Privacy and Private Data Protection in California
Our personal data plays an increasingly important role in our daily lives. The global society is moving towards the new era of communications, which could be described as “the Internet of smart transactions”. In the coming years, service providers will interact with our intelligent agents who will be able to utilize our private data to get the best value-offerings for us.
When it comes to the protection of privacy and private data, the State of California has been playing a leading role in the US. In 1972, Article 1 of the Constitution of California was amended to expressly protect the right to privacy:
All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.
Over the years, Californian courts have interpreted the right to privacy to apply not only to state actions but also to actions by private individuals and corporations. Over the past decades, California’s legislature adopted many privacy-protecting regulations. The most recent one is the California Consumer Privacy Act (“CCPA”). Stringent laws aim not only to safeguard the interests of consumers and the public, but they also nudge technology companies to innovate and look for new ways of approaching and handling private data.
CCPA is a landmark piece of legislation. This is the most comprehensive privacy and data security law in the US. It was enacted in June 2018 and was amended in September 2018. The CCPA will become effective on January 1, 2020.
What Data is Covered by CCPA?
CCPA contains a broad definition of personal information. CCPA applies to any data that are individually identifiable to a household. In principle, this means that under the Californian law personally identifiable information is any data that can be narrowed down to a household with the particular data set. This also means that the scope of personal information covered by CCPA is much broader than under the GDPR (which covers only the information that is individually identifiable to a person).
Rights Under the CCPA
CCPA has bestowed a number of rights on California residents.
First, California residents have the right to know what happens when companies collect individuals’ information. Individuals may make a request to disclose the purposes and categories of the collection of the data. Individuals can make a more invasive request to disclose the sources of the data from which the personal information is gathered, as well as the categories of third parties that the business is sharing the information with.
Second, California residents have the right to know about the sale of their personal information. CCPA defines the notion of “sale” broadly. “Sale” includes any exchange of personal information for valuable consideration. Accordingly, individuals have the right to know and request an explanation about what information about them was sold or shared for business purposes during the 12-month period prior to the request.
Third, California residents have the right to deletion. This means that an individual who is a resident in California can request the business to delete the personal information which that business is holding about the resident. Those deletion rights are subject to certain defenses which the business can raise.
Fourth, CCPA also entrenches the right to opt out from the sale of personal information for adults. Adults in California can opt out from the sale of their data for any reason; in addition, businesses will be prevented and prohibited from selling personal information on children aged 16 and under without having opt-in consent.
Finally, once the CCPA comes into effect, California residents will have the right to have access to data and have that data delivered in a portable fashion. Furthermore, businesses will not be allowed to discriminate against individuals for exercising any of those rights mentioned above.
What Businesses Will Be Affected by CCPA?
CCPA applies to any company that is doing business in and collecting personal information from California residents if one of the following three conditions applies:
- they are collecting personal information from 50,000 or more California residents; or
- they have revenue that is over $25 million; or
- they are selling the information from CA residents and they derive 50% or more of their revenue from the sale of CA resident data.
Additionally, the CCPA imposes three additional obligations upon businesses. Those obligations are independent of consumer rights mentioned above. Thus, regardless of the fact whether an individual files a request, the business has the following obligations.
First, businesses have to train all employees that collect personal information from California residents about their right to request information about their data and all other rights that are made available under the CCPA.
Second, businesses have to create at least two designated methods through which consumers can assert their rights under the CCPA. For instance, a business may set up an 800-number or provide an additional explanation on the company’s website with detailed explanations. The bottom line is that there should be a place where the customers can exercise their rights granted by the CCPA. It should be noted that the CA Attorney General will be promulgating regulations and guidelines about additional appropriate methods to inform consumers about the exercise of their rights.
Third, in order to avoid liability that may arise out of the activities of their vendors for the violation of the CCPA, businesses have to add specific terms in their agreements with third-party vendors in order to shift liability to the vendor for those violations that are committed by third-party vendors. For example, the agreement should stipulate that the vendor will not use or sell the data that they are otherwise collecting on the businesses’ behalf for any other purpose that is outside of the agreement that exists between the company and third-party vendor. There will also have to be a certification from the vendor where they commit to complying with the obligations that are established in the CCPA.
Path to the Future
CCPA is one of the most prominent milestones that illustrate the growing attention to privacy and private data management. Other US states have started adopting similar regulations. There is also growing support to encourage Congress to adopt a Federal Act that would set forth general principles of privacy and handling private data. Similar trends of paying more respect to the privacy and personal information can be noticed in other countries and continents as well.