We explore the actions US residents can take in light of the California Consumer Privacy Act (CCPA), the first major US data privacy legislation, particularly, but not solely, if they are residents of California (CA).
The steps we have outlined so far in several posts can reduce the amount of personal data collected going forward, but do nothing for the likely massive amount of data already collected about all of us over years. There is a growing body of thought that some data privacy legislation is needed to help consumers discover what has been collected about them and to enable them to request that personal data be deleted.
California’s CCPA is the first US comprehensive data privacy legislation
As the first such initiative in the US (Europe began enforcing its General Data Protection Regulation or GDPR in 2018), CA passed the CCPA, which just went into effect in January 2020. It provides CA residents with certain rights to know what data is collected by companies and to request that they stop selling and/or delete personal data. Details of the CCPA data privacy legislation have been published widely. Examples of resources that will tell you more are as follows, ranging from the detailed legislation on CA’s official site, to a succinct summary on Wikipedia, to several excellent articles on the impact of the new law in leading newspapers and journals:
Wikipedia’s California Consumer Privacy Act
New York Times’ How California’s New Privacy Law Affects You
Forbes’ CCPA Is A Win For Consumers, But Businesses Must Now Step Up On CX (customer experience)
CCPA Key Provisions
The key provisions allow CA consumers to
request a copy of personal data collected
prevent the further sale of personal data
request that personal data be deleted
gain special protections for children
Compliance is demanded of companies above certain designated thresholds of revenue or users, so small businesses are not burdened with this cost for now.
Why you should care if you live in a different US state
Although strictly for CA residents, many major companies, though not all, are applying the same privacy provisions to users not in CA, either for altruistic or PR reasons, or simply because it is less hassle to have one uniform policy rather than separate procedures for CA and non-CA residents, or perhaps because personal data is not a major source of revenue for them anyway. The Washington Post article cited above lists some major companies that offer CCPA rights to all users vs. those that do so only for CA residents.
Benefits and challenges of this data privacy legislation
This legislation, in our view, balances consumer rights to privacy vs. placing a reasonable burden on larger companies, so as such, it is as an important step forward. There are, however, several challenges to users and companies alike:
they need to institute procedures to process requests for personal information collected and to delete personal data upon request, which comes at a cost that will ultimately be passed on to everyone
those whose business model depends on selling or utilizing personal data may have that source of revenue impacted and may need to modify those business models
companies' compliance with the new legislation is not yet a clear, mature concept; for example, some companies are pushing back on the interpretation of “sale of personal data” (e.g., does utilizing the data to serve third-party ads in a more targeted way constitute “sale of personal data?”)
users need to contact each company separately, filling out provided online forms for some and writing your own email message to others (see the New York Times article cited above for a sample letter CA residents could write)
some companies may comply with respect to CA residents only
the Washington Post article (cited above) documents companies that send you too little information about what they have collected, while others dump way too much
instructions on how to download the personal data collected about you or to request its deletion can be obscure
Despite these challenges, we believe it is worth your while, particularly for CA residents, to start by writing to request a copy of personal data collected. We suggest you start with the company websites that you use the most. For non-CA US residents, we suggest you start with those you use that are cited in the Washington Post article as responding positively to all users.
The CCPA is important privacy-rights legislation in the US. We advise the following:
Go to each website that you use, with priorities as delineated in the previous paragraph for CA and non-CA residents above
If you cannot find a website form, then write an email requesting a copy (see sample letter in the NY Times article cited above) for CA residents
For US residents not in CA, start with companies cited in the Washington Post article that accommodate non-CA US residents
Also, consider a letter to your congressional representatives advocating for a national privacy act along the CCPA lines (There are several initiatives in Congress, about which we may write more in a future post).