How the California Consumer Privacy Act of 2018 will change the privacy landscape

When the Cambridge Analytica Scandal broke in March 2018, the public was shocked to find out that the private data of more than 50 million Facebook users were collected without their knowledge or consent and used to target political advertisement during the Trump presidential campaign.

This led to the California ballot initiative on data privacy in May. Supporters filed more than 600,000 signatures in support of the initiative, but it was not the best way to address the complex subject of data privacy, as ballot initiatives are difficult to improve before the enactment, and even harder to amend afterwards. California legislators had no choice but to take over.

They enacted the Consumer Privacy Act (CCPA), which aims to protect technology users’ data by imposing rules concerning gathering, usage, and sharing of personal data over the internet. The law will take effect in January 2020. There are several points in the act that can still be improved in 18 months, but there’s no doubt that the act will revolutionize the privacy landscape. Here’s how.

Opt-in notification to collection

Online services use tracking tools to gather personal data from users when they visit websites. They monetize personal data and use them to sell targeted advertising. CCPA does not require opt-in or consent before collecting personal data yet, but it requires notice at or before the point of collection about the data to be collected, the categories of collected data, the purpose of the collection, and with whom the information will be shared.

Deletion of personal information

Users can demand a business to delete their collected personal information, but the act also provides a few exceptions. First, the business need not delete the information if it needs to exercise free speech, ensure the right of another consumer to exercise his or her right to free speech, or exercise another right provided for by law. Second, if they’ll use the information to enable solely internal uses that are reasonably aligned with the expectations of the consumer’s relationship with the business, they can keep the data.

Users also have the right to opt out of sales. To facilitate this, businesses will put up a “do not sell my personal information” link to their homepages.

Non-discrimination

Businesses cannot deny service, charge a higher price, or provide lower quality to customers in exchange for data privacy rights. However, businesses can offer incentives to a user to collect and sell their data, including payments.

Waivers

Because of large businesses’ bargaining powers, users may unwittingly waive their privacy rights, or find themselves stuck with mandatory arbitration of their privacy rights. This is why CCPA expressly voids contract provisions if a business uses them to waive or limit a user’s privacy rights and enforcement remedies under the act.

How can the act be improved?

• “Right to know” about data gathering and sharing
  CCPA should also allow users to have a right to know what personal information a business has about them, where that information was retrieved, and with whom the business shared the information. However, this right should not interfere with other rights, such as the right of free speech.
• Opt-in consent before data sharing
  Opt-in consent should also be required before a company shares personal data with a third party. This way, technology users have control over how and when their data may be transferred from one entity to another.
• Data portability
  Users should have a copy of the data they provided to an online service. If the data is provided electronically, it should be portable and in a readily usable format that allows a consumer to send the information to another party.
• Empower users to enforce the law
  The act must empower users to take violators to court, often called a “private cause of action.” In case government agencies fail to enforce privacy laws due to lack of resources, competing priorities, or regulatory capture, users should have the power to decide for themselves whether to enforce the law, or not.

If you want to learn more about the California Consumer Privacy Act and get tips on compliance, visit our website. Compliance regulation is a critical part of business in the global market. At OC-IT, we meet the strictest regulations with full confidence. Partner with us for in-depth consultation and services.