2018 was the year of GDPR: the General Data Protection Regulation, a comprehensive update to privacy laws enacted by the European Union.
The legislation, adopted by the European Parliament in 2016, formally came into force on the 25th May 2018, and the months leading up to GDPR’s enforcement saw businesses and marketers across the world racing to comply with its requirements by this deadline. Repermissioning emails were sent in droves, new marketing technology was created to track consent, and websites were blocked to EU visitors on “GDPR day” in a bid to give their owners more time to comply.
Amid all the excitement about GDPR, it’s easy to overlook another piece of legislation that passed during roughly the same period: the California Consumer Privacy Act (CCPA). Compared with the GDPR, the CCPA had a very short inception period, famously passing after just a week of debate. Nevertheless, its impact on the data privacy landscape in the United States has already been significant – and could become even more so as time goes on.
What is the California Consumer Privacy Act (CCPA)?
The CCPA is a major update to privacy law in the state of California that gives new rights to Californian consumers – defined as any permanent resident of the state – to know what personal data is being collected about them, access it, request its deletion, and opt out of having their personal data collected.
Any for-profit company that does business in California (which includes businesses that sell into the state, pay taxes there, and more) and meets certain other thresholds is required to comply with the legislation, which comes into effect on January 1st, 2020.
The CCPA was created as an alternative to a much stricter piece of privacy legislation called the California Consumer Personal Information Disclosure and Sale Initiative, which was sponsored by an advocacy group called Californians for Consumer Privacy. Although the group had raised enough support for its initiative to be included on the ballot, it agreed to withdraw the initiative if a compromise bill was passed before the withdrawal deadline in the last week of June.
This resulted in the California Consumer Privacy Act of 2018 being introduced by state assemblymember Ed Chau and state senator Robert Hertzberg, and passing with unanimous support on June 28th. In a statement to Wired after his bill passed, Hertzberg called the CCPA “the most comprehensive privacy law in the country”.
Although the CCPA is often referred to informally as “the American GDPR” or “California’s GDPR”, it has a slightly different focus and scope to its European counterpart, being more focused on commercial uses of data as opposed to data processing of all kinds. It also works on an opt-out basis, while under the GDPR, consent (one of the lawful bases for data processing, though by no means the only one) requires “a positive opt-in”.
For more detail on the scope of the CCPA, who it applies to, and the differences between the CCPA and the GDPR, Econsultancy subscribers can read our briefing, A Marketer’s Guide to the California Consumer Privacy Act (CCPA).
The GDPR has a much further-reaching scope and scale than the CCPA, but the CCPA is still a highly significant piece of legislation in its own right. Not just because it was passed in the most populous state in the US, a state in which numerous major tech companies operate, but because it has already inspired numerous copycat bills in other states – and many people are pushing for a law to be passed at the federal level.
The CCPA effect
The GDPR and the CCPA both passed into law in a new age of data privacy awareness among consumers. As the CCPA says in its second section, “It is almost impossible to apply for a job, raise a child, drive a car, or make an appointment without sharing personal information. As the role of technology and data in the every daily [sic] lives of consumers increases, there is an increase in the amount of personal information shared by consumers with businesses.”
The Cambridge Analytica data scandal in 2018 brought the scale of personal data collection by businesses – and the potential impacts of its disclosure – into a new and shocking light, but it was by no means the first high-profile data breach. Small wonder, then, that consumers and advocacy groups are pushing for laws that will require businesses to disclose what data they collect about people and what they do with it, as well as give them the right to obtain and delete, or opt out of the collection of, that data.
Since the CCPA passed into law in California, close to a dozen other states have either drafted or introduced similar legislation that would give consumers new rights with regard to their personal data. These range from the nearly identical, like the Mississippi Consumer Privacy Act (which has already died in the committee stage); to more expansive bills, like the one proposed in Hawaii, which extends applicability to all businesses operating in the state, or the one proposed in Maryland, which has a much more expansive deletion right; to the minimalist, like North Dakota’s bill, which deems an individual guilty of an offence if that person “obtains or attempts to obtain, transfers, records, or uses or attempts to use” personally identifiable information without the “express written consent” (by mail or email) of the individual it belongs to.
