This week I’ve been following up on looking into the CCPA, or California Consumer Privacy Act. Quick intro: the CCPA is a law that came into effect in California on January 1st, 2020, which addresses data security with regards to companies that collect and sell user data. There is a cheatsheet provided by the California government which summarizes the law, available at the end of this post.
Essentially, what it boils down to is pretty similar to the GDPR, the European Union’s data privacy regulation which took effect in May of 2018. California consumers have the right to know what data is being collected, the right to have that data removed from records, the right to know what sorts of companies are buying their information, the right to tell people not to sell their data, and the right to not be retaliated against for exercising any other rights granted by the CCPA.
The laws also only apply to certain businesses (specifically, ones that meet certain thresholds for revenue or user traffic), and they only apply to the sale of data. That’s caused some concern, since companies like Google and Facebook technically don’t sell their users’ data: they sell access to their users, based on the data they have on file.
The laws also only apply to for-profit businesses, which means that non-profits which operate in California and might otherwise meet the CCPA’s criteria are not subject to those regulations; however, if they do business with for-profit institutions that involves user data, they may still have to comply with the CCPA.
While I looked into the CCPA’s effect on for-profit institutions that work with higher education, such as ProQuest and Elseviere, I couldn’t find an official statement from those companies. I did, however, find a cybersecurity law report published by Elseviere. This report mostly touches on those facts already stated earlier, but also makes a point of emphasizing that the CCPA has defined ‘personal information’ in a much broader way than the GDPR, or any other current privacy regulation.
Going forward, it’s not clear what the ramifications of the CCPA will be. Some people claim it goes too far; others are worried that restricting only the sale of personal information doesn’t go far enough, and won’t actually protect people’s privacy. California tends to be a trendsetter where state legislature is concerned, however, so I’ll be looking into other potential privacy bills and seeing where we’ll be going from here.
- CCPA Fact Sheet: https://oag.ca.gov/system/files/attachments/press_releases/CCPA%20Fact%20Sheet%20%2800000002%29.pdf
- California’s new privacy law explained: https://www.vox.com/recode/2019/12/30/21030754/ccpa-2020-california-privacy-law-rights-explained
- Stanford’s CCPA policy: https://uit.stanford.edu/CCPA-Policy
- Privacy Cybersecurity Law Report: https://www.perkinscoie.com/images/content/2/1/v3/217446/Privacy-Cybersecurity-Law-Report.pdf