The California Consumer Privacy Act, or CCPA, went into effect on January 1, 2020. The sweeping privacy law gives California residents new rights regarding the collection and sale of their personal data. According to the CCPA, those rights include:
- The right of Californians to know what personal information is being collected about them.
- The right of Californians to know whether their personal information is sold or disclosed and to whom.
- The right of Californians to say no to the sale of personal information.
- The right of Californians to access their personal information.
- The right of Californians to equal service and price, even if they exercise their privacy rights.
While the law won’t be enforceable until July 1, 2020 at the latest, it’s already posing many challenges to tech companies, specifically with regard to data management. Under the law, consumers can request a report showing all the data a business has gathered from them in the past 12 months.
This report is free of charge and must be turned over within 45 days of the initial request. For companies like Pasadena-based Spokeo, a people intelligence and search platform, the new regulations present a unique technical challenge: finding a single set of records among billions of others.
Spokeo is used by more than 15 million people a month to search for information on everyone from long-lost relatives and old friends to unknown callers and online sellers. Its millions of profiles are composed of data from more than 15 billion records, which are drawn from publicly available directories, indexes and databases.
“I think the first thing that companies need to do is to actually understand what data they have or what data they are collecting,” said CEO and Co-Founder Harrison Tang. “How do you tell users what data you have if you don’t even know yourself? It’s not that easy, especially for a company like Spokeo that’s dealt with a massive amount of data over the past over 10 years. There were a lot of things we needed to do.”
Giving Consumers Control
CCPA was passed in June of 2018, which gave companies 18 months to get their data in order. That was a month after the European Union’s General Data Protection Regulation, better known as GDPR, became law. According to Tang, GDPR-compliant companies were “well on their way” to CCPA compliance. However, while the two laws are similar in spirit, they differ on the details — and not just on whom they apply to. For example, under the GDPR, consumers must consent to having their data processed, while under CCPA it’s an individual’s responsibility to opt out.
Any company that does business in California and meets one of three thresholds is required to comply with CCPA, even if they aren’t based in California.
- Has annual gross revenues in excess of twenty-five million dollars ($25,000,000).
- Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
For Spokeo, the first step in the process to become CCPA compliant was conducting a complete data audit. A data catalog was built, with information categorized both by type (location, name, contact information) and sensitivity (public, private, internal). By organizing its data in this way, Spokeo can pull an automated report anytime a user submits a request to know what information the company has gathered from them.
Building a user flow that enables consumers to opt out of the sale of their data was the next step in the process. Tang said that while Spokeo has had an opt-out system in place for more than a decade, CCPA presented a new challenge. Prior to the new law, users could only request that specific listings, via their URLs, be removed from the site.
When a user completed the required form, Spokeo flagged their data, which let its system know not to display it again. The flag followed the data, which means that even if the company aggregated the same information, it wouldn’t be displayed.
While this opt-out process removed a person’s individual profile from the site and prevented their data from being sold, it didn’t show what type of data was collected from them. So, Spokeo built out a new user flow that both enables consumers to opt out from the sale of their data and see the specific types of data Spokeo collected on them. All told, Tang said it took a cross-functional team six months to complete the entire process.
“It sounds much easier than it is,” said Tang. “Doing a comprehensive audit of the data inventory, cataloging it by type and knowing where it’s stored and whether it’s been shared is not a light undertaking. We did it, and I think that’s one of the things that other companies should do as well to be compliant with CCPA.”
The Road Ahead
Despite the time that has elapsed since it was first passed, the CCPA is still a work in progress, Tang said, with tech companies, regulators and lawmakers continuing to iron out the details. That said, a few outcomes are certain, such as the CCPA’s impact beyond the tech industry.
“CCPA doesn’t just apply to data or tech companies,” said Tang. “It applies to all companies that collect data, whether it’s through their own software or third-party software. That’s pretty much every company today.”
While a tech or digitally-native company might be more equipped to handle the challenges posed by CCPA, a legacy retailer or transportation company may have a harder time. Unfortunately, Tang said he hasn’t seen any software that can help companies that may lack technical resources become compliant.
In addition to being a boon for the consulting industry, the CCPA could also cause companies to reexamine their approaches to cybersecurity. Under the law, class action lawsuits can be filed over data breaches, with damages ranging from $100 to $750 per consumer per incident.
“It places more of an emphasis on the importance of data security and cybersecurity,” said Tang. “We have a data security officer, and I think other companies are also following suit and putting more investment into security experts, systems and tools. The first step with data security is to understand what you have.”
“As California goes, so goes the nation.” If that sentiment holds any truth, then the CCPA could be a catalyst for a new federal data privacy law. But many companies aren’t waiting around for the federal government to act. In November, Microsoft announced it would apply CCPA’s privacy rights to its users nationwide. Spokeo has done the same, offering consumers in all 50 states the ability to opt out of the sale of their data.
“Even though CCPA only applies to California, there’s a high likelihood that it will have nationwide impact as well,” said Tang.
Editor’s note: This piece has been updated to reflect that Spokeo’s original opt-out process, in addition to removing a person’s profile from the site, also prevented their data from being sold.