California’s CCPA, or the California Consumer Privacy Act, offers a somewhat reasonable, proactive, and efficacious approach to the protection of the rights and interests of consumers in the data-driven era. While these regulations technically only apply to California residents, many companies are extending them nationwide.
Here’s what you need to know about exercising your privacy rights under the CCPA.
Not in California? Here’s what you need to know about Virginia’s privacy law.
Your privacy rights under the CCPA
The California Consumer Protection Act (CCPA) became effective on January 1, 2020. It introduced four new categories of rights for consumers in California: the right to know, the right to delete, the right to opt-out, and the right to non-discrimination.
#1: The Right to Know
Enshrined under section 1798.100 of the CCPA, this gives you the right to access the personal data companies have stockpiled, utilized, disseminated, and shared. This right also includes information about the specific categories of personal information collected concerning the customer.
To gain access to your personal data, you must make a formal application to a business, asking it to reveal the personal information it has collected, disseminated, and sold. When disclosing the specific pieces of collected personal data, the firm will outline each of the categories of personal data collected from the customer, where it mined the personal data, the commercial motivations behind its decision to collect, and the names of third parties who have seen or accessed the data. Where the request reveals that the company has been selling its customers’ personal data to third parties, the company will have a duty to reveal the general and specific categories of personal data it collected concerning the customer.
Why it matters: By giving customers access to both general and specific data that a company has about them, customers can determine whether companies have been breaching privacy laws or otherwise doing shady things like selling email addresses, mailing addresses, social security numbers, names, geolocation data, login IDs, IP addresses, biometric data, behavioral data, social media handles, and other personally identifiable information (PII) that third parties can use to identify, impersonate, or scam them.
What companies must do: Businesses that intend to collect, use, disseminate, and sell their customers’ personal information have a duty to inform customers about the different categories of information they are collecting and how they will use the data before they commence the collection process. The warning or notice will inform the customer that the company collects the customer data, enumerate the purposes for which it is collecting the data, and outline the specific categories of personal data it wishes to collect.
Once a business has specified the different categories of data it is collecting and their uses, they’re legally not allowed to collect, use, and share additional categories of personal data beyond what’s been disclosed to, and accepted by, the consumer.
Loophole: Companies can circumvent the VCR right to know rules on the ground that it is impossible to attribute their anonymized data to specific customers. The right to know about the general information and personal data in a company’s possession will be limited to instances where the firm can attribute the personal data in its possession to the identities outlined in the verifiable consumer requests.
#2: Right to Delete
Along with the right to know, the CCPA gives consumers the right to delete personal information that businesses have collected from them. Under section 1798.105(a) of the CCPA, customers can compel businesses to erase the personal data. Widely regarded as the right to be forgotten, this right is exercised in conjunction with the right to know and the right to freedom of expression.
Why it matters: It gives consumers the right to withdraw consent on companies’ use, sharing, processing, and sale of their personal data. After consumers withdraw their consent, companies must delete the data without delay.
What companies must do: Delete personal data upon receiving a valid request. Businesses can ignore the right to delete requests in instances where retention of consumers’ personal data is necessary for facilitating the completion of commercial transactions, detecting and preventing incidents of fraud, deception, malice, and unlawful activities, supporting the identification and correction of errors that may impair the functionality of a person’s computer, safeguarding the right to free speech, and facilitating peer-reviewed, statistical, or historical research that is in the interests of the public.
Loopholes: The CCPA provisions on the right to delete recognize that companies’ retention of certain categories of personal data may be necessary for detecting and preventing unlawful activities and identifying and repairing errors that infringe upon a consumers’ use of their computer systems.
The right to erasure also makes it difficult to determine how consumers’ right to erasure aligns with other competing rights like the right to free expression in the context of political speech and media publications. Can consumers use that right to demand that bloggers, digital news websites, websites, and other online sites delete all the personal data they have published on their websites? An inconsistent application of the right will create legal loopholes through which consumers force search engine giants like Yahoo, Google, and Microsoft to erase all personal data related to them. This will be tantamount to rewriting history. Content related to people’s histories and online activities will become difficult to find and, in the process, could infringe upon citizens’ right to freedom of information.
#3: Right to Opt-Out
Consumers can at any time exercise their right to opt-out by demanding that a business refrains from selling their personal information to third parties. Businesses must notify consumers about their decision to sell their personal information but also notify them about their right to opt-out of the arrangement. And businesses cannot sell the personal information of children who are younger than 16 years old without their parents’ or guardians’ consent.
Why it matters: Companies have access to technologies that collect customers’ personal information. They are aware of the value of that information and the various uses that can maximize its value. In contrast, consumers have very limited knowledge of the privacy practices and policies of the firms they are dealing with. They may erroneously believe that the businesses’ information security practices and policies may afford them significant safeguards than they do. On the faith of this erroneous information, consume
What companies must do: There are two mechanisms to protect the rights of consumers. The first of these mechanisms is the opt-in tool. The opt-in tool requires that certain categories of consumers like minors must opt-in before companies can legitimately collect, utilize, disseminate, and sell their personal information. These opt-in guidelines compel businesses to request express permission from guardians and parents in instances where they are collecting personal data from children who are younger than 16 years.
The second mechanism consists of the opt-out tool in which the law compels companies to notify consumers about the specific types of personal information they are collecting and give them an opportunity to opt-out before they continue to use their online services. The opt-out request becomes effective immediately after the business receives it.
Loopholes: Many consumers ignore companies’ privacy policies before exercising their right to opt-out. In most instances, they ignore the policies and assume that the website, online portal, or smartphone application within which they are interacting has a robust information security system. Companies can just bury the privacy opt-out in the footer and prevent consumers from even knowing how to exercise their rights.
#4: Right to Non-Discrimination
The CCPA recognizes and safeguards consumers’ right to non-discrimination. This right protects consumers against retaliatory measures that businesses may wish to implement against consumers who decided to exercise their right to know, right to delete, or right to opt-out.
Why it matters: Companies could punish consumers for exercising their privacy rights. This prevents that. The provision prohibits businesses from retaliating by preventing consumers from purchasing goods or services, imposing different charges to such consumers, lowering the quality of services delivered to these consumers, and suggesting that consumers opt for downgraded service quality or a higher price.
What companies must do: Businesses from implementing retaliatory measures in light of their decision to exercise their right to delete, their right to opt-out, or their right to know. Businesses can circumvent the right to non-discrimination by compensating consumers for collecting, selling, and deleting personal information — but that compensation can’t be usurious, coercive, unreasonable, or unjust.
Loopholes: There’s a claw-back provision that businesses can use to monetize and punish consumers’ exercise of their rights under the CCPA. Indeed, section 1798.125(a)(2) states that the exercise of the right to non-discrimination should not interfere with businesses’ right to impose a different price or deliver low-quality services when that difference is reasonable and directly attributed to the value of the customer’s data. For instance, search engine giants like Google, Yahoo, and Microsoft, and other dominant service providers like Verizon, Amazon, Apple, and eBay can decide to respond to mass personal information erasure requests by redirecting such customers to low-quality webpages in the name of cutting costs. C
How to exercise your privacy rights
The CCPA offers a somewhat reasonable, proactive, and effective approach to the protection of consumers’ privacy rights. There’s still a lot of work to be done — and we all deserve a national privacy law! In the meantime, look for privacy controls in the footers of the websites you visit, or as banners and pop-ups. It may take time but its so worth it!
