Consumers in the US already have the right to say and believe what they want. But, under new California regulations effective January 2020, residents in that state will soon have the right to forget what they want, too.
The California Consumer Privacy Act—or CCPA—is among the biggest overhauls of US consumer security policy in decades. Under the law, individuals enjoy much more latitude in deciding how their data is collected and used. This new law could have a profound impact on businesses, though, even those outside of California.
The CCPA: Explained
The California Consumer Privacy Act is like the state’s own version of the General Data Protection Regulation, or GDPR, implemented by the EU back in May 2018. Unlike the GDPR, the new law does not give consumers the right to opt out of data collection entirely. However, they will have oversight regarding what data is collected and how it’s stored.
Most importantly, consumers can demand that businesses delete any of their personal information at any time. This is what European lawmakers referred to as a “right to be forgotten” when drafting the GDPR.
The CCPA is a complex piece of legislation. However, there are three key concepts to keep in mind when thinking about the law’s purpose and intent:
#1. Informed Consent: Businesses should get consent from consumers to use their data. Consumers have the right to know what is being collected about them, how it is stored, and who has access to it.
#2. Right to Erasure: Businesses shouldn’t hold on to data longer than necessary. Thus, consumers can request that their data be destroyed at any time, for any reason. That means businesses must know exactly where every piece of personal data is stored at all times.
#3. Privacy by Design: Businesses should integrate privacy best practices into every facet of their organization. Default privacy settings must be stringent, and businesses should disclose any breach of data security as soon as possible.
When EU policymakers adopted the GDPR, they meant it to be a paradigm shift in how we both use and think about data. The CCPA takes up that goal and refines it. For example, unlike the GDPR, the CCPA doesn’t require businesses to ask for explicit consent before collecting customer data. However, it does apply to a broader scope of data, including IP address, browsing or purchasing history, profile information, or even data extrapolated from users’ behavior.
Why the CCPA Matters
As mentioned before, the California Consumer Privacy Act has the potential to impact any business.
“But I’m not based in California,” one might argue. That doesn’t necessarily matter; under the state’s tax laws, online businesses with no physical presence in California, but that do business with individuals in the state, might still be subject to it. Of course, the Attorney General of California has yet to issue full guidelines on the finer details of the legislation. For now, though, it’s possible that if a business possesses any data collected from a person in California, the CCPA as drafted could apply. Thus, the options seem to be:
- Comply with the law.
- Decline any traffic from the state of California.
Given there are about 40 million consumers in California, the first option seems like a more reasonable course of action. Plus, as the largest state in the US and the fifth-largest economy on Earth, California tends to set the pace of regulation throughout the country. Other states, or even the federal government, will probably follow suit eventually now that California has implemented these rules.
There was already interest in expanding the GDPR to new markets from both governments and businesses anyway. For example, Facebook announced they would be enforcing the policy globally in the wake of the Cambridge Analytica scandal.
Remember: this is not just another minor policy update. The impact of legislation like the CCPA and the GDPR is far-reaching. In fact, the privacy rule overhauls will fundamentally change the dynamic of the retail market... and not always for the best.
Why the CCPA Could Be a Problem
Rollout of the California Consumer Privacy Act will probably have a lot of qualities in common with the EMV liability shift in the US; specifically, I’m talking about inconsistent application, confusion, and increased risk exposure for retailers.
We will have incomplete data under the CCPA, as consumers can arbitrarily demand that organizations erase certain information. This complicates the process of identifying developing trends and threats, both on the individual level as well as industry-wide. In turn, this makes it hard to deploy targeted solutions or develop useful strategies to mitigate loss.
While customers have more control over their data, that won’t help much to eliminate fraud in the short term. Plus, criminals are resourceful; by the time the broader impact of these data restrictions produces any tangible effect, fraudsters will have already discovered workarounds to keep stealing data and perpetrating fraud.
The CCPA isn’t necessarily a bad thing. After all, ensuring data security should be a priority for any business. In its current form, though, this legislation places a heavy burden on businesses for protecting data, without offering much in return.