The California Consumer Protection Act (CCPA)

In June 2018 California enacted a new privacy law that adopts some of the requirements of the European Union’s privacy regulations that recently went into effect. The California law goes into effect on January 1, 2020 and will affect a lot of US companies, including many not located in California. The law applies to any company that collects and processes personal information of California residents. For now, small companies that have revenues of less than $25 million per year along with non-profit entities are exempt.

The law defines personal information much more broadly than any other US privacy legislation. Personal information is defined as, “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Covering information that identifies only a household (an address) is a big expansion of privacy rules, since prior rules only considered the personal information of individual residents. The law includes a list of examples of personal data such as Social Security numbers, credit card numbers, and drivers’ license numbers, but goes a lot further and covers things like information captured and tracked by marketing cookies, such as IP addresses or information about computers or phones. While the law excludes information that is publicly available, essentially any other information a company collects about customers is considered private.

The new law provides specific rights to consumers:

Disclosure: A business must notify customers about its data collection practices. Companies must disclose the personal information that is being collected, describe how it’s being collected and used, and disclose if that data is being disclosed or sold to anybody else. This is to be provided in a publicly posted privacy notice and also needs to be made available to consumers upon request.

Opt-Out: Customers must be provided an easy-to-understand process for opting out of having their data sold to third parties. Consumers under 16 must opt in to having data sold. Parents must provide consent for children under the age of 13. Companies must provide a “Do Not Sell My Personal Information” button on their main home page.

Information Removal: Customers must be provided the ability to have businesses delete their personal information, and companies must let customers know they have this right. If a customer chooses this option a business must not only delete the information from their own records but must ensure that the records are deleted by any third-party contractors that have been provided with the personal information.

No Discrimination: Businesses cannot discriminate against customers who elect to keep their data private. Businesses can’t charge an extra fee for a customer electing a privacy option. Interestingly though, businesses can offer an incentive for customers to make their data available, such as offering a discount for allowing the business to use the data.

In the same manner that recently happened in Europe, US companies that are covered by this law have a lot of things to put into place by the first of next year. Most companies won’t find it hard to make the needed disclosures and notices, but putting processes in place that delete customer data, including data that was passed on to somebody else, can be a huge challenge. One of the hardest requirements to meet will be the one that requires companies to make all reasonable efforts to protect against data breaches.

The penalties for not complying with the law are high. A company can be charged up to $2,500 for every violation and up to $7,500 for each intentional violation (such as not deleting data after assuring a customer it was done). Companies can avoid fines by coming into compliance within 30 days of being notified by an attorney general of a violation.

The law also opens companies to litigation from customers. The law gives consumers the right to bring lawsuits if their data is disclosed due to negligence of the business. Consumers can file individual or class action lawsuits and can recover between $100 and $750 in damages per incident. This law will almost certainly spur a class-action lawsuit every time there is a big data breach.

I’ve reported on this law for a few reasons. California often leads the country on new legislation and it’s likely that some version of this law will spread elsewhere across the country. For instance, as I was writing this blog the state of Maine passed legislation that is even more stringent in a few areas. There is also a bipartisan effort in Congress looking at privacy rules and this law is certain to influence that effort.

This law doesn’t just apply to web vendors. Parts of this law apply to anybody that collects sensitive customer data over the Internet, such as ISPs and utilities. It’s a warning to every business to take steps to protect against breaches of customer information.

Telling Customers the Truth

The FCC got a recommendation from its Staff to finally implement one of the aspects of net neutrality that large ISPs are bound to hate. They are recommending that ISPs publish consumer disclosure forms that declare all of the relevant facts about their broadband products.

This is not a new requirement and was originally ordered in the first FCC net neutrality decision several years ago. Since it was never challenged in court, this portion of the original order always remained in effect. But the FCC never got around to telling carriers specifically what they must disclose to customers.

The list of what Staff is recommending to be disclosed is really thorough and includes all of the information that customers ought to know about their broadband product. This includes:

  • What the product would cost if bought as a standalone product, not part of a bundle.
  • Details of how those prices change if the product is in a bundle.
  • Details of the charges. For instance, if there is a data cap, then what is the base fee and how much is additional data?
  • Any associated charges for a modem, WiFi router, or other equipment.
  • Details of other monthly fees. This is a great requirement because large carriers have been inventing various fees to make their base prices look lower, and a customer has no way of knowing in most cases if these fees represent taxes the carriers must pay or are just pocketed by the carrier.
  • A list of the taxes that apply to the service.
  • Average data speeds. The FCC wants carriers to report the average peak download and upload speeds that come from FCC testing or carrier tests. This will be a real challenge for some carriers since broadband speeds can vary widely within their network. For instance, DSL speeds vary by the distance from the central office. Cable modem speeds can vary a lot between different network nodes. And some technologies vary by the number of users on the system.
  • Average latency. This is the network delay in getting data from the web.
  • Average packet loss. This is how much of the data you are downloading comes through accurately. This and latency are two things that carriers rarely disclose.
  • A list of network management practices that might affect service. The FCC wants details about how such practices are triggered and applied to the network.
  • The company’s privacy policy.
  • How to make complaints.

For now these rules are only going to apply to carriers with more than 100,000 customers. The FCC is going to consider, however, how this might apply to smaller carriers at some later date. One has to imagine that at least some of this is going to be required for everybody.

That is an incredibly detailed list of requirements and covers every aspect of selling a data product. Carriers that deliver honest speeds are going to have no problems with these requirements. In fact, if you deliver a fast data product that actually delivers what you advertise, then these disclosure forms could become a competitive edge since you will be able to point to the competitor’s forms that tell a different story.

One thing that this ought to stop is carriers selling ‘up-to’ speeds since they are now going to have to disclose the actual speeds they deliver. It’s very common to see the large companies selling the same speeds in every market although the speeds they advertise are only available in urban parts of the states. This results in people thinking they are buying one speed but getting something far slower.

I’ve always wondered why the FCC took so long to do this. This requirement has been on the books now for many years and basically all that was needed was for the FCC to tell the carriers to implement what had been ordered. But it’s finally here and I am looking forward to seeing how the big companies comply with this. This level of required detail doesn’t give carriers a lot of wiggle room and perhaps customers are finally going to have a way to compare competing data products.