Making Heads or Tails of the California Consumer Privacy Act

Topics: Big Data, Corporate Legal, Cybersecurity & Data Privacy, Data Privacy, Data Security, Financial Crime, Fraud, Government, Process Management, Regulatory Intelligence, Risk Management, Thomson Reuters Regulatory Intelligence


Many believed and hoped the California Consumer Privacy Act (CCPA), which went into effect January 1, 2020, would be a saving grace piece of legislation that would finally bring law up to speed with technology.

Sadly, like most pioneers in their field, the CCPA contains drawbacks that hinder its impact in addressing growing privacy concerns. Above all, the CCPA lacks the mechanisms necessary to achieve its purported goals. This can be seen in its “opt-out” structure, its law-enforcement protocol, and the discrepancies between it and existing regional privacy laws such as the European Union’s General Data Protection Regulation (GDPR).

Let us begin with the CCPA itself. The CCPA gives California residents new rights to learn what data containing personal information about them has been collected, sold, and stored. It also gives consumers the right to request that this data not be sold and to ask that it be deleted. In sum, the CCPA gives consumers unprecedented new rights and is a huge leap forward in a U.S. legal landscape that has never comprehensively addressed individual data privacy.

Indeed, the power of the CCPA stands in its ability to force structural change within the operating methods of many companies. To get into compliance with the new law, companies must be more transparent and more cognizant of what data they are collecting from customers and where it is stored. These measures will lead to better privacy practices, eventually.

Opting In or Opting Out

While wielding the potential to ignite industry change, the CCPA could easily have taken a stronger stance by requiring explicit consent to opt in to unfettered data mining and monetization. Instead, the CCPA requires affirmative authorization only “in the case of customers who are less than 13 years in age” (Sec. 1798.120(C)(A)). Older customers must affirmatively opt out of the collection of their personal data. Among other things, the anonymous nature of the internet makes accurate age identification difficult, so setting age limitations at all may be arbitrary and possibly ineffective. Requiring “opt-in” should be extended to all California customers, regardless of age.

The second factor that prevents the CCPA from achieving its goals is the lack of strong law enforcement capabilities, given the law’s reliance on the California Attorney General’s Office (AGO) for enforcement. California Attorney General Xavier Becerra himself acknowledged the constraints of an AGO enforcement apparatus “given that we are an agency with limited resources.” Indeed, the AGO expects to prosecute approximately three cases of CCPA violations a year.

Enforcing the law and holding companies accountable is vital to the successful implementation of the CCPA. While the CCPA also grants consumers the right to privately sue companies if a security breach occurs, this unfairly places the burden and responsibility of pursuing litigation in the name of ethical data mining on an already overworked and tired population.

The newest round of regulations, released by the AGO in February 2020, further complicates what qualifies as personal information. For example, the AGO changed how an individual’s IP address is classified. Specifically, “If a business collects the IP addresses of visitors to its site… but doesn’t, and couldn’t reasonably, take the extra step of linking that IP address to any individual consumer or household, then the IP address isn’t ‘personal information’ under the law.” This added obstacle in determining how data is maintained allows companies to collect such data irresponsibly, because it is no longer legally classified as “personal data.”

Reconciling with the GDPR

The third hurdle to the CCPA’s success is its discrepancies with the EU’s GDPR. Large, multinational companies went through a time-intensive and costly process to get into GDPR compliance just two years ago. While the CCPA resembles the GDPR more than any prior privacy law enacted in the United States, it still bears significant differences. For example, the GDPR grants customers the right to correct any personal data that has been collected, while the CCPA does not.

The GDPR also allows residents access to all data processed, while the CCPA only covers data collected within the last 12 months. The CCPA explicitly requires the right to equal services and price, while this is only implicit in the GDPR. The discrepancies between these data privacy laws create buy-in hurdles for companies that have already spent time and money building systems to comply with the GDPR.

Even with these flaws, the passage of the California Consumer Privacy Act is a momentous first step, especially in the land of huge tech giants. But like many first editions, it has room for improvement. New regulations like the GDPR and the CCPA only mark the trend for privacy laws in the years to come.

The CCPA is laying the foundation for a new era of data privacy in America: an era in which the law is just beginning to catch up with technological advancements. That is precisely why it is so critical that the CCPA be able to achieve its purported mission and goals.