Back in May of 2018, I published an article explaining a new European privacy legislation called the GDPR (General Data Protection Regulation). To recap for those who missed our last post, the GDPR legislation stated that websites would not be allowed to not track cookies from European IP addresses without the user first consenting to their data being collected. As a European law, the implications of the GDPR lie within European jurisdiction and have little to no effect on American citizens, apart from now having to have to accept or reject the data collection efforts made by a majority of websites. But as of 2020, there is a new player in the internet privacy game, this time on American soil. Enacted in California, new web legislation titled “the California Consumer Privacy Act” (CCPA) has officially gone into effect, adding limitations to what companies can do with the personal data they have collected on users via their website.
For benefit of Californians, the CCPA was filed in the interest of protecting their personal data; these stricter regulations have granted Californian residents the right to know what data has been collected about them, how a company is using that data, and what they can do to protect it. This legislation was filed in California just a few months after the GDPR went into effect in Europe, and taking into account that the global concern over personal data and internet privacy has risen higher and higher with each passing year, it’s safe to assume that what was started in Europe will likely become a national, if not global, standard.
In this article, I will be offering a condensed summation of the information and implications of the new CCPA legislation, as well as the answers to some frequently asked questions, such as; what does this mean for US organizations? How is it any different from the GDPR? And what can I do to make sure my site is compliant?
A Little Background Info:
The right to internet privacy has been a hot topic over the last couple of years, particularly since the emergence of the GDPR in Europe. But many internet users on American soil weren’t very knowledgeable on the subject until Mark Zuckerberg’s awkward testimony to Congress regarding Facebook’s questionable data privacy practices back in April of 2018. After this very public revelation by Facebook’s CEO, many United States citizens became increasingly more aware and concerned about what kind of personal data they were unknowingly giving up to large corporations. That being said, there is a large number of Americans who do not seem particularly perturbed by this news; after all, willingly sharing our internet behavior with organizations does make consumerism easier. For readers who do not know what we mean by this, we are referring to the fact that most (if not all) retailers whose websites you’ve visited in the past are tracking your internet shopping habits in some form or another. With this data, businesses can easily deliver targeted, relatable advertisements and content to your social media feed(s). These companies know their user base very well, they know what gender you are, which retailers you prefer to shop at, what your political affiliation is, which news sources you read, even what kind of computer or phone you are using to access your accounts — the amount of data being collected on any given user is almost endless.
Those who do care about their right to internet privacy, however, have been pushing their cause for years. Netflix’s 2019 documentary The Great Hack provides a brilliant explanation of how data mining works, who’s doing it, and why the collection of personal data can be dangerous and harmful to the general population. Take the Cambridge Analytica data scandal for example. During the period before the 2016 presidential election, the British-based “political consulting” firm conspired with current US President Donald Trump’s marketing team to mine as many personal data points on social media users as possible. With a better understanding of the current user base, the overall political climate, and access to better advertisement targeting features on social media, Trump’s marketing team was able to target very specific ideological advertisements to the people who were more likely to engage with them. Many social media users aren’t aware that every fun facebook quiz that they may have caved into taking over the years has actually collected several data points on them. Many quiz sites are designed to collect information about who you are as a person so that info can then be sold to other organizations to use for whatever they please. Cambridge Analytica bragged that they had collected 5,000 data points on more than 230 million Americans, giving a lot of power to whoever purchases that information. If you are concerned about Facebook spying on you, you can always visit your Ad Preferences to learn more about how their algorithms have identified and defined "you" as a person.
Enter the California Consumer Privacy Act
The GDPR had companies scrambling to make their sites compliant back in 2018. Fast forward to 2020 — a new law in California has followed suit regarding their residents' right to internet privacy. The California Consumer Privacy Act (CCPA) went into effect on January 1st of this year. This means that many U.S.-based organizations are no longer exempt from their obligation to inform visitors that their data is being collected, and, if they haven’t already, will have to make significant changes to the way in which they track data on their website.
What is the CCPA Exactly?
As the first consumer privacy act in the United States, the SB-1121 California Consumer Privacy Act Bill was filed in 2018 and written to go into effect on January 1st of 2020; giving organizations about a year and a half to get their websites up-to-date on the new compliance standards. With California being the world’s fifth-largest economy, this new legislation is a pretty big deal and will affect more than just the large social media companies in the United States. It will affect any business unit that collects large amounts of user data, whether actively (through form submissions) or via cookie tracking applications like Google Analytics.
In an effort to increase transparency between corporations and consumers, any Californian who is visiting a company's website must now be informed that their personal information is being collected. Geographically speaking, this law protects any user with a Californian IP address, even if they are working from a laptop in a different state. They must also be informed as to what their data is being used for, and understand that they have the right to access this data if requested and the right to opt-out of having their data sold to third parties if they so choose. Conversely, minors under the age of 18 must opt-in to having their personal data collected in the first place.
What exactly falls under the umbrella term that is “personal data,” you may ask? Well, the CCPA has used the term broadly to include information that can identify, relate to, describe, be associated with, or be reasonably capable of being associated with a particular consumer or household. This includes cookie data and other “unique identifiers” — referring to any personal identifier that could be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier, an IP address, cookies, beacons, pixel tags, mobile ad identifiers, or similar technology.
GDPR vs CCPA – What’s the Difference?
