The Right To Be Forgotten: New California Law Aims To Protect Consumers From Online Data Collection

Image via securityboulevard.com

Using the Internet is a daily habit for millions of individuals in our high-tech society.  Countless activities can be done online, such as sharing photos on social media sites, shopping, and reading news from around the world.  Many use the Internet for work, or to conduct mundane activities to pass the time.  The Internet has become such a major facet in our society that according to Pew Research Center approximately ninety percent of adults in the United States used the Internet in 2019.  While the Internet functions as a source of information from around the world right at a user’s fingertips, it also contains a treasure trove of data.

Tech Companies Track How Users Utilize The Internet

On a multitude of websites, Internet users are required to input some of their personal information in order to access the webpage they seek to use.  For example, when creating an account on social media sites, users must provide their name, age, and email address (among other demographic information).  However, a company’s access to a user’s personal data extends far beyond that.  Natasha Singer of the New York Times explains that tech companies track how users (and even non-users) utilize the Internet, including online activity outside of the company’s website.  This information is stored and can be used for any number of purposes but is predominantly used for marketing.   Some companies even buy or sell personal information of their users.  This practice nets corporations, such as Facebook, a large portion of their multi-billion-dollar revenues every year.

However, corporate stockpiling of users’ personal data, coupled with uncertainty over how tech companies use this data, has led to questions over whether the federal government will regulate this practice.  In 2018, Facebook CEO Mark Zuckerberg faced a plethora of questions from Congress on Capitol Hill.  Lawmakers grilled Zuckerberg on a variety of topics ranging from Facebook’s handling of users’ personal information to potential regulations of technology companies.  Despite the high-profile nature of the event, no meaningful, federal legislation stemmed from the hearings.

Action At The State Level

Later that year, the California state government took the issue into its own hands.  The state legislature passed, and then-Governor Jerry Brown signed into law, the California Consumer Privacy Act (CCPA), which provides for a wide range of online rights for residents of the state.  The Act grants Californians the right to know how their online personal information is handled, including what is collected and whether it is used, shared, or even sold.  Furthermore, California residents have the right to request the deletion of any personal information that a company may have.  Additionally, the new law gives residents the right to direct a business to stop the sale of their information.  Finally, the legislation provides that those who take advantage of the rights given under the CCPA cannot be discriminated against for doing so.

What Constitutes Personal Information?

The issue then turns to, what constitutes personal information?  Luckily, the CCPA provides an expansive definition. The language of the statute dictates that personal information includes– but is not limited to– any information that can identify, relate to, describe, or can reasonably be linked with a specific individual or household.  This definition includes individualized information like names and Social Security numbers, but also extends broadly to data like employment and search histories.  The statute also outlines exclusions for information that is publicly available, deidentified information, and aggregate consumer data.

Not all businesses in California are subject to the CCPA.  The Act sets forth specific requirements that prescribe which businesses the law applies to.  A business is subject to the CCPA if it has a gross revenue of more than twenty-five million dollars, or partakes in the buying, receiving, or selling of personal information of 50,000 or more consumers or devices, or derives at least half (fifty percent or more) of its yearly revenue from the sale of consumer personal information.  If a business meets any one of these thresholds, the CCPA is applicable to them.  In Silicon Valley, maybe the most prominent tech-centered region in the country, the new law could have a major impact for the approximately 2,000 tech companies located there.

How Does The Act Define the Collection And Sale Of Personal Information?

One crucial facet of CCPA enforcement is how the Act defines the collection and sale of personal information.  “Collection” under the law includes buying, renting, gathering, receiving, or even having access to personal data.  Furthermore, a business “collects” information for purposes of the Act even if the business is only acting passively, which would include the online monitoring or tracking of individuals.  Moreover, the CCPA describes “selling” beyond the conventional sale or rental of personal information.  Disclosure or communication of personal information by any means also qualifies as “selling” under the law.  However, no matter what method a business uses to obtain a consumer’s personal information, monetary or some other form of valuable consideration must be exchanged for the transaction to constitute a sale.

There Are Several Major Exclusions To CCPA Enforcement

The CCPA provides a major exclusion from enforcement for businesses if the sale of personal information is for a business purpose.  Seven business purposes are enumerated under the Act. These business purposes embody the qualification that the selling of personal information must be “reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed.”  If a business can show that it meets one of the seven exclusions, the standards set forth in the CCPA do not apply.

For businesses that are not excluded from the CCPA, new obligations have been put in place.  First, consumers must be informed regarding the type of information that a business is collecting about them, as well as what the information will be used for.  Notice of this must be provided at or before the time the data is collected.  Second, businesses must create and implement procedures to respond to deletion requests from consumers.  Given that Californians now have the right to direct the deletion of their personal information and opt out of any sales of it, an efficient system for handling all consumer requests allows for expeditious action.

Implementation Of The CCPA Has Led To Backlash From The Private Sector

Implementation of the CCPA has not come without backlash from the private sector.  Many have already requested a delay in enforcement only a few weeks after the law went into effect.  Businesses claim that the statue is complex and has led to uncertainty in how to meet its standards. However, California Attorney General Xavier Becerra’s office has indicated that, because the CCPA is now effective law, compliance is expected.  Failure to comply with the statute will lead to monetary penalties in the amount of $2,500 per unintentional violation, and $7,500 per intentional violation.

Looking Forward To The Future

While the bill was signed into law in 2018, the CCPA did not take effect until January 1, 2020.  One month in, research indicates that not all Californians feel like their privacy rights are now better protected under the new law.  According to a recent study, over half of those who responded believe that smart home devices they own are still spying on them. Enforcement of the CCPA is still in its infancy but fears of invasion of privacy have not yet subsided in California.

Many More States Have Introduced Similar Bills

With growing concern over the management of consumer personal data, other states have attempted to pass legislation comparable to the CCPA.  Nearly half of the country has begun addressing this issue and have deliberated what action to take on this front.  While only a few states have actually passed legislation, many more have introduced similar bills.  At a minimum, consumer privacy rights regarding personal information has become a topic of discussion within state legislatures.  With the CCPA recently becoming effective, California may serve as an example for the rest of the nation.  The coming weeks and months of CCPA enforcement will be paramount to how California and the United States as a whole work to better protect the personal data of consumers.

Jordan Tehrani
About Jordan Tehrani (3 Articles)
Jordan is a third-year student at Campbell University School of Law and currently serves as a Staff Writer for the Campbell Law Observer. Originally from San Clemente, California, Jordan attended N.C. State University where he obtained his Bachelor’s degree in Environmental Sciences. While at Campbell Law, Jordan interned with the North Carolina Retaliatory Employment Discrimination Bureau. Jordan has also served as both treasurer and secretary of the Law Students Against Sexual Assault and Domestic Violence. He is interested in environmental law, intellectual property law, and public service.