Why the CCPA Doesn’t Go Far Enough

For the uninitiated, the California Consumer Privacy Act (CCPA) is the state’s newly passed data privacy legislation. The legislation is the first of its kind in the United States, and it’s certainly a massive step forward. It gives Californians an unprecedented amount of control over how businesses use their personal data. To summarize quickly, the initiative made it so that Californians can now find out which of their data points are being collected, they’re given the right to opt in or out of selling that data, as well as the right to sue companies who fail to protect their data. This legislation is a sign of great progress, but the reality is that the bill as it currently stands is a somewhat watered down version of what it once was.

california congress building

Between when the initiative was introduced and when it passed into law, more than 20 bills were introduced to amend the law. Due to lobbying by a variety of deep-pocketed corporate interests, a select few of these amendments went through. Fortunately, the bill still grants Californians the rights to access their data and opt-out of sales. But a key non-discrimination provision was nixed, one that barred companies from charging you more or denying access if a user asks them not to sell personal information. That means that corporations could potentially penalize users for seeking out their data. Another important aspect of the law, which gave individuals the ability to sue corporations if they ignore data requests, was promptly removed from the legislation as well.

Perhaps more importantly, the state’s ability to enforce the rights people do have were severely declawed throughout the legislative process. When the CCPA was first introduced as an initiative, it gave citizens that power to sue companies that violated their rights, with additional support from the state’s attorney general, district attorneys, and city attorneys and prosecutors. As a piece of legislation, now only the attorney general can enforce the CCPA. And considering the high volume of cases that pass through the attorney general’s office, and the backlog of lawsuits this creates, the office predicts that they’d only be able to bring three enforcement actions to the table a year. The office simply doesn’t have the means to truly enforce the bill.

On the bright side, the fight isn’t over. Legislators are still working to amend and strengthen the bill. In late February 2020, a slew of modifications were passed into law. One key modification, for example, clarifies the definition of “personal information.” If the data can be linked to a consumer or household, it fits the classification. One modification added more details around submitting data download and deletion requests, while another specified how businesses must make present the opt-out feature on their sites. The law now specifies that “… a business shall not utilize a method that is designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt-out.” If this momentum continues, the bill could very well get back to its original scope. But it’ll be an uphill battle undoubtedly, and one that deserves our attention.