CCPA – What It Means For The Tech Giants And Their Users

The California Consumer Privacy Act (CCPA), also known as AB 375, was passed by the State of California in June 2018. The bill will be enforced from the 1st of January 2020. The CCPA’s design closely resembles that of Europe’s GDPR (General Data Protection Regulation), which came into effect on 28th of May 2018.

Under the CCPA, an individual has the authority to demand all relevant information pertaining to that individual from a specific company (or companies) and from any third parties with whom the data has been shared (or to whom it has been sold). The CCPA puts emphasis on first-party data whose collection and sale have been authorised. Users, however, have the option to opt out of the sale of their personal information. By mandate, all websites must have a link on their front page which reads as follows: “Do Not Sell My Personal Information”. It could also be a simple button at the end of the page, or a simple phone call should do the trick too.



The law encompasses all companies that serve Californian citizens, regardless of whether they have a physical presence in the state. All companies that make 50% or more of their revenue from the sale of personal information, companies (irrespective of size) with data of more than 50,000 users, and companies with annual revenue of $25 million must comply with the CCPA.

Both the CCPA and the GDPR seek to improve consumer privacy and information security by giving more power to users, who can regulate or have a say in how their personal information and preferences are used by advertising companies, social media companies, tech giants and other similar agencies.

What makes the CCPA more formidable than the GDPR is the inclusion of a provision which allows individuals to file lawsuits against companies. Companies must now categorise users based on their privacy policy updates and be able to produce those details before the appropriate agencies when called for. This would mean going through an overwhelming amount of unsegregated data and documenting it in an orderly fashion.

“Cross-silo file management is a major challenge. It is difficult to understand the context for each file if they are scattered inside different repositories,” says Aaron Ganek of Cloudtenna. 

Companies will now have to disclose all related information, even their dealings with other companies and advertising agencies, for all users for the past 12 months. A provision in the CCPA states (an overarching view only) that companies must provide the same kind and quality of utility to all their users, which is in conflict with another provision allowing companies to provide additional support to users who have opted for upgraded facilities.

Limitations of the CCPA

The bill has its own set of limitations. The tools and legacy systems currently in use are not adequate to handle this complex problem, and newer tools need to be designed and implemented. Adherence to such stringent policies is an almost impossible task, as companies can, unintentionally or unknowingly, access personal information without user consent, which can result in a lawsuit. Such vague policies have left the tech companies completely vulnerable to malicious individuals, and lawyers are now prowling to sue companies for anything and everything on the basis of ‘their’ interpretation of the CCPA.

Companies will be given a period of around 30-45 days to respond to reported violations, and if they fail to follow the procedure or choose to disobey, a fine of $7,500 can be levied on the company for every instance of violation observed, by the district attorney on behalf of the people. Tech giants like Google and Facebook, often the subject of data mismanagement scandals, along with other companies, were quick to sound their woes. During data breaches, which have been frequent recently, the personal data of thousands is stolen, and the companies cannot afford to pay individual fines.

Individual users are also entitled to reimbursements to the tune of $100 – 750, depending on the severity of the data breach or infringement of the user’s privacy policy. Additionally, users may seek reparations for damages incurred, such as defamation, loss of employment, or injury to personal assets, if these exceed the fine amount. The companies, on the other hand, will incur massive additional logistical expenses in an effort to address users’ queries individually.


The State of California has released a report which states that companies are planning to spend $55 billion to make their operations CCPA compliant. Tech companies like Facebook and Google, who already face billion-dollar GDPR lawsuits, are fighting back. Facebook said that it does not deal in ‘selling’ user information; hence, the company has no need to update its privacy policies. Google has already launched an extension which allows users to block Google Analytics from collecting data. Twitter, in December of last year, also announced its plans to set up a ‘privacy centre’. By law, all affected companies will have to establish an online help centre which will work to procure information for users when requested or necessary.

Yeshey Rabzyor Yolmo
J.D. Salinger and O'Henry are my favourite writers. I love history and politics and like to write occasionally.
