If you checked your email inbox lately, you will realize that the long-awaited California Consumer Privacy Act (CCPA) is officially in effect. As a result, virtually every company with a national footprint must now comply with a long list of new requirements that fundamentally change the business-consumer relationship, as well as relationships with other entities with which those companies exchange information. Understandably, this new privacy regime triggered some consternation amongst stakeholders simply trying to decipher whether they fall under CCPA; the impact on various aspects of their work streams; and how they need to adjust their practices to avoid running afoul of the new law. That’s why, as ACT | The App Association did with GDPR, we’ve created this interactive CCPA resource that provides an overview of all things CCPA, including a rundown of what is necessary to comply with the new rules.
However, before heading over to our CCPA resource we thought it might be useful to provide some important context about how this landmark bill came to pass, key provisions within the bill, recent amendments, and more.
Strangely, CCPA’s journey from conception to California law begins with a wealthy real estate developer from San Francisco named Alastair Mactaggart. As the tale goes, Mactaggart became frightened about the future of consumer privacy at a cocktail party (of all places) when he chatted with a Google engineer who divulged some questionable consumer data practices at the heart of his employer’s business model. The conversation was disturbing enough that Mactaggart decided to launch a California ballot initiative to create a statewide law. The proposal would create a new slate of consumer rights that would enable California residents to take greater control of their data, thus mitigating the perceived abuses by Google and other large tech firms in the state.
Upon reading the initial draft, neither the privacy community nor the state legislature was pleased. Privacy advocates believed the initiative did not go far enough, and the state legislature had concerns about the initiative’s implementation and impact on some of California’s most powerful tech giants. Furthermore, both sides harbored process-oriented concerns given that Mactaggart himself and a former state legislator working in finance drafted the initiative – two men without tech backgrounds creating sweeping privacy legislation without any input from the state legislature and without the need for the governor’s sign-off.
Yet, aided in part by the public outrage following the Cambridge Analytica scandal, Mactaggart’s initiative quickly racked up the requisite 365,880 signatures to appear on the ballot. This meant that both lawmakers and the business community had to acknowledge the increasingly plausible prospect of Mactaggart’s initiative becoming law. Using this leverage, Mactaggart was able to secure a compromise from the Democratic-controlled state legislature: they would promise to pass a satisfactory version of his bill so long as he removed his initiative from the final ballot. Mactaggart would get what he ultimately wanted—the guarantee of an acceptable statewide privacy bill—while lawmakers and businesses would regain some level of influence over the law prior to passage. With both sides resigned to this arrangement, lawmakers scrambled to rework Mactaggart’s bill ahead of the impending ballot initiative deadline, while balancing the need to accommodate him (if he was summarily displeased, he could resubmit his ballot initiative or sink the bill by opposing it). Eventually settling on this compromise, the legislature rushed to revise the draft initiative. Ultimately, the final bill largely mirrored the original text and was signed into law on June 28, 2018.
CCPA’s most significant contribution is creating five new privacy rights for California consumers. Those rights are:
Under the bill, consumers now have the right to know the categories of personal information collected about them, the sources of that information, the business purposes for which that data was collected, and the categories of third parties with whom that information is shared. Some of these disclosures must be provided through notices provided to consumers via the business’s website, while other disclosures must be provided when a consumer submits a verifiable request to know about the status of their information.
CCPA complements the right to transparency with a new right to access. California-based consumers now have the right to submit a verifiable request compelling businesses that collect personal information to disclose: the categories of personal information collected, the categories of sources from which personal information is collected, the categories of third parties with which that information is shared, and the specific pieces of information the business possesses pertaining to the requesting individual. If the business sells personal information, consumers can submit a verifiable request to compel the business to disclose the categories of information sold.
