Next up on the list of governments determined to demonstrate their efforts to enforce strict data protection rules is California. On 1 January 2020, the California Consumer Privacy Act (CCPA) will come into effect, and the new rules are setting the bar higher than anywhere else in the US for businesses that collect and share personal data.
Historically, the Golden State has been a data protection pioneer: in 1972, voters added privacy to the list of inalienable rights in the California Constitution, right next to enjoying life and liberty, possessing property, and pursuing safety and happiness.
The text in the new bill, however, acknowledges that California law has not kept pace with new technologies: "the proliferation of personal information has limited Californians' ability to properly protect and safeguard their privacy," it reads.
This is why the CCPA was proposed. But what are the new rules, who will they affect, and how can businesses make sure that they are compliant?
How did the CCPA come about?
The new rules were signed into law by the state's Governor Jerry Brown on 28 June 2018, after a somewhat unusual process. California citizens can effectively propose that new laws be voted on in future ballots if they secure enough signatures on a petition for the initiative – and in 2018, a petition urging the government to consider drafting a privacy act collected 629,000 signatures.
Once a citizen initiative is approved by voters, it becomes law, and the legislature generally cannot amend it on its own; changes require another vote of the people unless the initiative itself allows otherwise. To avoid a ballot leading to a privacy law that could never be refined and adapted, legislators hastily drafted the CCPA and passed it just before the deadline for the initiative's backers to withdraw it from the ballot.
This has led some to argue that the new rules were rushed. Lothar Determann, partner at law firm Baker & McKenzie, told ZDNet: "The law came out of just a few days of negotiations. It was not completely thought through, and I think it can come with unintended consequences."
The good news is that the CCPA is, by nature, not final – so watch this space for future developments.
What are the new Act's key principles?
The main purpose of the CCPA is to give Californians more control over their personal information, by granting them a number of fundamental rights: to know what personal information is being collected about them; to access this information; to know whether it is sold and to whom; to ask that their personal data be deleted; to opt out of its sale; and to receive equal service and price even after exercising that right to opt out.
That citizens should not suffer from higher prices or worse service as a result of their privacy choices is unique to the CCPA, and means that some companies may have to rethink their business models – for example, if they relied on data monetization to offer online services for free.
The new bill also provides extra protection for minors, by prohibiting businesses from selling the personal information of consumers under the age of 16 unless the sale is affirmatively authorized: by the minor themselves if they are between 13 and 16, or by a parent or guardian if they are under 13.
Which businesses are affected by CCPA?
Businesses should make sure they are CCPA-compliant if they meet two conditions. The first one is, understandably enough, that the company does business in California and collects, or determines how to process, the personal information of California residents.
If, in addition, the company's annual gross revenue exceeds $25 million; or it buys, receives, sells or shares the personal information of at least 50,000 consumers, households or devices every year; or it derives 50% or more of its annual revenue from selling consumers' personal information, then the company has to comply with the CCPA. Meeting any one of these three thresholds is enough.
The new bill has a broad definition of "selling personal information", which also includes disclosing or sharing data in return for "other valuable consideration", not only money. This means that some businesses which don't seek financial compensation for sharing personal data might find that they still fall under the CCPA's definition of "selling".
For example, explained Determann, an employer paying a service to manage payroll may not see the transaction as "selling" information; and yet it may well be under the CCPA's definition of the term. This in turn means that employees could, in theory, choose to opt-out of having their data "sold".
"The definition of selling in this law captures not just the transfer of information for money," he said, "but also information gained from exchanges – which happen all the time for business or government planning. It is a broad definition that we need to think about."
What is personal information under CCPA?
Essentially, anything that identifies, relates to, or is reasonably capable of being associated with a particular consumer or household. Think names, aliases, postal addresses, passport numbers or social security numbers, but also geolocation data, employment or education-related information, browsing history, and physical and behavioral characteristics, including inferences drawn from any of these to build a profile.
There are some exemptions: personal information does not include data that is lawfully made available from federal, state or local government records. In addition, the law doesn't apply to protected health information already covered by HIPAA or California's Confidentiality of Medical Information Act, or to financial information already regulated by the federal Gramm-Leach-Bliley Act.
The CCPA has a broader definition of personal information than other existing privacy laws. In Europe, for example, the GDPR protects data relating to an identifiable natural person; it does not extend to data that identifies only a household rather than an individual.
