The California Consumer Privacy Act (CCPA) went into effect January 1, 2020 granting California consumers new rights regarding the commercial use of their personal data. Specifically, the CCPA gives Californians the right to: request a copy of the personal data a company has collected about them, ask the company to delete their personal data, and prohibit the sale of their personal data to third parties. While the CCPA only covers California residents, companies such as Netflix and Microsoft are proactively allowing all Americans to assert the rights contained in the CCPA.
Naturally, the CCPA reminds people of the General Data Protection Regulation (GDPR), the European Union’s consumer privacy act which went into effect summer 2018. However, there are important differences between the two acts. First, the CCPA only covers companies that make at least $25 million per year in revenue or collect data on over 50,000 people, whereas GDPR does not have any minimum scale requirements. Second, CCPA’s primary focus is to give consumers access to their personal data whereas GDPR focuses on regulating businesses’ handling of consumer data. CCPA places the onus on the consumer to be diligent about where their personal data sits rather than holding businesses accountable for how they collect, manage, and share that consumer’s data. In practice, consumers must opt-out of personal data collection that businesses are already gathering under CCPA, but under GDPR, businesses must have opt-in from consumers prior to collecting any data and must have a commercial reason to collect it. While the CCPA certainly gives consumers greater transparency and control over their data, it does not necessarily require companies to take greater care when handling such information.
Despite regulations such as GDPR and CCPA laying the groundwork for stronger consumer privacy rights, critics such as Frederick Lee, CISO at Gusto, argue these regulations fall short of addressing the entitlement some businesses, especially within the technology sector, claim to have over consumers’ data. According to Lee, these regulations merely lead to businesses doing the bare minimum and resorting to a “check-the-box” approach to compliance rather than fundamentally shifting their data management processes to place the consumer’s best interest at the forefront. Lee urges fellow business executives to “build data policies with privacy in mind” and remember that “protecting consumer data is a moral obligation, not just a legal one.”
While a step in the right direction in terms of elevating the importance of privacy, it’s unclear how many California residents will take full advantage of their rights under CCPA or which businesses will actively prioritize the interests of their customers. With enforcement of the CCPA beginning in July 2020 we may have to wait until then to see just how much impact this new regulation will have going forward.
It remains to be seen how many consumers will take full advantage of their rights under the CCPA and actively engage in monitoring companies’ use of their personal data. Additionally, it’s unclear what enforcement will entail. Once enforcement of the CCPA begins in July we will see what the state attorney general’s office addresses and if ambiguities in the law become clearer.