California’s Privacy Act: What you need to know now

This week, California Attorney General Xavier Becerra, published draft guidance for enforcing the state’s landmark privacy legislation.

The draft text of the regulations under the California Consumer Privacy Act (CCPA) will undergo a public consultation period, including a number of public hearings, with submissions open until December 6 this year.

The CCPA itself will take effect in the state on January 1, with a further six months’ grace period before enforcement of the law begins.

“The proposed regulations are intended to operationalize the CCPA and provide practical guidance to consumers and businesses subject to the law,” writes the State of California’s Department of Justice in a press release announcing the draft text. “The regulations would address some of the open issues raised by the CCPA and would be subject to enforcement by the Department of Justice with remedies provided under the law.”

Translation: Here’s the extra detail we think is needed to make the law work.

The CCPA was signed into law in June 2018 — enshrining protections for a subset of US citizens against their data being collected and sold without their knowledge.

The law requires businesses over a certain user and/or revenue threshold to disclose what personal data they collect; the purposes they intend to use the data for; and any third parties it will be shared with; as well as requiring that they provide a discrimination-free opt-out to personal data being sold or shared.

Businesses must also comply with consumer requests for their data to be deleted.

For children under 16, the standard required is opt in consent to their data being collected. A parent or guardian must provide explicit consent for processing the data of children under 13.

(You can find the state’s CCPA factsheet here for a broader overview.)

The new draft regulations under the CCPA are intended to clarify what businesses need to do to comply with the law, as well as providing more detail for consumers on how to exercise their rights.

There are no major surprises contained in the draft proposal. But it sets out further clarifying details, including requirements around privacy polices; how to submit requests to know and delete data; and notices that applicable businesses must provide to consumers if they’re collecting data.

Per the regulation, these data collection notices must list: The categories of personal information about consumers to be collected — “written in a manner that provides consumers a meaningful understanding of the information being collected;” the business or commercial purpose(s) for which each category of data will be used; and if the business sells personal information, and is operating online, a link entitled “Do Not Sell My Personal Information” or “Do Not Sell My Info,” as well as a link to the business’s privacy policy.

“The notice of right to opt-out shall be designed and presented to the consumer in a way that is easy to read and understandable to an average consumer,” it adds.

The draft text also details requirements around verifying the identity of a consumer asking for their data to be deleted; how to weigh verification requirements against the type of data being requested in order to reduce the risk of a fraudulent request being actioned; and what to do when a consumer’s identity cannot be adequately verified.

“A business shall implement reasonable security measures to detect fraudulent identity verification activity and prevent the unauthorized access to or deletion of a consumer’s personal information,” runs the text.

It specifies that businesses are not required to act on requests to know (or delete) personal data that’s been “de-identified” — further clarifying there’s no obligation to “re-identify individual data to verify a consumer request”.

Indeed, a request to delete data under CCPA can be performed by de-identifying that person’s data, per the regulation. Though there’s no further detail given here on acceptable methods of de-identification. (Meanwhile there’s a flourishing field of research in correctly re-identifying ‘anonymized’ data — so greater clarity may perhaps be warranted there.)

The CCPA allows for businesses to offer a financial incentive or service difference to consumers in exchange for keeping or selling their data. Though, if they do so, they must provide adequate notice to the consumer.

On this, the draft text says the notice must include “a good-faith estimate” of the value of their data that forms the basis for the offer, as well as detailing the method used to calculate the data value.

Examples of “reasonable and good-faith” methods for calculating the value of personal data set out in the regulation include revenue, profits and/or expenses generated by the business from the sale, collection or retention of the personal data.

This suggests there could be some interesting data value claim disclosures looming next year — if, for example, certain adtech giants decide they need to offer some kind of carrot to Californians not to opt out of the ‘sharing’ of their data.

A section in the draft on discrimination provides a couple of illustrative examples to explain how a financial incentive can be offered under CCPA in exchange for data without being discriminatory (and therefore prohibited) — with the balancing act here being that a price offer or service difference must be “reasonably related to the value of the consumer’s data.” (Albeit, it’s hardly an exact science to put a value on a particular service feature, so there could be a fair amount of wiggle room for businesses.)

The first example cited is a music streaming business that offers a free service and a premium service priced at $5 per month. “If only the consumers who pay for the music streaming service are allowed to opt-out of the sale of their personal information, then the practice is discriminatory, unless the $5 per month payment is reasonably related to the value of the consumer’s data to the business,” it notes.

A second example given is a retail store that offers discounted prices to consumers who sign up to be on its mailing list. The discrimination test here requires that the discounts for the consumer continue even if they make a subsequent request to know their data, request to delete it, and/or request to opt-out of it being sold.

Other details worth flagging include that businesses that collect data from consumers online must treat privacy settings in a browser or browser plug which signal a wish to opt-out of data being sold as a valid request under CCPA. So not quite ‘Do Not Track’ revived — but a call to arms for developers to offer ‘Do Not Sell’ browser plug-ins to help smooth the browsing experience of Californians wanting to opt out of their data being sold wherever they go online.

The regulation also makes provision for a button or logo to be displayed to allow consumers to express their wish to opt-out. Though a graphical representation of this has, sadly, not yet been published.

