The long-awaited California Consumer Privacy Act of 2018 (“CCPA”), first proposed as a ballot initiative in 2017, was passed by the state legislature in 2018 and came into effect on January 1, 2020, after a transition period. The rising tide of privacy concerns, already addressed by the European Union’s General Data Protection Regulation (“EU-GDPR”), has alerted authorities worldwide, and the CCPA is regarded as the strictest privacy law the US has produced so far. The new regulation puts the technology, media, telecommunication and entertainment sectors, loosely referred to as Silicon Valley and including tech giants like Facebook, on the spot.
The extraterritorial reach of the CCPA follows the EU-GDPR: if Facebook does business in California, with or without a brick-and-mortar establishment in the state, the CCPA purports to apply to it. The law is aimed squarely at giants like Facebook through its thresholds. It covers a business that annually buys, receives, sells or shares the personal information of 50,000 (fifty thousand) or more consumers, households or devices, has gross annual revenue above USD 25 million, or derives 50% (fifty percent) or more of its annual revenue from selling consumers’ personal information, thereby carving out an exception for smaller businesses.
The compliance obligations that companies like Facebook must meet fall broadly into three categories: (i) individual rights, (ii) data security and (iii) service providers.
![](https://static.wixstatic.com/media/870075_9da5f825d2184cf590321980f8b18bf6~mv2.png/v1/fill/w_855,h_587,al_c,q_90,enc_auto/870075_9da5f825d2184cf590321980f8b18bf6~mv2.png)
What compliance would Facebook require to adhere to?
The privacy notice requirement obliges Facebook to give California residents a notice describing the organisation’s privacy practices. Existing EU-GDPR compliance already covered most of these requirements, but no US federal or state law had previously demanded what the CCPA does. Before collecting data, the company must now state what it will use the data for, whether the collection is offline or online, how it uses and processes the personal information, that users have the right to access the information Facebook holds about them, that they have the right to have that information deleted, and the categories of entities to which their information has been sold.
With the advent of the CCPA a stark change has come to the privacy regime: the company collecting data, in our case Facebook, must now include a “Do Not Sell My Personal Information” link on its website and in its privacy notices under section 1798.135(a)(1) of the CCPA. It must also disclose to data subjects what information it shares with service providers and other third parties.
The right to access data is introduced for the first time in a US privacy statute of general application: the data subject may request a copy of the information the company keeps about them. The concept itself is not new; the EU-GDPR introduced it under Article 15. The right to be forgotten, like the right to access, is a cornerstone of the EU-GDPR, and the CCPA now confers a limited right to be forgotten as well. Interestingly, the CCPA does not grant the data subject an all-encompassing right to erasure. Instead, it requires the business, on request, to delete the personal information “which the business has collected from the consumer”. This implies that businesses retain leeway to keep data they formed or created themselves, or received from third parties. Such data could include customer experiences, customer feedback, and attributes built to personalise the customer’s experience, including but not limited to transactions and prior purchases.
The game-changer of the CCPA, and the reason the Silicon Valley giants objected to it, was its opt-out concept: a person can direct a business not to sell the personal information it holds about them. What distinguishes it from other privacy laws is that those laws never addressed the sale of personal information. The EU-GDPR, for instance, confers a limited right to object to processing or to revoke consent, but it never explicitly red-flagged the selling of data. The CCPA is an ‘opt-out’ law more than an ‘opt-in’ one. Lastly, the CCPA introduces the right to equal service and price, which prohibits discrimination against consumers who exercise their rights under the CCPA.
Organisations must implement reasonable security practices; a data breach resulting from failure to do so allows aggrieved consumers to sue for statutory damages of USD 100 to USD 750 per consumer per incident (or actual damages, if greater), whereas the EU-GDPR sets no fixed figure. For regulatory violations the CCPA imposes a civil penalty of up to USD 2,500 per violation, or USD 7,500 per intentional violation, which is modest compared with the EU-GDPR’s fines of up to EUR 10 million or 2% (two percent) of total worldwide annual turnover, whichever is higher, rising to EUR 20 million or 4% (four percent) for the most serious infringements.
What steps did Facebook take in view of CCPA?
The CCPA’s early drafts cited the Cambridge Analytica fiasco, in which the Facebook data of around 87 million people was harvested without their knowledge or consent; the bill accordingly “heightened” privacy controls and data practices.
Having absorbed a USD 5 billion penalty, Facebook has made amends, embracing the CCPA and committing to respect people’s data. After the GDPR the social media giant had introduced the “Access Your Information” tool for compliance, and it has since adapted the tool into a new variation for CCPA compliance. The Californian law imposes even tighter restrictions on data sharing for commercial purposes and uses a broader definition of “personal information”.
With the CCPA in effect from January 1, 2020 and enforceable from July 1, 2020, businesses could be fined for non-compliance. Amid the confusion surrounding the subject, Facebook announced a feature called “Limited Data Use” (“LDU”) that gives businesses more control over how their data may be used in Facebook’s systems. Facebook stated that the feature would be active from July 1 to July 31 and enabled for all business accounts. LDU limits how user data may be stored and processed for users Facebook identifies as residents of the State of California.
During that period the feature automatically detected whether a user resided in California. To keep it beyond July 31, businesses must update their Facebook pixel to include an LDU parameter, which lets advertisers specify which data is subject to CCPA data handling. Concretely, the PageView pixel code must be modified to pass a data processing options string to the pixel. The automatic mode was the default only until July 31; after that, businesses that wish to restrict how the data shared with Facebook’s business tools is used must re-implement LDU by updating their pixel.
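As an added illustration (not Facebook’s code and not part of the original article), the snippet below reproduces the one part of the Meta Pixel bootstrap that matters here, the queue that holds `fbq()` calls made before the remote script loads, and then shows the LDU configuration call next to the “agency forgot to update the pixel” case. The parameter values follow Meta’s published Data Processing Options documentation, where `['LDU'], 1, 1000` means country 1 (US) and state 1000 (California) and `['LDU'], 0, 0` asks Facebook to geolocate the user itself; the pixel ID, the helper names and the audit function are assumptions made for this example.

```javascript
// Added example, not Facebook's code. Reproduces only the queueing behaviour of
// the Meta Pixel bootstrap so LDU configuration can be inspected offline.
// Parameter values for 'dataProcessingOptions' follow Meta's public docs
// (assumption stated in the lead-in); pixel ID and helper names are made up.

// The real snippet defines fbq() so that calls made before fbevents.js arrives
// are pushed onto fbq.queue; once loaded, fbq.callMethod replays them in order.
function createPixelStub() {
  const fbq = function () {
    if (fbq.callMethod) {
      fbq.callMethod.apply(fbq, arguments);
    } else {
      fbq.queue.push(Array.from(arguments));
    }
  };
  fbq.queue = [];
  fbq.loaded = true;
  fbq.version = '2.0';
  return fbq;
}

// lduMode (assumed helper vocabulary, not a Meta term):
//   'california' -> fbq('dataProcessingOptions', ['LDU'], 1, 1000)  explicit US / California
//   'geolocate'  -> fbq('dataProcessingOptions', ['LDU'], 0, 0)     let Facebook geolocate
//   'off'        -> fbq('dataProcessingOptions', [])                 explicitly no LDU
//   undefined    -> no call at all (the post-July-31 default if the pixel is left untouched)
// The data processing options call must come before init and any track call.
function configurePixel(fbq, pixelId, lduMode) {
  if (lduMode !== undefined) {
    switch (lduMode) {
      case 'california': fbq('dataProcessingOptions', ['LDU'], 1, 1000); break;
      case 'geolocate':  fbq('dataProcessingOptions', ['LDU'], 0, 0); break;
      case 'off':        fbq('dataProcessingOptions', []); break;
      default: throw new Error('unknown LDU mode: ' + lduMode);
    }
  }
  fbq('init', pixelId);
  fbq('track', 'PageView');
  return fbq.queue;
}

// Audit check over the queued calls: LDU is effective only if a
// dataProcessingOptions call exists, precedes every track call, and its
// options array actually contains 'LDU'.
function lduRequestedBeforeTracking(queue) {
  const dpoIndex = queue.findIndex((call) => call[0] === 'dataProcessingOptions');
  const trackIndex = queue.findIndex((call) => call[0] === 'track');
  if (dpoIndex === -1) return false;
  if (trackIndex !== -1 && dpoIndex > trackIndex) return false;
  return Array.isArray(queue[dpoIndex][1]) && queue[dpoIndex][1].includes('LDU');
}

// Stand-alone demo with a made-up pixel ID.
const DEMO_PIXEL_ID = '1234567890';
for (const mode of ['california', 'geolocate', 'off', undefined]) {
  const queue = configurePixel(createPixelStub(), DEMO_PIXEL_ID, mode);
  console.log(String(mode).padEnd(10), 'LDU effective:', lduRequestedBeforeTracking(queue));
}
```

The audit helper is the check worth running against a client page’s pixel setup: an empty options array is an explicit opt-out of LDU, and no `dataProcessingOptions` call at all (what an untouched pixel looks like after July 31) leaves the data shared with Facebook’s business tools unrestricted, even though the page still fires `PageView` normally.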
In practice, if a digital marketing agency does not update the pixel on a client’s website, responsibility falls solely on the business. The feature is expected to hurt marketing and revenue performance in the region because it limits retargeting ads in California. Digital marketers who use Facebook to track customer behaviour in California may face several challenges: less precise audience targeting, reduced efficacy of advanced customer matching, and limits on offline conversion tracking and retargeting for California residents. To conclude, Facebook’s LDU feature, when active, would leave zero target audience if all the users are from California.
The article is authored by Ayush Chowdhury, Co-head, BlockSuits.