So what will businesses have to do to be CCPA-compliant?
There are a number of steps that businesses will have to take to make sure that customers can exercise their rights, and it starts with making sure that users have the means to request access to their personal information. The law requires at least two ways of doing so, including at a minimum a toll-free telephone number.
When users ask to see their personal data, they should be granted access within 45 days (extendable once by a further 45 days where reasonably necessary). And if customers request the deletion of their data, businesses have to comply. There are exceptions, however: for example, if the information is needed to complete a transaction the consumer requested, to detect security incidents or prosecute those responsible for illegal activity, to comply with a legal obligation, or if deleting the data would impede free speech.
The CCPA also states that businesses will have to warn customers that they are selling personal information – if they do – and provide a clear link on their website titled "Do Not Sell My Personal Information" to let users opt-out if they want.
Again, the rules seem tougher than the GDPR, which grants individuals the right to restrict or object to the processing of their personal data, as well as to erase it, but only in certain circumstances. The European law clearly indicates that these rights are, in fact, not "absolute".
How can businesses actually prepare?
Companies are expected to comply as soon as the law comes into effect on 1 January 2020, only a year and a half after the CCPA was passed. "A year and a half is not a lot of time as anyone who has been working on EU GDPR compliance knows well," said Determann.
The first thing companies will have to do, he explained, is to find out whether they are selling personal information, as defined by the CCPA, and determine if they can change their business model to avoid the exchange of information in return for "valuable consideration".
If not, businesses need to make sure that they have detailed inventories of the personal information they hold on California residents, so that access and deletion requests can actually be fulfilled. In addition to creating toll-free telephone lines and "Do Not Sell My Personal Information" links, companies should update their privacy policies with a description of Californians' new rights.
Last but not least, companies will have to ramp up their efforts to prevent data breaches through stronger security programs.
What happens if a business doesn't comply?
Violation of the CCPA can cost businesses civil penalties of up to $2,500 per violation, rising to $7,500 per intentional violation, enforced by the California Attorney General. Data breaches are also addressed by the law: where unencrypted, non-redacted personal information is stolen or exfiltrated because a business failed to maintain reasonable security, consumers can sue directly for statutory damages of $100 to $750 per consumer per incident, or for actual damages if greater.
The bill, therefore, is likely to push businesses to practise data minimization: collecting only the personal information they actually need, and deleting what they hold but no longer need, since data that has been deleted cannot be breached. Determann recommended that companies revisit their collection and retention strategies to decide whether they can delete more data.
What about other laws?
The CCPA is not the only privacy law out there, in California or in the US as a whole. Different states, for example, have different laws on notification of data breaches. Inevitably, there will be times when the new rules clash with the old.
Determann argued that it is necessary to harmonize the "dozens of existing privacy laws" that create "unnecessary complexities" in and outside of California, and the CCPA acknowledges the issue as well.
In the event of a conflict with another law, states the new bill, it is the one that grants "the greatest protection for the right of privacy for consumers" that shall control.
It is likely that, as the new rules come into effect in California, the question of whether a federal law on privacy is needed in the US will be revived. "I think that to have a national legislation on privacy is a hope that many have, whether they are against the CCPA or in favor," said Determann. "And in any case, the CCPA will strongly influence any future legislation."
Whether they were prompted by California's new privacy bill or not, other states in the US have been working on their own laws.
Last May, for instance, Nevada passed an amendment to its online privacy law, which requires businesses to let users opt out of the sale of their personal information, although, unlike the CCPA, Nevada's definition of "sale" is limited to exchanges for monetary consideration.
The CCPA, although it is now about to come into effect, might be subject to change in the future; and experts like Determann think that it should. He argued that the law needs to be better tailored to some businesses' needs – particularly those who rely on more, not less data, to deploy technologies such as artificial intelligence or autonomous cars.
His concerns were echoed by Eric Goldman, a law professor at Santa Clara University, who said that the CCPA has been drafted with a limited number of use cases in mind, but nevertheless "applies to thousands of other industry niches who didn't have a voice during the drafting process and now must comply with a law ill-tailored to their issues."
For Determann, it ultimately comes down to defining what is in the consumer's best interest. "We have embraced many innovative services, which would probably never have gained critical mass or developed if companies had to rely on consumer fees for the initial launch," he said.
"All of us in California and elsewhere should carefully consider… how much we value free services versus data regulation."