California’s Consumer Privacy Act (CCPA) is notable for being the first data protection legislation introduced in the United States that has clearly been influenced by the European Union’s General Data Protection Regulation (GDPR). It is also notable the the state’s legislature passed CCPA unanimously and it will come into operation from 1st January 2020, a relatively quick implementation period compared to the lengthy gestation and transition period allowed for GDPR.
So why was California in such a hurry to update its existing privacy laws and how did something that has a very European flavour get passed in the heartland of the tech giants that GDPR so clearly had in its sights? “There was increasing interest among consumers about giving companies their data and how it was being used which gave the issue some urgency,” noted Elizabeth O’Callahan, VP legal for NetApp in an interview with DataiQ. Perhaps more pressing was the move by a number of lobby groups and privacy organisations to put a ballot item in front of voters when Californians vote in the November mid-term elections. With over 500,000 signatures already on that motion, it was clear there was a need to act.
“Legislation can be put forward by ballot, but to amend something passed into law that way needs another ballot,” pointed out O’Callahan. To avoid this risk of privacy by plebiscite, the state legislature decided it would be better to draft a new law and put it through the conventional channels. It was signed into law two days later by the state’s governor on 28th June, triggering the countdown to becoming operational 18 months later.
As is often the case with laws in the US, amendments have already been made, although chief among those made on 31st August was to make it clear that the law is already in effect, just not operational. This prevents localities from introducing their own privacy laws that might conflict with CCPA.
"CCPA is modelled on GDPR, but it is not as thorough.”
Comparisons with the preceding law or even GDPR are not entirely relevant, according to O’Callahan. “CCPA is brand new legislation compared to the partial laws it takes over from. It is more comprehensive and is modelled on GDPR, but it is not as thorough.”
While the EU Regulation is about balancing the legitimate, public, emergency or contractual reasons why organisations need to process personal data against the consumer’s rights, the CCPA (caprivacy.org) starts from the proposition that, “your personal information is being sold to companies you don’t even know exist.” That sets a consumer-first tone which might seem surprising in the context of the heartland of tech and digital platforms, but is fully in line with the consumer advocacy approach found in America since 1959 when Ralph Nader first warned about the hazards of how motor cars were being manufactured (an issue he continues to campaign around on nader.org).
So Californians can now find out all the data being collected on them, twice a year for free, creating a more structured, cyclical approach to disclosure than the perpetual Subject Access Requests granted to Europeans. This is bounded by the right to opt-out and to delete data that has been posted. Other key rights cover information security, freedom from discrimination based on disclosed personal data, and disclosure of the categories of third-parties to or from which data is shared.
"For companies interested in privacy, CCPA is not a big issue."
Despite seeming to run counter to the data harvesting practiced in Silicon Valley, O’Callahan says that, “for companies like us that have been interested in privacy, particularly in dealing with the impact of GDPR, CCPA is not a big issue.” But she adds: “For others, it will be.”
She believes the introduction of the Act in California is likely to trigger similar legislation elsewhere in America because companies trading across the nation will not want to work to two different standards. “It has the opportunity to be a model at state level, although it remains to be seen if there will be a consensus around it and even at a federal level - that is not a given,” she said.
California differs in many respects from other US states, not least in being the biggest economically (it is actually the sixth biggest economy worldwide in its own right), but in being home to both idealists and innovators who can be simultaneously at opposite ends of the political spectrum and in close agreement about the benefits of what they do to individuals.
By getting ahead of the curve - or catching up with the EU, depending on your perspective - California is simply doing what is voters have been demanding of it. Embracing that trend should be seen as a positive act, argues O’Callahan: “Anything that can enhance consumer privacy rights and puts the emphasis on the need for companies to manage data should be viewed as an opportunity to improve the business in our view. It is very similar to GDPR in that respect.”