Collected, bought and sold. For decades, personal data has been used by businesses to learn everything about their consumers — from names to shopping preferences and addresses — and commodified for greater profit at the price of consumer privacy. However, as of Jan. 1, the California Consumer Privacy Act (CCPA) has created a massive shift in the data privacy sector by requiring all businesses to inform consumers of their data being collected and provide the option to opt out of the sale of personal information.
Passed by the California State Legislature as Assembly Bill 25, the CCPA is a new initiative focused on ensuring data privacy for California residents. For the CCPA to apply to a business, it must earn more than $25 million in gross annual revenue, come into contact with the personal information of more than 50,000 consumers, households or devices and derive 50 percent or more of their annual revenue from selling consumers’ personal information. Additionally, the CCPA applies not only to California-based businesses, but any company engaging in business with California residents.
Although fairly new to the U.S., comprehensive internet privacy laws based on the globally understood Fair Information Practices have already been passed in many other countries, including Canada, Brazil, Russia and Europe. Similar to the United Kingdom’s General Data Protection Regulation (GDPR), the CCPA focuses on consumer privacy rights. However, it is unique because it also focuses on existing privacy abuses not covered in the GDPR, like online advertisement targeting. While ad targeting has existed for decades, it has never been as extreme as it is currently. Expanding on the old strategies of targeted commercials on television programs, the digital age of the Internet has brought “microtargeting”, a new type of marketing in which consumers are shown extremely specific ads based on their previous online behavior.

The bill gives California consumers the right to request all information about them which companies have saved, including a full list of third parties with whom their data is shared. It also gives them the choice to opt out of data mining, the process of companies collecting data from consumers.
Data can be collected by companies in several ways, many of which are disregarded by consumers as they are subtly placed on the company’s websites. One example is cookies — small files in a user’s computer that hold data specific to each client or website. Cookies are one of the most commonly used tracking tools for companies, as they allow the website to tailor content to the user through their recorded preferences and keep that data for future visits. Strength of WiFi, Bluetooth and cellular communication are also used to track users’ day-to-day activities and determine whether advertisers were successful in prompting consumers to make in-store purchases.
“From a consumer standpoint, it’s pretty easy to say, I don’t care that much about the ad targeting — we are all pretty good at ignoring the ads anyway,” said Peggy Eisenhauer, privacy law consultant and founder of Privacy & Information Management Services. “But we also live in a world where these algorithms are being used for other purposes; to shape political opinions, to influence elections, to spread misinformation, to sow geopolitical division, et cetera. There are enormous social and civil liberties issues here, and the platforms are wholly unprepared to manage these risks.”

Customers may opt-out of data mining on eligible businesses’ websites through links that say, “Do not sell my information,” which will be accessible on most CCPA-applicable businesses’ websites by July 1. Some companies, such as Vizio and Amazon, have already implemented this feature, with many others currently in the process of doing so. Social media platforms like Facebook have also added features to meet CCPA requirements, including a disconnect feature that removes any association between a person’s name and their collected information. Beginning July 1, companies in violation will be fined for noncompliance with the CCPA. This penalty can range from $2,500 for an unintentional violation of the CCPA to $7,500 for an intentional violation, with each case assessed by the Attorney General.

“Businesses have been collecting information about their customers for so long that many of them do not fully understand what data they are collecting, where they are storing it, how they are using it or who they are sharing it with,” said Ginny Sanderson, an internet advertising attorney and partner at Kronenberger Rosenfeld. “Thus, the first thing any business that is required to comply with the CCPA must do is figure out these things. In addition, business websites must be updated to clearly explain to users, through their privacy policy, how their information is being collected and used. They must also respond to certain user requests.”

Provisions under the CCPA also prevent businesses from discriminating in pricing, products or service based on a consumer’s choice to opt-out of the sale of personal data. However, companies can still vary their pricing as long as they can prove the price difference is based on the value of the consumers’ data. To explain this price difference, businesses are required to disclose to customers the value of their data as well as the methods they used to calculate it.
Free services, such as streaming companies and news sites, are also subject to the CCPA requirements; however, they are exempt from the product and service discrimination provision of the act. Because of this, free services may penalize users who opt out of data mining by lowering the quality of their web service.
“Online ecommerce is largely driven by businesses analyzing their customers’ buying behaviors,” said senior Cindy Xu. “Amazon for example definitely tracks user data. Because of this I’m really mindful of when a business tracks the items that I purchase and browse through. So [if] the CCPA is enforced, it [will] be a big milestone for California.”

Opting out of data mining, however, doesn’t always mean that the collected data is deleted since the CCPA permits anonymous data collection. Companies have the opportunity to decline requests if the data is used for “business purposes,” the scope of which must be clearly defined to consumers for the duration of all data collection. There are seven “business purposes” protected by the CCPA: auditing; protecting against security incidents; debugging to identify and repair errors; short-term transient use; performing services on behalf of the business or provider, such as providing customer service or processing orders; undertaking internal research for technological development and demonstration and verifying or maintaining the quality of a service controlled by the business.

“The CCPA gives consumers several tools to take more control of their privacy, but only if they choose to use them,” Sanderson said. “It does not prevent businesses from collecting information about consumers. It only requires companies to be more transparent about what they are doing. So if you are the type of internet or mobile app user that always clicks to agree to privacy policies without reading them, you will not be better off as a result of the CCPA.”
Though the CCPA represents a leap toward user privacy, there are downsides to these new privacy laws. By asking a company to delete all of their information on a user, that user’s whole account may be deleted, as without their personal data there would be almost nothing left. Another downside of the CCPA is its ambiguity. Some sections of the act seem rushed and unclear, forcing companies to guess at their meanings and causing confusion for both businesses and consumers. Moreover, since advertisements contribute the majority of revenue for many websites, fewer targeted ads based on personal data may lead to a shortage of free content being put out on websites.
“CCPA compliance is needlessly difficult in certain contexts. In other aspects, the language is unclear, and businesses and their lawyers are forced to guess what it means or how it will be interpreted,” Sanderson said. “That said, I believe that an increased emphasis on privacy is a good thing.”
The CCPA is a major step toward greater consumer privacy rights and personal data protection. Consumers will be able to better protect their information, which can be especially vulnerable in this digital age. For businesses and consumers alike, the CCPA will mean more accountability, privacy and transparency.