For starters, some may argue that the CCPA is somewhat “looser” than the GDPR. It incorporates several GDPR concepts, such as the rights of data access, portability, and data deletion. That being said, there are still several areas where the CCPA requirements are more specific than those of the GDPR. The CCPA is generally more focused on protecting user data from being sold to third parties without their consent. The new law states that businesses must include a “Do Not Sell My Personal Information” link in a clear and conspicuous location on the homepage of their website. One weird catch about the CCPA is that businesses are still allowed to ask consumers for reauthorization to collect and sell their information even if they have already opted-out in the past, as long as businesses wait 12 months before re-asking users for permission.
The scope and territorial reach of the GDPR is much broader, applying to any “data controllers and data processors” (business websites) around the world that collect information on any user with an EU-based IP address. Unlike the CCPA, the GDPR does not include the very specific right to “opt-out of personal data sales” but users can reach the same result by requesting websites to opt-out of processing their data for marketing purposes, and to withdraw consent for processing activities.
Personal Data Defined
The GDPR’s broad definition of “personal data” includes “any information relating to an identified or identifiable data subject.” This kind of information (which we listed out in the previous section) is very specifically defined in the CCPA, and, unlike the GDPR also includes information linked and the household or device level. It is also worth mentioning that the CCPA’s definition of personal information does not include any publicly available government records.
In both the CCPA and the GDPR, legally speaking, “consumers” (CCPA) and “data subjects” (GDPR) both have the right to access their personal information and to request additional information on why the business in question is collecting their data and what it is being used for. In terms of consent, the CCPA states that children aged 13-16 can directly provide consent for their data to be collected, but their data cannot be sold if they are under 16. Children under 13 require parental consent before their user data can be collected. The GDPR has marked the default age of consent at 16, but the personal data of children is also subject to heightened security requirements. In a similar fashion, the GDPR also holds parents responsible for providing consent before their children’s data can be collected and processed.
Whom Does the CCPA Apply to?
More businesses are exempt from the CCPA than the GDPR. The CCPA aims at regulating “Any for-profit entity doing business in the state of California that meets one of the following requirements:”
- Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
- Has a gross revenue greater than $25 million.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
On top of this, the CCPA applies to any entity that either:
- Controls or is controlled by a covered business.
- Shares branding with a covered business (i.e. shared name, trademark, service mark, etc.).
The GDPR is substantially different with regards to which parties are regulated, and identifies data controllers and processors that:
- Operate from the European Union and process the personal data of any number of European citizens. Regardless of where the data processing takes place, it applies to businesses processing data from within and outside of the European Union.
- Are not established in the EU but still process data subjects’ personal data for the purpose of offering goods or services, or simply just to monitor their behavior.
What’s at Stake?
If the CCPA applies to your company’s website, and if your site is currently not complying with the standards imposed in this new legislation, you run the risk of private attorneys bringing legal action to your doorstep. Non-compliant businesses should also be prepared to handle class-action lawsuits for statutory damages ranging from $100 to $750 per violation, or actual damages — whichever is greater. That being said, the CCPA still grants companies a 30-day grace period to resolve violations if at all possible.
For especially severe violations, The GDPR sets forth fines of up to 20 million euros in the case of an undertaking or up to 4% of the company’s total global turnover of the preceding fiscal year — whichever is higher. Less severe violations can still be fined up to 10 million euros. Company websites can be “caught” and punished in various ways, such as a proactive inspection conducted by independent data protection authorities, customers, an unsatisfied employee who complains to authorities, revelations made by investigative journalists, or even an accidental self-denouncement made by the company in question. You can view all of the data controllers and processors who have already been fined and penalized since the GDPR legislation went into effect via the GDPR Enforcement Tracker.
How Can I Meet the CCPA’s New Compliancy Standards?
If you have taken measures in the past to become GDPR compliant then the good news is that you have already completed over half of the work that needs to be done to meet CCPA standards. Outside of GDPR standards, here’s what else needs to be updated on your website:
Ease of Opting-Out
The language on your website’s opt-in/opt-out checkbox (GDPR compliant websites will already have this set up) now needs to be updated to meet CCPA requirements for both adults and children. Opt-out check boxes must be added any and everywhere data is collected on the website.
Answering Requests for Personal Information
If your company does not already have procedures set in place for your IT team to access personal information and subsequently respond to user requests for access to their own personal information; these protocols must be developed immediately. By law, users who request access to their own personal information must first prove their identification, usually via an email address or SMS message. Once their identity has been verified, users may request to have their personal information delivered electronically. They also then have the right to request for all of their information to be deleted from their records.
Updating Frontend & Backend Data Collection and Processes
On the front end, make sure you add a “Do Not Sell My Personal Information” link on your homepage that is easily accessible to any visitor (i.e. not inconspicuous). On the flip side, and related to the section above, a backend system must be created to verify the identities of anyone requesting user data.
The California Consumer Privacy Act is an active law that applicable businesses must comply with whether they are ready to or not. Non-compliance will put any company that does business with Californians and meets the above requirements at serious risk. Thankfully, DesignHammer's team of expert designers and developers are here to offer support to any businesses who are concerned about the recent CCPA legislation and want to learn whether or not it affects their website. If the CCPA does apply to you, take solace in the fact that DesignHammer offers simple CCPA and GDPR compliance solutions for business websites and can make your website compliant in no time.