Taming the Wild West? California’s Consumer Privacy Law
Kurt Hornburg, March 5th, 2020
The groundbreaking California Consumer Privacy Act (CCPA) went into effect on 1st January 2020. What is remarkable about this law is not just that it is happening in the US, often characterized as lacking good privacy standards, but that it was initiated in California (CA), home to many of the world’s largest tech firms. What happens in CA matters: as the world’s 5th largest economy, it affects not only every other state but also any company in the world that does business in CA. Many US tech firms, which are leaders in AI, will take the decision to roll out compliance throughout the US; Microsoft has already announced its plans to roll out the CCPA nationally. (Source: Brull, Julie. Microsoft 2019 Nov. 11) https://blogs.microsoft.com/on-the-issues/2019/11/11/microsoft-california-privacy-rights/
The law applies to an extensive range of companies based on a number of criteria: any business with a minimum of $25k in revenues, any business with a 50k customer base, or any business that makes over 50% of its profits from selling customer data. Businesses which process personal data for more than 4 million customers will have additional obligations. Companies have a 6-month grace period before the law will be enforced.
The GDPR created a world-class standard which is being used as a benchmark regulatory framework, and observers have recognized many areas where the two laws are in alignment. The GDPR has raised awareness of data privacy and helped expose firms’ abuses in their handling of personal data: 250,000 formal complaints have been lodged based on provisions in the EU law. (Source: “Companies should take California’s new data-privacy law seriously”. The Economist 2019 Dec. 21).
One of the most far-reaching aspects of the CCPA lets individuals opt out of the sale of their personal information. The provision mandates that firms include a “Do Not Sell My Info” button or link on their website or mobile app. This appears to be much simpler than the GDPR implementation, which requires the user to navigate through confusing privacy settings. Companies also have to provide you with all the personal data they collect on you, at your request and at no cost, up to 2 times per year.
Another major provision of the CCPA is the law’s definition of personal data; most interpretations include IP, network, biometric, location and employment data, and inferences drawn from this data. The CCPA definition of personal data is much broader than that in the GDPR; however, the Final Amendments approved in November 2019 subtly modified the provision by adding the word ‘reasonable’:
Section 1798.140 (o) (1): “Personal information” is anything that “identifies, relates to, describes, or is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”.
(Source: California Consumer Privacy Law https://www.oag.ca.gov/privacy/ccpa)
This amendment may have been made to address the concerns of firms which process large volumes of de-identified data for AI applications. A further amendment, AB 874, clarifies that ‘personal information’ does not include de-identified or aggregate consumer information.
Some observers have suggested that, “California’s law is the biggest U.S. effort yet to confront surveillance capitalism”. (Source: “California is expanding digital privacy”. CBS News 2019 Dec. 30). https://www.cbsnews.com/news/ccpa-california-consumer-privacy-act-california-vastly-expands-digital-privacy-will-people-use-it/
This underestimates the deeply entrenched predictive products which can be derived from ‘behavioral surplus’, as described by Shoshana Zuboff in her 2019 book, “The Age of Surveillance Capitalism”. The CCPA is not likely to deter Google, Facebook and others from using behavioral data to develop sophisticated AI predictive products.
However, the CCPA does include text which specifically defines ‘inferences drawn’ from personal data as a category of personal data. Therefore, inferences made using AI techniques are subject to the consumer’s ‘right to data access’ and ‘right to disclosure’. On this point, the CCPA appears to provide stronger protection than the GDPR. Professor Sandra Wachter, in her research at the Oxford Internet Institute, argues there should be more emphasis on assuring transparency and fairness when AI is used to make automated decisions about humans: because of the “novel risks of inferential analytics”, the current regulations provide limited transparency and accountability. https://www.oii.ox.ac.uk/research/projects/ai-and-the-right-to-reasonable-algorithmic-inferences/?overview
The impact of the ‘Do Not Sell My Info’ opt-out and the broad definition of personal data might be significant, depending on the interpretation of the courts. Under the GDPR, customers must opt in to cookies when they use a service, which is a narrow restriction when compared to the CCPA ‘Do Not Sell My Info’ opt-out. The CCPA opt-out is a more powerful privacy protection for the consumer.
Privacy ‘informed consent’ is usually presented as an ‘all or nothing’ proposition. Many consumers find sharing data to receive discounts on their favorite products acceptable. However, when insurance companies use non-transparent ‘black box’ algorithms to make automated decisions on eligibility and rates, customers may find it unacceptable. How the fluid concept of privacy is handled under the CCPA will determine whether it addresses consumer concerns. Firms, especially financial and insurance companies using AI techniques, should address these transparency concerns even if it isn’t explicitly required by data regulations.
Another amendment, AB-1202, requires data brokers to register with the CA Attorney General. This amendment provides more transparency than the GDPR. Data brokers are companies which trade in third-party data, defined as personal information collected by firms that do not have a direct relationship with the consumer. The GDPR does not require companies to name the data brokers or other firms with which they share personal information. Under GDPR obligations, firms must disclose with whom they ‘share’ personal data, but vague and opaque answers are usually provided, such as ‘marketing, IT, research firms and partners’.
A similar data broker registration provision enacted in the state of Vermont provided a rare glimpse into the flourishing business of trading personal data: it resulted in 121 firms registering. (Source: Steven Melendez and Alex Pasternack. “Here are the data brokers quietly buying and selling your personal information”. Fast Company 2019, Feb. 02.)
US Senate Democrats recently unveiled their proposed privacy legislation, the Consumer Online Privacy Rights Act (COPRA), a comprehensive bill which echoes the CCPA and would provide, if passed, a federal or national baseline for data privacy. (Source: https://www.cantwell.senate.gov/news/press-releases/cantwell-senate-democrats-unveil-strong-online-privacy-rights 26.11.19)
Comprehensive regulatory frameworks are needed to ensure AI services are transparent, accountable and non-discriminatory. It is unlikely that the Trump Administration will be able to modify or water down the CCPA with the current divided US Congress, nor would the Democrats be able to pass their data privacy bill this year, so the most likely chance for federal regulation is in 2021.