Why in news?
California’s new privacy law, the California Consumer Privacy Act (CCPA), recently went into effect.
What does the Act aim at?
- The Act gives Californians new controls over how companies use their data.
- These controls include -
- the right to access the data
- the right to ask for its deletion
- the right to prevent its sale to third parties
- Significantly, because of the global nature of the Internet, these changes will affect users worldwide.
What rights does the CCPA give Californian users?
- The users will have the right to see what personal information businesses collect about them, and the purpose and process of the collection.
- [Personal information refers to any information that can be linked back to the user.]
- Users can request and view what inferences the businesses make about them.
- They also have the right to see details about their personal information being sold or given to a third party.
- Users can make businesses delete their personal information, and opt out of having their data sold to third parties.
- The law lays out some exceptions too.
- These include information necessary for completing transactions, providing a service, protecting consumer security, and protecting freedom of speech.
- Users can get a copy of the collected personal information for free.
- Parents have to give permission to companies before the companies can sell the data of their children under the age of 13 to third parties.
Which companies does the law apply to?
- The law only applies to businesses -
- with gross annual revenues of more than $25 million
- that buy, receive or sell the personal information of 50,000 or more consumers in California
- that derive more than half of their annual revenue from selling consumers’ personal information
- The law applies to businesses collecting information of Californians and not just to businesses that operate in the state.
What will the implications be?
- Unintentional noncompliance will lead to fines of $2,500 per violation.
- Intentional noncompliance will attract a penalty of $7,500 per violation.
- Some studies estimate it will cost businesses $55 billion to initially meet the standards.
- Of this, $16 billion is expected to be spent over the next decade.
- Reportedly, the law protects $12 billion worth of personal information that is used for advertising in California every year.
What has changed in practical terms?
- The law went into effect on January 1, 2020.
- The California Attorney General (AG) has not begun enforcing the act yet.
- The AG will be allowed to take action 6 months after the rules are finalised.
- At the very least, companies will need to set up web pages and phone numbers to take requests.
- Users also may begin to see a new button on websites stating “Do Not Sell My Personal Information”.
- Several large companies have set up new infrastructure to comply.
- Google launched a Chrome extension to block Google Analytics from collecting data.
- Facebook has said that the law does not apply to them since they do not “sell” data, and that they already have features that comply with the law.
How does this affect non-Californians?
- Primarily, even Indian companies that have customers in California would have to comply with the law.
- Many firms are finding it easier to make the legal changes for all users rather than trying to distinguish users from California.
- E.g. the European Union’s General Data Protection Regulation (GDPR) too, shifted the entire Internet economy, not just that of the EU
What are the concerns?
- The Act gives users the right to stop the selling of their data, but not the collection of their data.
- So, this regulates the data broker system.
- However, it does not do much to affect companies like Facebook and Google that make most of their money by collecting the data, not by selling it.
- Advertisers pay Facebook to target ads to users based on that data; they do not pay Facebook for the data itself.
- Also, the Act seems to place the burden of navigating this complex economy on users.
- There are also concerns that many of the provisions are vaguely worded.
- E.g. the Act leaves concepts such as “third-party sharing” or “selling” to interpretation
- Also, compliance challenges are expected to be greater with CCPA than with the GDPR.
How does this differ from India’s proposed data protection bill?
- Several of the rights discussed above are also in India’s Personal Data Protection Bill.
- These include the right to access a copy of one’s data, and the right to deletion.
- India’s bill goes further in some regards, including the right to correction.
- However, India’s bill is more focused on users’ rights over collections.
- On the other hand, California’s act is focused more on the third-party sharing and selling of a user’s data.
Source: Indian Express