The Great Hack, a documentary about data rights in the U.S., is available to watch on Netflix this week. It's receiving polarized reviews but not in the way you might think. It's kindled a conversation long overdue in the U.S.
So, it's a good time to chat briefly about the CCPA.
On June 28, 2018, Governor Brown signed Assembly Bill 375, now known as the California Consumer Privacy Act of 2018, which grants consumers new rights with respect to the collection of their personal information.
Every US citizen should at least be somewhat familiar with the California Consumer Protection Act (CCPA), which goes into effect in January 2020. This affects companies that collect information about us, sure, but not as much as it impacts each of us as individuals.
The CCPA is responsible for the development of similar legislation in states across the country. We might expect the entire US to provide some data protection laws for all citizens, regardless of what state they live in, before too long.
Illinois is already there, and the 2008 Biometric Information Privacy Act (“BIPA”) is having a substantial impact on businesses seeking to introduce facial recognition technology by regulating the collection, use, and sale of our biometric data, including facial and/or retinal scans, their geometry, and also fingerprints. BIPA creates compliance requirements for all companies that collect, store, and use biometric data of consumers in Illinois.
In general, BIPA requires written consent prior to the collection of facial and/or retinal scans, fingerprints, and other types of biometric data, and prohibits sharing of that data. BIPA allows consumers to enforce it through class action lawsuits, and there's been a dramatic increase in BIPA class action litigation following the January 2019 Illinois Supreme Court ruling in the case of Rosenbach v. Six Flags Entertainment Corp. This ruling sets the precedent that a person need not allege or prove any injury beyond a violation of their rights under BIPA to be eligible to sue for damages.
BIPA has inspired other states to develop similar legislation, including Texas, Hawaii, Alaska, and more.
These are among the first cases in which Americans have been offered any rights to protect the personal information that companies up to now have bought and sold without any regard for the ownership rights of the people it belongs to.
This is why the CCPA is a small step but a significant one that does more for protecting privacy in this country than anything that's been done so far:
The CCPA gives Californians the right to:
- Know what personal information is being collected about them.
- Know whether their personal information is sold or disclosed and to whom.
- Say no to the sale of personal information.
- Access their personal information.
- Receive equal service and price even if they exercise these rights.
Who Does the CCPA Apply to?
The CCPA will apply to any business that operates in California (whether it is a California-based business or not).
What's “Personal Information”?
Personal information includes obvious things such as names, addresses, SSNs, and email addresses. However, the CCPA also includes geolocation, IP addresses, shopping history, browsing history, psychological profiles, behaviors, attitudes, consumption behaviors, and consumer preferences.
What's The Right to Opt Out?
As consumers, we now have the right to opt out of a business selling our information. This also includes businesses that currently sell information to other businesses. They will no longer be able to sell customer information after they acquire it unless they have permission from each customer and only after each customer has received a notice and an opportunity to opt out of the sale.
What's The Right to Access?
We can request access to the personal information that a business has collected about us. For example, we can ask what information a business has collected on us and they're required to disclose exactly what information was collected. If they don't comply within 30 days, they're fined.
What's The Right to Delete?
We can request to have our information permanently deleted and businesses must comply, with some exceptions, such as financial transactions, security incidents, errors, free speech, and fair use in compliance with various other data protection laws in the contexts of research, internal uses, and legal compliance.
Opt-in for Kids - finally!
Businesses will be required to get the approval or opt-in for children under 16. For children under 13, the opt-in must be granted from a parent or legal guardian. COPPA is still in effect, too, which provides that businesses need to ask consumers if they're under 16. Now, anyone under 16 will have to opt in before data is collected from them whereas before there were no controls in place.
The Right To Say "Do Not Sell My Personal Information"
What are the penalties?
As of this writing, the CCPA can enforce fines up to $7,500 per incident/individual, meaning that a violation that affects 100 people's data may cost the business involved $750,000.
The Great Hack
This documentary is a nice overview for everyday folks of some of the events that inspired and led up to the creation of the CCPA. It's mandatory viewing for the entire family on why, more than ever, we all need to care about our right to privacy:
The dark world of data exploitation through the compelling personal journeys of players on different sides of the explosive Cambridge Analytica/Facebook data scandal.