The California Consumer Privacy Act and Why You Must Still Keep Control of Your Personal Information

If you live in California or elsewhere in the United States, you may have heard of the California Consumer Privacy Act (CCPA). You might not have read the legislation or our take on it for businesses, but you may have seen CCPA mentioned on websites you access. So, what exactly does CCPA mean for you?

CCPA Benefits You 

If you are a resident of California, this regulation directly benefits you in three ways:

  1. You can decide whether businesses can sell or share your information. 
  2. You retain control over your personal information once a business collects it. 
  3. Businesses are required to safeguard your personal information.

CCPA puts you in charge of your personal information and gives you these four rights:

  1. The right to know, through a general privacy policy, what personal information a business has collected about you, where they sourced it, what they’re using it for, whether they’re disclosing or selling it, and to whom they’re disclosing or selling it.
  2. The right to opt out of allowing a business to sell your personal information to third parties.
  3. The right to have a business delete your personal information upon request, with some exceptions.
  4. The right to receive equal service and pricing from a business, even if you exercise your privacy rights.

If you are not a resident of California, you may receive some indirect benefits if a business in scope of CCPA provides equivalent protections to all of its customers. CCPA is also being used as a benchmark for some other US state laws and, as discussion about national US legislation continues, CCPA is one of the reference points there as well.

But There Are Some Gotchas

You might think that because the Act has ‘Consumer’ and ‘Privacy’ in its title, you can feel an immediate level of comfort that your privacy will be protected everywhere you browse, shop, sell and socialize online. Sadly, this is not completely the case. CCPA is a good law for protecting consumer privacy and we’re better with it than without it. But CCPA isn’t perfect—laws and regulations never are.

Here are some examples of the fine print in the CCPA:

  • Not all businesses are covered. Smaller businesses or businesses holding smaller amounts of personal data are exempt. Registered data brokers (the engine room of surveillance capitalism) are exempt and there are over 300 of these registered in California.
  • Personal data such as healthcare and employee data are not covered by CCPA, although there is some existing protection under federal laws such as HIPAA.
  • Some businesses will wait to see how other companies adapt to CCPA and what actual enforcement results.
  • Some businesses may intentionally plan to do nothing, hope for the best, and throw themselves on the mercy of the regulators.
  • Enforcement will only be as good as the State of California is able to fund the agencies responsible for it. This is a typical practical limitation with privacy laws across the world.

Special interest groups were also successful in influencing a number of changes to the CCPA, which weaken the protection it provides. Some of these weaknesses are being addressed in amendments introduced in February 2020. These will hopefully make CCPA better for consumers, but imperfections will always remain.

You Still Have a Role to Play in Protecting Your Personal Information

As you can see, CCPA and other privacy laws help to protect your privacy, but the protection is not perfect, so you still have a role to play. Exempt or negligent businesses will still lose and misuse our personal information. Your view of an ideal privacy law may differ from your government’s view. You still need a ‘personal privacy toolkit’ to stay in control of your personal information, which could include:

  • MySudo to create and use different digital identities with phone and video calling, email and virtual cards, where your legal identity is not required
  • Password Managers to help you use strong, unique passwords for every site that you access
  • Multi-factor authentication solutions for your most important accesses, such as online banking. (You could use your MySudo telephone numbers or a one-time password function built into your Password Manager.)
  • Virtual Private Networks (VPN) to keep your network traffic private from your ISP while at home or from strangers on Wi-Fi hotspots when you are elsewhere.

Perhaps as importantly, you could support businesses that support your privacy and withdraw your support for those that don’t—nothing makes a business pay attention more than its bottom line. Where necessary, consciously choose your own compromise between privacy, cost and convenience.

The Future

Years from now, wouldn’t it be great to reflect on this period as a time when fair balance was established between your privacy rights and a productive environment for businesses? We are not there yet. CCPA and its amendments help. A US national privacy law, if enacted, could help further. But you’re still going to need your personal privacy toolkit.