Howsoever it ends up looking, this button/logo may act as a shortcut and/or visual flag but cannot replace the fuller notice about data collected and purposes the law requires consumers to be provided with — at, or before, the point of collection.

Zooming out, the tech giant/adtech and telco lobbies continue to scream into the void where the federal privacy law they had hoped to scrambled into existence before CCPA came into force still isn’t — with the likes of the Internet Advertising Bureau responding to the draft regulation by citing initial compliance estimates for CCPA of up to $55BN.

So expect plenty more such heavy weather in the coming months. It is, as they say, always darkest before the dawn. (Meanwhile Europeans have enjoyed rights over their personal data since, er, 1995… )

The costs of compliance attached to the EU’s most recent privacy law update — the General Data Protection Regulation (GDPR), which came into force in May 2018 — have been absorbed without, seemingly, transforming the bloc into a digital business wilderness.

Nor has GDPR sunk the local adtech industry. Though some of its methods do now look to be operating on borrowed time. But that’s good news for consumers and startups alike, as it’s providing an incentive to spur consumer-centric innovation and pro-privacy business models that don’t rely on keeping people in the dark about exactly WTF is being done with their data.

That in turn is good for consumer trust. Which most people would agree is essential for digital business over the long run, given that more of everything we do is ending up as data uploaded to a cloud somewhere.

This explains why European legislators could all get behind GDPR. (Though frenzied industry lobbying in its wake has stalled efforts to update ePrivacy cookie rules.)

It’s worth noting there are some substantial differences between Europe’s comprehensive data protection framework and what’s incoming in California. Including who the rules apply to; how personal data is defined; and the spectrum of rights consumers are afforded.

Basically Europeans have a more expansive/finer-grained suite of rights — including a right of rectification of data held on them; the right to restrict or object to data processing, and to object to automated decision making. GDPR also has specific obligations around data breach notifications.

While California’s law has a narrower focus — likely as a consequence of the urgency with which it got drafted. (Ohhai Facebook! Hey there Cambridge Analytica!)

On the penalties front, as with GDPR, the CCPA includes a regime of government fines for violations. Though it uses a different formula — set at up to $7,500 per intentional violation and up to $2,000 for others.

The law also empowers consumers to file class action lawsuits seeking damages. And it’s a safe bet that financial penalties for CCPA breaches involving tens of thousands of consumers could easily scale to millions of dollars.

In GDPR’s case maximum fines can be calculated based on a percentage (up to 4%) of a company’s global annual turnover. Which means some tech giants could, in theory, be on the hook for billions if found to be flouting the rules. So far, though, there have been relatively few headline-grabbing GDPR fines.

Google got stung $57M in January in a complaint related to consent violations. The size of that fine was dwarfed by a $230M penalty slapped on British Airways this summer after a data breach affected 500,000 users.

At the same time, though, multiple large-scale GDPR investigations remain on EU watchdogs’ plates. Most notably Ireland’s Data Protection Commission (DPC), which is where many tech giants have their European headquarters — suggesting GDPR penalties we’ve seen so far are just the tip of the iceberg.

The DPC’s case backlog includes ongoing investigations into Apple, Facebook, Google, LinkedIn and Twitter, to name a few. Major decisions could be coming in a matter of months — as the watchdog recently suggested some judgements would be finalized this summer.

Certainly the next year looks to be make or break for GDPR enforcement. And it’s not just fines; the framework also empowers regulators to order changes to how data is processed. For data-gobbling giants that’s a far more scary prospect.

While the enforcement of EU data protection law remains a work in progress, there are signs that privacy rules with real bite can positively reshape commercial activity by resetting businesses’ priorities in a way that prevents individual concerns from simply being overwritten in the rush for a self-serving notion of ‘progress’.

Such as, for example, in the area of AI assistant technology — where a number of tech giants recently suspended and/or amended human review programs of audio snippets which they’d quietly deployed to train AIs, after coming under critical media attention and regulatory scrutiny in Europe over their outsourced manhandling (and leaking) of sensitive audio recordings.

The presence of an enforceable framework around people’s data looks like a powerful regulatory tool in and of itself. A necessary check on technosocial data-mining platforms that can scale so big it’s no longer us shaping them but platforms deforming and manipulating us.

This is what makes California’s privacy law so exciting, given the state is home to so many of the Internet’s tech giants who are also dominating and crowding out competition. CCPA could help encourage a new generation of founders to innovate and get ahead by developing next-gen business models that don’t treat consumers as a commodity to be exploited for eyeballs and the last drop of data.

An enforced shift in perspective around the value of data could also help steer platforms and the entire industry in a more humanitarian direction by incentivizing companies to work for individuals and with civic society. To see citizens and hard won democratic structures as assets to serve, rather than resources to be mined, flattened and reduced to the sum of their transactions.

“GDPR gave us something to work with but we’re plowing new ground,” said Becerra this week. “We’re going where nobody in America has gone before.

“We are at a crossroads. Americans should not have to give up their privacy to thrive in this digital age.”

Come 2020, California turning for privacy could shift the Internet down a whole new path.