Consumers worried about their privacy can only hope the axiom “As goes California, so goes the nation,” will be a dream come true.
On January 1, 2020, the California Consumer Privacy Act (CCPA) goes into effect, marking the strongest pro-consumer privacy law in the land.
Based on the tenet that every consumer has the right to take back control of their personal information, the Golden State’s new law takes its cue from GDPR -- the European Union’s General Data Protection Regulation. That legislation has already put Marriott and British Airways in its crosshairs, spurred changes from Google, and elicited standing ovations from Apple and, would you believe, Facebook.
Created by regular people, not politicians
While any law has to make its way through the legislative process before it sees the light of day, one of the benefits of the new California privacy law is that the leadership team behind it is made up of a group of as-close-to-regular people that one could find.
At the top of the organizational chart is the husband wife team of Alastair and Celine Mactaggart, who the New York Times called the “unlikely activists who took on Silicon Valley and won.”
By trade, Alastair is a real estate developer who fell into his activist role one night over dinner with a Google engineer who told him, “If people really knew what we have on them, they would flip out.”
Here’s how it works
Mctaggart’s go-to sermon is “it's not right that companies you’ve never heard of, can buy more information about you (and sell it for a profit), than even your closest friends know.” And, with that, a law was born.
Here’s the lay of the land on what rights the California Consumer Privacy Act gives consumers in regards to their private information:
The permission to know any and all personal data that any business collects, twice a year, free of charge.
The guarantee that the consumer can refuse the sale of their information to another party.
In cases where there was a data breach, the right to file a lawsuit against the company that collected that data IF the company was reckless or negligent about how it protected the data. In other words, think “identity theft.”
The ability to delete any data a consumer’s posted.
The right to ask a company exactly what categories of data its collecting (e.g. age, zip code, and education, as well as the categories of third parties with whom data is shared.) As ConsumerAffairs understands that, if one company collected a consumer’s age under a “date of birth” category and shared that information with another company that placed that information under a category it calls “age,” the consumer has the right to know that.
The mandate that a company must get opt-in approval from any person under the age of 16 if they want to sell their information.
A statement explaining the purpose for which the company collecting the user’s information is. An example would be an advertising agency that collects data about a client’s users.
Is this THE answer?
While California’s law may be a step in the right direction for the consumer, it’ll be years before we know if this is the end-all and be-all.
“It still has a long way to go before it can adequately protect the personal data of consumers,” writes Nicholas F. Palmieri III in the Hastings Science and Technology Law Journal. “As such, the law in its current form acts merely as a transparency law for Californian consumers and is truly not a system that consumers would want the country to adopt, at least as the law currently stands.”
“Other states, following California’s lead many still adopt data protection laws of their own. Following a similar trend as when the states adopted data breach notification laws, these data protection laws will likely contain the same broad principles as the CCPA but with some very important variations. While the deviations are important in the data breach context, they do not perfectly map onto a data protection context, but would still provide very important and necessary protections.”