What the CCPA Says
The California Consumer Privacy Act gives users a host of new rights when it comes to controlling their data, which we described in detail in our article of the 29th of November. Furthermore, the Act stipulates that businesses are not allowed to discriminate against consumers for exercising these rights. Two definitions within the Act are important to note with regard to the CCPA’s global implications. These are:
“Consumer” means a natural person who is a California resident. Or, as Ford Motor Company bluntly pointed out on its website: “If we are not able to verify your identity and that you are a California resident, we may not honor your access or deletion request.”
“Business” means any business that meets at least one of the following criteria: generates an annual gross turnover in excess of $25 million; buys, receives, sells or shares the personal data of more than 50,000 users for commercial purposes; and/or earns more than half of its annual revenues selling consumers’ personal information.
This means that the CCPA applies to ANY company that meets one of the above-mentioned criteria and collects personal information from California residents and/or does business in California, not just Californian companies. This is regardless of whether a company has an office in California or not. The full text of the bill is available online.
The Difference With GDPR
There are some distinct differences between California’s CCPA and Europe’s GDPR that both businesses and consumers should be aware of. For example, under the GDPR users must explicitly opt in to share their personal information. California residents over the age of 16 can only opt out. To facilitate this, a link titled “Do Not Sell My Personal Information” must be clearly displayed on all homepages, alongside a privacy policy. Another key difference is in how far-reaching the definition of personal information is under the CCPA. It includes not only personal identifiers, but also biometric data, geolocation data, internet browsing history, professional information and inferences used to create consumer profiles. On the other hand, California’s new Privacy Act does not recognize publicly available information as personal data, whereas the GDPR does. Also, the CCPA states that companies only need to delete information they have obtained directly “from” the consumer. Under the GDPR, on the other hand, this extends to data obtained from other sources or derived from the customer’s journey. Furthermore, companies that fall under the CCPA’s legislative requirements must clearly state “at or before the point of collection” what the purpose is for collecting any personal information.
What About Non-Resident Social Media Users?
California is the hub of famous tech giants and social media companies that do business all over the world: Google, Apple, Facebook, Twitter, LinkedIn and Instagram, to name just a few. Nonetheless, the CCPA only applies to consumers who reside in California. If you are a non-resident, you still benefit from some of the CCPA’s requirements. At the very least, you will get added transparency. Moreover, global companies usually adhere to the most restrictive regulations of all the countries they do business with. After all, it is easier to roll out a single solution for all countries rather than country-specific solutions. That is why most tech giants and social media companies adhere to Europe’s GDPR, which came into effect in 2018. Twitter, like other social media giants, is now updating its privacy policy. In line with the CCPA, its new privacy policy will give consumers more transparency and control over their personal information. “The goal is to provide those same experiences to people all around the world”, Twitter said.
Data Party Put to An End
Of course, the CCPA is not the only state-level privacy law coming into effect. This Act is currently the most stringent in the US, but other states are expected to bring in laws that mirror it. Undoubtedly, this confirms a global trend. Just like other heavily regulated industries, such as banking and pharmaceuticals, data-driven businesses face stricter regulations. This does mean that data protection and data regulations will become exponentially harder to comply with, but also that the “data party” that some companies currently take for granted is most definitely coming to an end.