The increasing scale of the digital economy has led to major concerns over consumers’ online privacy. As the quantity of personal data on the internet has ballooned, governments and regulators have struggled to keep up with the fast-moving technology industry. There have been concerns over both inappropriate data usage and corporate data breaches.1 Responding to these concerns, the European Union enacted a comprehensive consumer data privacy regulation, the General Data Privacy Regulation, (“GDPR”) which went into effect in May of 2018.2 California followed the EU’s lead in June of 2018 with its own set of digital consumer privacy regulations, the California Consumer Privacy Act (“CCPA”).3
The CCPA, set to go into effect in 2020, is a leading piece of consumer privacy regulation in the United States.4 While regarded as less strict than the European GDPR regulations, the CCPA creates numerous new rights for consumers and could restrict the activities of for profit businesses to store, process, and sell data.5 The CCPA establishes a strong framework for consumer privacy regulations, but it should be preempted at the federal level to avoid a patchwork of state and local regulations that could be confusing, contradictory, and difficult for companies to follow.
The CCPA applies to companies, called covered businesses, that have annual gross revenue of above $25 million, companies that buy, sell, or receive for commercial purposes personal data on over 50,000 consumers, or companies that derive over 50 percent of their annual revenue from selling consumers’ personal information to third parties.6 The CCPA offers four key rights to natural persons over their personal information: (1) the right to know, (2) the right to opt out, (3) the right to deletion, and (4) the right to receive equal service.7
The first right granted to consumers by the CCPA is the right to know.8 The right to know creates a mandatory disclosure regime on covered businesses.9 Consumers have a right to know what types of information has been collected from them, the specific information collected, who the information has been shared with, and the business or commercial purpose for collecting the information.10 Consumers will have a right to request this information through a reasonably accessible method.11
The second right granted to consumers under the CCPA is the right to opt out from the covered business selling the consumer’s information to third parties.12 The right allows consumers to order a covered business not to sell their personal information to a third party.13 For consumers under the age of 16, the right to opt out is reversed in favor of a right to opt in, which requires consumers between the ages of 13 and 16, or their guardians, to opt in to data collection and selling before a covered business may sell their personal data.14
The third right granted to consumers under the CCPA is the right to deletion of personal information.15 Generally, a business must delete a consumer’s personal information when requested by a consumer.16 There are, however, many exceptions to this requirement including retaining the information to exercise free speech rights, to use the information internally in a reasonable manner, and the use of the personal information to comply with legal obligations, among others.17
The final right granted to consumers under the CCPA is the right to equal service from covered businesses without regard to the consumers’ assertion of their rights under the CCPA. (Id. §3 1798.125. (a).)) Covered businesses are prevented from discriminating against consumers that invoke any of the above three CCPA rights.18 There is a specific carve out for allowing business loyalty programs, a business may offer such incentives if “directly related to the value provided to the consumer by the consumer’s data.”19
The CCPA enables the enforcement of consumer privacy rights through governmental enforcement and a private right of action.20 There is also a private right of action in cases of data breach where unredacted and unencrypted personal information is released without the consumers consent.21
The CCPA and GDPR have inspired other US jurisdictions to look more closely at implementing their own data privacy regulations.22 The possibility of multiple different data privacy regimes could be difficult or impossible for businesses to comply with. For instance, how would a state law framework handle the data a New Jersey citizen currently in New York whose data is stored and processed in Washington? Even if it were possible for a business to comply with all applicable laws, the costs could be prohibitive. To prevent a confusing patchwork of different regulations the federal government should implement one uniform standard of data privacy regulations for businesses and clear the field of state consumer data privacy regulations.
The CCPA offers a good starting point for future federal regulations to follow. The federal government should follow the idea of creations of rights for consumers instead of focusing on particular industry focused regulations. The consumer rights-based approach offers clarity due to the rapid changes in digital technology and trends in personal data collection. The identification of consumer rights offers a strong building block for continual consumer privacy protection even as data collection methods and practices continue to evolve in the future. Federal digital privacy rights could then be built on in the future as companies continue to create new ways to gather and use consumer data.
The enforcement mechanisms of the CCPA also offer a strong building block for future federal regulation. Allowing private and government enforcement of future digital privacy regulations will enable private citizens to police corporations more effectively than the government could alone. The ability for individuals to gain compensation for violations of their rights will create significant pressures on corporations to increase data security and privacy protections.
See Craig Johnson, Poll: Americans More Concerned with Equifax Data Breach than Facebook Scandal, Dayton Daily News (Apr. 12, 2018) https://www.daytondailynews.com/business/personal-finance/poll-americans-more-concerned-with-equifax-data-breach-than-facebook-scandal/j2AuAeT0YCn674l52URZyK/. ↩
2018 Reform of EU Data Protection Rules, EUR Union, https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en (last visited Dec. 2, 2018). ↩
Daisuke Wakabayashi, California Passes Sweeping New Law to Protect Online Privacy, N.Y. Times (Jun. 28, 2018), https://www.nytimes.com/2018/06/28/technology/california-online-privacy-law.html. ↩
See Kristen J. Mathews & Courtney M. Bowman, The California Consumer Privacy Act of 2018, Proskauer: Privacy L. Blog (Jul. 13 2018), https://privacylaw.proskauer.com/2018/07/articles/data-privacy-laws/the-california-consumer-privacy-act-of-2018/. ↩
See Id. ↩
California Consumer Privacy Act of 2018, AB 375 §3 1798.140. (c)(1)(A-C) (2018). ↩
California Consumer Privacy Act of 2018, AB 375 (2018). ↩
Id. §2. ↩
Id. §1 1798.100. (a). ↩
Id. §3 1798.110. (a). ↩
Id. §3 1798.130. (a). ↩
Id. §3 1798.120. (a). ↩
Id. §3 1798.120. (c). ↩
Id. §3 1798.105. (a). ↩
Id. §3 1798.105. (c). ↩
Id. §3 1798.105. (d). ↩
Id. §3 1798.125. (d)(2). ↩
Id. §3 1798.150. (a), 155 (b). ↩
Id. §3 1798.150. (a). ↩
See Jeewon Kim Serrato et al., US States Pass Data Protection Laws on the Heels of the GDPR, Data Protection Report (Jul. 9, 2018), https://www.dataprotectionreport.com/2018/07/u-s-states-pass-data-protection-laws-on-the-heels-of-the-gdpr/. ↩