in the clear. And someone who browses your website from within California does not signify an intent to do business in the state. But if your company does do business in California, you must ask yourself a few questions:
- Does your organization have annual gross revenues exceeding $25 million? (Note that the figure adjusts with the Consumer Price Index).
- Does your organization deal in the personal information of 50,000 or more consumers, households or devices each year?
- Does your organization get 50 percent or more of its annual revenues from selling consumers’ personal information?
If you can answer yes to any of these three questions, then your organization must comply. If your organization falls under all of these thresholds but is owned by a larger entity (with more than 50% control) that exceeds any one of them, then again, your organization must comply.
The Consumers' Rights
The rights granted to residents of California under this law bear many similarities to those granted to citizens of the EU under GDPR. Like GDPR, businesses must let users know when they are collecting data and what exactly they will do with it before the information is gathered:
A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used – AB 375, Section 3, 1798.100(b)
And they are entitled to request all their data that a business has collected:
A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected – AB 375, Section 3, 1798.100(a)
Building on this, consumers have the right to know the categories of sources from which the information was collected, the business purpose of the data collection and the categories of third parties with whom the information is shared.
Also, users have the right to request that their data be deleted from your records and from the records of all your service providers.
A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer – AB 375, Section 3, 1798.105(a)
If your core business is in dealing with consumers' personal data, there are additional rights you need to be aware of and prepared to respond to. But again, this article is not for you.
How to Comply with CCPA
First and foremost, you must notify users of all data collection in advance. Unlike GDPR, the CCPA does not require a positive consent mechanism. For example, when a user fills out a form, a simple statement that discloses what you'll do with the data will suffice. The user does not need to check a box explaining that he or she understands and consents to the collection.
You must provide users with at least two methods to request their data, or to have their data deleted. One of these methods must be a toll-free number; the other can simply be a website address.
All requests must be verified and responded to within 45 days. This time period can be extended by an additional 45 days as long as you let the consumer know within the first 45-day period. Your disclosure to the user must include the previous 12 months of data collection, so make sure you are able to store and retrieve the necessary data from July 1, 2019.
A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section – AB 375, Section 3, 1798.100(d)
You are not obliged to respond to any single user's requests for data more than once in any 12-month period.
As stated above, one of those methods must be a toll-free number. You also must disclose all the categories of information you have collected in the previous 12 months and keep that information updated at least once every 12 months.
At the same time, you have to ensure that all individuals who handle consumer inquiries about the business' privacy practices or compliance with this title are informed of all requirements. They also need to know how to direct consumers to exercise their rights under those sections.
You may see some people advising that you must have a link on your homepage titled "Do Not Sell My Personal Information," but that requirement is specific to businesses that sell consumers' personal information. As I mentioned earlier in this article, if you sell consumers' personal information, this article is not for you.
Finally, you cannot discriminate against users who have exercised their privacy rights granted by the CCPA. Discrimination includes denying goods or services, charging higher prices or providing a different level or quality of goods and services.
You may offer financial incentives for the collection of personal information. But be careful that these incentive programs are not coercive or usurious in nature.
Penalties for Non-Compliance
The penalties assessed by the California Attorney General are relatively small compared to those that come with GDPR infractions. Note that in the event of an alleged violation, you will be given 30 days to rectify the issue, and you will only be required to pay the penalty if you fail to do so.
If you are found in violation and do not fix the problem, you will face a civil fine of $2,500 for an unintentional violation and $7,500 for an intentional violation. These penalties are so mild that some companies will surely choose to ignore the law. But they do so at great peril.
The greater cost raised by being found in violation of the CCPA is the increased risk of exposure to class action lawsuits. Statutory damages are limited to $100 - $750 per consumer per incident or actual damages, whichever is greater. But since it is common to manage the data of thousands of individuals, the total damages across a class action can be substantial.
Perhaps the most worrisome thing about these new laws is the knowledge that there are more to come. Either we will start seeing more state laws designed to protect our data privacy, or a federal law will be passed that preempts or overrides the state laws.
It's impossible to know what these future laws might include, but we can make some educated guesses. And there are a couple of additional practices that will help ensure compliance across all states and the EU:
- Define a process to dispose of customer data after a set period of time
- Require a positive consent mechanism at all points of data collection
- Collect less data!
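To make the first of these practices concrete, and to tie it to the 45-day response window, the 12-month disclosure look-back and the once-per-12-months rule described above, here is a small model of a request-handling and retention routine. This is an added example, not code from the original article or from any real compliance product. The time limits come from the article; the record layout, the function names and the sample records are constructed assumptions.

```python
"""Constructed model of CCPA request handling and scheduled data disposal.

Added example, not code from the original article. The time limits
(45-day response, 45-day extension, 12-month look-back, one access request
per consumer per 12 months) come from the article; the record layout,
function names and sample data are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

RESPONSE_DAYS = 45           # initial response window
EXTENSION_DAYS = 45          # extension, only if the consumer is notified in time
LOOKBACK_DAYS = 365          # 12-month disclosure window
REQUEST_COOLDOWN_DAYS = 365  # one access request per consumer per 12 months


@dataclass
class Record:
    consumer_id: str   # constructed identifier (account id, cookie id, ...)
    category: str      # CCPA category letter, e.g. "A" identifiers, "F" network activity
    collected_on: date
    source: str        # category of source, e.g. "web form", "analytics cookie"


@dataclass
class Store:
    records: List[Record] = field(default_factory=list)
    # date of the last fulfilled access request, per consumer
    fulfilled_requests: Dict[str, date] = field(default_factory=dict)


def response_deadline(received: date, extension_notice_sent: Optional[date] = None) -> date:
    """Deadline for answering a verified request: 45 days from receipt, plus a
    further 45 days only if the extension notice went out inside the first window."""
    deadline = received + timedelta(days=RESPONSE_DAYS)
    if extension_notice_sent is not None and received <= extension_notice_sent <= deadline:
        deadline += timedelta(days=EXTENSION_DAYS)
    return deadline


def request_is_due_service(store: Store, consumer_id: str, today: date) -> bool:
    """The business need not answer the same consumer more than once in 12 months."""
    last = store.fulfilled_requests.get(consumer_id)
    return last is None or (today - last).days >= REQUEST_COOLDOWN_DAYS


def disclosure(store: Store, consumer_id: str, today: date) -> dict:
    """Categories, sources and specific records collected in the previous 12 months."""
    cutoff = today - timedelta(days=LOOKBACK_DAYS)
    recent = [r for r in store.records
              if r.consumer_id == consumer_id and cutoff <= r.collected_on <= today]
    return {
        "categories": sorted({r.category for r in recent}),
        "sources": sorted({r.source for r in recent}),
        "records": recent,
    }


def delete_consumer(store: Store, consumer_id: str) -> int:
    """Deletion request: drop every record tied to the consumer; returns the count removed.
    A real implementation would also forward the request to each service provider."""
    before = len(store.records)
    store.records = [r for r in store.records if r.consumer_id != consumer_id]
    return before - len(store.records)


def purge_expired(store: Store, retention_days: int, today: date) -> int:
    """Scheduled disposal: remove records older than the retention period."""
    cutoff = today - timedelta(days=retention_days)
    before = len(store.records)
    store.records = [r for r in store.records if r.collected_on >= cutoff]
    return before - len(store.records)


def sample_store() -> Store:
    """Constructed sample data for the example."""
    s = Store()
    s.records = [
        Record("c-1001", "A", date(2019, 8, 1), "web form"),
        Record("c-1001", "F", date(2019, 3, 15), "analytics cookie"),
        Record("c-1001", "G", date(2018, 9, 1), "ip geolocation"),  # older than 12 months
        Record("c-2002", "A", date(2019, 10, 2), "web form"),
    ]
    return s


if __name__ == "__main__":
    today = date(2020, 1, 15)
    store = sample_store()
    print(disclosure(store, "c-1001", today)["categories"])
    print(response_deadline(date(2020, 1, 1), extension_notice_sent=date(2020, 2, 1)))
    print(purge_expired(store, retention_days=365, today=today), "record(s) purged")
```

The retention sweep in `purge_expired` is the "dispose of customer data after a set period" process; running it on a schedule keeps the 12-month disclosure honest, because anything older than the retention period is gone rather than lingering in a forgotten table. The deadline helper only grants the extension when the notice date falls inside the first 45 days, which is the condition the article states.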
That last suggestion is easy to realize and it absolves you of a lot of responsibility. There are many things on most modern websites that record, track and harness user activity.
The vast majority of these things don't actually collect data for the website owner; they collect data for targeted advertising networks. "Free" services like analytics, font hosting, content delivery networks, sharing widgets and the like are anything but free.
You are paying for them with your users' privacy. Avoid using them on your website whenever possible, or configure them so that you are no longer disclosing your users' personal data.