All these new privacy laws model themselves on the CCPA to some extent, with the exception of the Washington Privacy Act, which took the GDPR as its model. (Washington’s bill has also stalled in the committee stage and is not expected to pass this year, though the bill’s primary sponsor has said he is “committed” to passing it in 2020.)
The impact of this is that the new privacy bills all use broadly similar language and uphold similar priorities to the CCPA, focusing on consumer rights rather than organizational practices, and taking a broad definition of consumer information that encompasses things like biometric data, internet activity, unique identifiers other than a name (like an IP address or cookie data), and other things that could reasonably be used to identify a person.
Many of the bills also mimic the CCPA in using language that encompasses “household” data as well as individual personal data, a provision that may be designed to include things like data collected by smart devices which are used by a household rather than a single individual.
All of this means that California’s privacy bill, however hastily it may have been passed, is setting the standard for a new generation of privacy legislation across the United States that may dictate data privacy and transparency for years to come. While each US state has its own distinct priorities, and its own legislators who may feel quite differently towards the stipulations of a CCPA-esque privacy bill than their Californian counterparts, the rest of the United States is watching California closely, scrutinizing the amendments that are passed, and accounting for the CCPA’s shortcomings in their own legislation.
A new federal privacy law?
With such a wave of similar legislation cropping up across America, numerous commentators have argued that it would be more effective – and certainly more straightforward – to pass a single, federal privacy law that applies to all states equally, instead of businesses needing to worry about complying with a patchwork of different state-level privacy legislation with slightly different specifications and requirements. Critics of the CCPA – for example, those who believe it places too much of a burden on consumers to make choices that protect their privacy, instead of on the businesses collecting consumer data – also believe that a new federal law could improve on the shortcomings inherent in California’s legislation.
Another advantage of having a single, nationwide privacy law would be that if the European Union recognized the legislation as providing an adequate level of data protection, data from the EU and EEA (European Economic Area) could be transferred to the United States without the need for any additional safeguards or agreements. At the moment, this can only take place if the recipient in the US is a member of the EU-US Privacy Shield framework.
The Federal Trade Commission is one major body in favor of passing a privacy law at the federal level, in part because this would give it a greater ability to police trade violations and more authority to impose penalties on companies taking a cavalier attitude towards data protection. Many of the biggest tech giants are also lobbying in favor of a federal law in the hope that it will give them more leeway over how they handle personal data – and that they will get a say in the new law as it is drafted.
However, California’s representatives have expressed indignation at the idea of the CCPA being subsumed by a new, federal law. “California’s bill is the best. Why would we want to preempt it?” Jackie Speier, US Representative for California’s 14th congressional district and a member of the Democratic Party, said in an interview with Politico. “I would look askance at any measure that tried to preempt it … I would hope that all 53 members [of California’s House delegation] would oppose it.”
Politico goes on to note that members of both parties have acknowledged that the issue of preemption is “among the thorniest under discussion in legislative talks, which have already stalled relative to optimistic early projections”. While there are strong arguments in favor of a national law, it may face stiff opposition from Californian Democrats in the Senate unless the proposed legislation is at least as robust in its protections as the CCPA – something that the big tech companies are much less likely to be happy with.
A number of federal-level privacy bills have already been proposed. One is the Data Care Act, put forward by a group of 15 Democratic senators the day after Google’s Sundar Pichai was questioned on data privacy in a congressional hearing. Another is the Consumer Data Protection Act, proposed by Oregon senator Ron Wyden – a stringent bill that has attracted attention due to its proposed prison sentences for CEOs who fail to protect Americans’ data. Most recently, Senator Marco Rubio has proposed the American Data Dissemination Act, a much less rigorous privacy law that would ask the FTC to recommend rules and regulations that Congress would finalize, rather than giving it the authority to create regulations.
Each of these bills has its own obstacles to overcome, not least the existence of multiple other ‘competitor’ bills with similar aims. Whichever piece of legislation becomes federal law (if any) will need to garner broad bipartisan support and satisfy a range of competing interests.
In the meantime, the California Consumer Privacy Act is already law, and the countdown to its implementation has begun. The longer businesses have to adjust to its requirements, the more likely they will expect any subsequent laws at a state or federal level to follow its example, if only for the sake of simplicity and consistency. Understanding the CCPA looks increasingly like the key to understanding the future of data privacy and protection in the United States.