Opt-Out of Sales
Barring a few exceptions, businesses that sell personal information to other businesses or share that information with third parties in exchange for “monetary or valuable consideration” must give consumers the opportunity to opt out of such exchanges. The ability to opt out must be displayed via a clear link on the business’s website homepage, labeled “DO NOT SELL MY PERSONAL INFORMATION.”
Businesses must secure “opt-in” permission to sell the personal information of consumers under the age of 16. If the consumer is under the age of 13, a parent or guardian must affirmatively authorize that opt-in consent on behalf of that child, while consumers between the ages of 13 and 16 may do so of their own accord.
Consumers have the right to request the deletion of their personal information that a business owns regarding them. With a verifiable request, consumers can compel businesses to delete personal information held about them, except in certain instances, including when the information is necessary to complete a business transaction, when the information is necessary to comply with a legal obligation, when the information is necessary to exercise free speech, or when the information enables internal business uses reasonably aligned with consumer expectations.
Consumers have the right not to be discriminated against for exercising their rights under CCPA. This right prohibits businesses from denying goods and services or providing different levels of quality of those goods and services to those who exercise their rights under CCPA. However, discrimination is not defined in a way that would prevent businesses from charging different prices or providing different qualities of goods and services if the difference is reasonably related to the value provided to the business by the consumer’s data.
Recent Amendments to the CCPA
Since the law’s passage, the California state legislature has passed several amendments, which Governor Gavin Newsom subsequently signed into law on October 13, 2019. Those most relevant to developers are noted below:
AB 25 – Job Applicant and Employee Exemption/Consumer Authentication
This amendment creates an exception that CCPA will not cover the collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, or contractors for one year after the law’s effective date.
This amendment also clarifies that a business may require authentication of a consumer that is reasonable in light of the nature of the information being requested. If a consumer has an account with the business, the business may require that the request for information be submitted through that consumer’s account.
AB 1355 – Business-to-Business and FCRA Exemptions
This amendment clarifies that business-to-business communications or transactions are exempt from notice, access, and deletion requirements in instances in which the consumer is an employee, owner, director, officer, or contractor of a government agency.
The amendment also clarifies that CCPA does not apply to information already covered by the Fair Credit Reporting Act (FCRA).
AB 1564 – Eliminates Toll-Free Number Requirement for Businesses that Operate Exclusively Online
This amendment clarifies that a business that (1) operates exclusively online and (2) has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address for submitting information requests, instead of an email address and toll-free telephone number.
AB 874 – “Personal Information” Definition Update
This amendment clarifies that “personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The new definition excludes publicly available information, as well as deidentified or aggregate consumer information.
Over at Innovators Network Foundation Privacy Fellow Eric Goldman’s blog, you can find a useful summary of all of the amendments passed and subsequently signed into law at the end of the 2019 legislative session.
Failed Amendments/Unresolved Issues
Several other amendments were proposed but not ultimately enacted, leaving certain areas ambiguous under the current law. Most notable among these, AB 846 would have explicitly carved out customer loyalty plans from CCPA’s non-discrimination provisions. The amendment would have also eliminated the prohibition on selling personal information collected as part of a loyalty program when consumers opted in to those transactions. Without these changes, businesses remain unsure if traditional customer loyalty programs can continue to exist without violating CCPA.
Definition of Sale
Currently, the CCPA defines “sale” as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.” Given this framework, another remaining area of ambiguity is how the term “valuable consideration” within the definition of “sale” will be interpreted by the courts, as it is not further defined in the law. A broad interpretation of valuable consideration would expand the number of data sharing agreements that fall under the purview of CCPA. Until this matter is resolved, the scope of data exchanges subject to the new consumer rights elucidated in the law will remain unclear.
We’re Here to Help
Here at the App Association, we will continue to be a CCPA resource for you as the law evolves. In the coming months, look for more discussion about the California Attorney General implementing final regulations, consideration of specific aspects of the law, and updates regarding any potential overhauls. While this process certainly presents a steep learning curve for all, we hope you can learn along with us!