"Know Your Rights" under the CCPA
I just got done listening to Spotify’s documentary on The Clash and in the documentary it played a clip of one of my favorite Clash tunes — “Know Your Rights” — so I figured I would kick off my review of the California Consumer Privacy Act (CCPA) by reviewing the individual rights that consumers have here in the Golden State vis a vis protection of their personal data. This will parallel a similar exercise I did with the EU’s General Data Protection Regulation (GDPR) where I revisited the individual rights that GDPR gives folks in the EU.
CCPA Background
But first, some CCPA background. In 2015 Alastair Mactaggart, a real estate developer and investor based in San Francisco, had a dinner conversation with a Google engineer, and the conversation turned to the personal data being collected by the Big Tech companies. Alastair was surprised to learn of the massive scale of the data being collected on individuals and the invasive scope of the “corporate surveillance” happening. He thought something should be done à la the EU’s GDPR, so he enlisted a friend, Rick Arney, and in November of 2015 the two of them formed the group Californians for Consumer Privacy. After two years of research and consultation with lawyers as well as privacy and technology experts, the group filed a proposed California ballot initiative in November of 2017.
From January through May 2018 they collected signatures to have the initiative show up on the November 2018 ballot. Approximately 300k signatures were required, and, in the end, they collected over 600k signatures (which is more registered voters than states such as Vermont and Wyoming have!) and the Secretary of State certified the initiative to appear on the November 2018 ballot.
When the initiative began collecting signatures, an opposition committee formed of some of the big names in Tech (e.g. Facebook, Google, AT&T, Amazon, Microsoft, Uber, etc.). But when Cambridge Analytica (CA) came to full light in March 2018, the Tech opposition was put on the defensive, and the whole Facebook/CA scandal dramatically raised awareness of the need for such a bill.
California has a law that a ballot initiator can agree to take their initiative off the ballot within 30 days of the initiative being certified by the Secretary of State. Members of the legislature were interested in passing privacy legislation, so starting in May through June 2020 Alastair et al. negotiated with the California legislature, and within hours of the 30-day window closing, a deal was struck and Assembly Bill (AB) 375 passed unanimously in both houses and was signed by Governor Brown in June of 2018. Since then a few amendment bills have passed, but the CCPA has not been watered down, and it went into effect on January 1, 2020. Here is a link to the legislation as it currently stands.
Key High-level Benefits of the CCPA
The CCPA represents the most significant privacy legislation passed in the United States since HIPAA and GLBA in the 1990s. Given that California is 1/8th the population of the United States and the 5th largest economy in the world (assuming it was an independent nation-state), the thought process is that the CCPA effectively sets the floor for privacy protection in the US, as many businesses will probably not want to maintain two websites or policies — one for California and one for the rest of the US. Combined with the need to support GDPR’s even stricter privacy protection requirements, the two together have pushed privacy to the forefront.
Californians for Consumer Privacy position the CCPA as delivering three main benefits:
1. Transparency — it gives consumers “the right to know” what personal data businesses have about them.
2. Control — it gives consumers “the right to say no” by stopping the sale of their information and/or requesting that their data be deleted.
3. Accountability — it requires businesses to “keep my information safe.”
I am going to now focus in this blog post on #1 and #2 above as they relate to the individual privacy rights provided by the CCPA.
CCPA’s Key Individual Rights
To put the key individual rights that the CCPA grants us into perspective, let’s make sure we understand the scope of “Who is Regulated?” and “Who is Protected?”. I will get into the weeds on what constitutes personal information vis a vis the CCPA in a subsequent blog post, but suffice it to say for this post, just consider personal information to be the stuff you would expect it to be (social security number, passport and other government IDs, biometrics, etc.).
So “Who is Regulated?” A for-profit “Business” that meets any of the following thresholds: (a) gross revenue greater than $25 million; OR (b) buys/sells/shares personal information on over 50,000 consumers or devices; OR (c) derives 50% or more of its revenue from selling consumer personal information.
So “Who is Protected?” A “Consumer,” i.e. a natural person who is a California resident. See this for the legal definition of a California resident.
Below are the 7 rights that a Consumer has vis a vis a Business that collects their personal information. As a bonus, I added a “compare and contrast” to the GDPR for each right (taken from my GDPR Cheat Sheet).
#1 Right to be Informed
Per the CCPA, “a business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.” Cal. Civ. Code § 1798.100(b) [Note if you don’t know what that weird symbol means, see this blog post on the topic of “What’s the “Cal. Civ. Code” and this Weird § Symbol?” I will drop Cal. Civ. Code for the remainder of this post.]
Furthermore, businesses must also inform consumers what rights the consumer has vis a vis the personal data, e.g. consumers need to be told they also have the right to request deletion of their personal data. § 1798.105(b)
This is akin to GDPR’s Articles 13 and 14 that the business collecting data must “provide the data subject detailed information about its data collection and protection activities.”
#2 Right to Access
The CCPA stipulates that “A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.” § 1798.100(a) The business shall provide that information once it has verified the consumer’s request. § 1798.100(c) Furthermore, a business shall “promptly take steps to disclose and deliver, free of charge to the consumer, the personal information.” § 1798.100(d)
This is analogous to GDPR’s Article 15, which states that “data subjects have the right to obtain from the controller whether or not personal data about the subject is being processed, and if that is the case, be able to access that personal data.”
#3 Right to Erasure
The CCPA also lets consumers request businesses delete their personal information: “a consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.” § 1798.105(a) The business must also direct any service providers that the business utilizes to also delete the consumer’s personal information from their records. § 1798.105(c)
This right to deletion is akin to GDPR’s right to erasure found in Article 17.
Note the CCPA has a bunch of carve-outs here as they relate to deletion requests in § 1798.105(d), while the GDPR has 6 carve-outs. Here is a nifty table from a law firm’s whitepaper that shows the exceptions:
#4 Right to Data Portability
Once you request access to your personal data from a business, and that request is verified, the “information shall be in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit the information to another entity without hindrance.” § 1798.100(d)
This is analogous to GDPR Article 20 that gives the data subject the right to receive “the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.”
#5 Right to Opt-Out from Having Information Sold
As the CCPA states: “a consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out.” § 1798.120(a)
If you were to compare this right to the GDPR, this is not one of GDPR’s formally defined rights per se, but the GDPR does provide other rights that can net the same result, e.g. the right to object: “Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.” [Article 21] Furthermore, data subjects could revoke their consent as part of their right of erasure vis a vis direct marketing. [Article 17]
#6 Right for Minors: Opt-In to Having Information Sold
Per the CCPA, “a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information. … This right may be referred to as the “right to opt-in.” § 1798.120(c)
The GDPR Article 8 has something comparable: “Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.”
#7 Right to not be Discriminated Against
The CCPA states that if a consumer requests access or any of their individual rights, they can’t be discriminated against. Examples include (and directly quoted from § 1798.125(a)):
(A) Denying goods or services to the consumer.
(B) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
(C) Providing a different level or quality of goods or services to the consumer.
(D) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
This is not one of GDPR’s formally defined rights per se, but the GDPR implies that discrimination is not allowed, e.g. “The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to … rise to discrimination”. [GDPR Recital 75]
So that covers the Individual Rights found in the CCPA. Which rights does the GDPR have that the CCPA does not? I see four key ones (see the GDPR Cheat Sheet for definitions):
Right to Rectification
Right to Object to Processing
Right to Restrict Processing
Right to Reject Automated Decision Making and Profiling
Luckily CCPA “Version 2.0” — the California Privacy Rights Act (CPRA) — is coming to the California ballot in November 2020. If passed, it will add such rights, including the right to correct data, aka the “Right to Rectification,” so we may see the “rights” gap between the GDPR and the CCPA narrow. Note my look at the CPRA is a few blog posts away.
Next up, the CCPA Cheat Sheet!