The California Consumer Privacy Act (CCPA) is the first statewide legislation in the US that offers consumers the strongest protection of their privacy. Enacted in 2018, it allows consumers to know how businesses use their personal information and request businesses to delete such information. While CCPA strengthens consumers’ claims to privacy, it also leaves some unresolved problems and creates new ambiguities. In this paper, I discuss the major concerns about CCPA for both businesses and consumers.
In essence, CCPA grants four types of rights to consumers: the right to know what personal information is used, the right to delete their personal information, the right to opt-out of the sales of their personal information, and the right to non-discrimination when they exercise the three rights above (California Department of Justice 2018). CCPA also imposes stringent requirements for qualified businesses. Besides timely responses to consumer requests, businesses must also notify consumers when they collect personal data, disclose how they calculate the value of personal data, and maintain a record of compliance for at least 24 months (California Department of Justice 2018). The concerns towards CCPA mainly include the broader definitions of key terms and consumers’ ability to take full advantage of CCPA, among other unintended consequences that arise during implementation.
CCPA’s definition of “personal information contains ambiguous terms that may create inequality between companies of different practice areas and varying technical resources. CCPA defines personal information as information that can be “reasonably” linked to a particular consumer or household. However, companies often find it challenging to ascertain if the information they collected can reasonably identify individual consumers. Even after they remove personal identifiers like name, bank account, and user ID from the data collected, it is still possible to re-identify personal information through a combination of quasi-personal identifiers. Harvard University Professor Latanya Sweetney conducted a study that shows that the combination of gender, birth dates, and postal codes is sufficient to identify 87% of individuals in the United States (Sweetney 2000). These three attributes are readily available in public records.
Companies in industries like healthcare may have a particularly difficult time determining if the information they collected can be reasonably linked to consumers, as there are many ways to cross-reference their seemingly anonymous data with public records and uncover personal information about consumers. Concededly, the privacy challenges brought by quasi-identifiers are not impossible to conquer. For example, by modifying the original data, statistical techniques like k-anonymization can make multiple consumers share the same combination of quasi-identifiers, thereby increasing the difficulty to uncover consumers’ private information. However, companies in the traditional industries may not have the resources to have statisticians look at their datasets one by one, enumerate ways their datasets can be used to identify consumers, and design statistical techniques to forestall such risks. Moreover, companies can lose the most original data when they employ such statistical techniques to mitigate privacy concerns.
True de-identification of personal information is hard to achieve, especially for companies whose data often overlap with public records and for companies with limited resources to employ de-identification techniques. CCPA recognizes this problem and hence gives companies some leeway to determine if their data can be “reasonably” linked to individual consumers. Yet the word “reasonably” is still ambiguous by nature and often insufficient to offer companies and consumers the level of clarity they both need.
“Personal information” is not the only ambiguous phase found in the CCPA. Companies also expressed confusion about using publicly available information. CCPA excludes publicly available information from personal information. However, to benefit from this exclusion, CCPA states that companies must use the data for the same purpose for which it is publicly maintained. Alison Pepper, Senior Vice-President at the American Association of Advertising Agency, points out that it is currently unclear who determines whether a business uses public information in the manner that CCPA expects. Is it determined by the public agency providing the information, the CCPA, or the business itself? Nevertheless, the CCPA deserves credit for anticipating potential misuse of publicly available information and adding clauses to prevent the misuse. It might take a few legal cases to gradually resolve the confusions that companies may share.
On the other hand, consumer advocates generally welcome CCPA’s privacy protection framework. But many of them believe that the CCPA could go even further. While CCPA now allows consumers to request companies to delete their personal information, many consumers do not know which companies have already collected their information. Brian Olson from Point Cyber Security gave an example during a CCPA public hearing in Fresno. When people drive down the road, they may notice that there are street cameras shooting their pictures. Yet they do not know which companies operate those cameras and which one of these companies possess their personal information. (California Department of Justice 2019). Therefore, people who are concerned about their privacy may not always know how to take advantage of the rights CCPA offers to them. Consequently, some consumer advocates have petitioned that CCPA should create a mechanism to help consumers find the companies that have their personal information. If such a mechanism were to be created, consumers would certainly welcome it while businesses would vehemently oppose. Lawmakers must balance interests from both sides, making sure CCPA can truly benefit consumers without imposing unreasonable rules on businesses.
While lawmakers have anticipated many challenges when drafting the CCPA, the implementation of CCPA also creates unintended consequences that may betray the spirit of the law. For example, CCPA may discourage companies from pseudonymising user data and hence risk consumer privacy. Data pseudonymization is a technique that replaces personal identifiers with pseudonyms, so that people can no longer use the data to identify individual consumers. Since pseudonymization is reversible, e.g. people can re-identify personal information if they know the mapping between pseudonyms and the raw data, CCPA currently subjects pseudonymized data to the same rules as raw personal information. Therefore, companies may lose the incentive to pseudonymise their user data, even if pseudonymization would enhance consumer privacy. To ensure that companies always put their best effort to protect consumer privacy, CCPA could create tiered treatments for personal data at its original form, pseudonymised form, and irreversibly de-identified form, so that companies can find incentives for each additional step they take to increase data privacy.
CCPA may also unintentionally encourage companies to collect more personal information. To verify that a request to delete personal information truly comes from the owner of the information, CCPA requires businesses to establish a robust method to examine the authenticity of user requests. For businesses that originally do not collect much user data, they may now have to collect more user data (e.g. users’ phone numbers) to create a robust authentication process. Such a result would undermine user privacy and run contrary to CCPA’s principles.
Despite many unintended consequences, as well as concerns for businesses and consumers, CCPA’s contribution to protecting consumer privacy is beyond dispute. Furthermore, lawmakers have continued to solicit public comments, so as to improve the details of CCPA’s implementation. As of March 11, 2019, lawmakers had held 4 public hearings, consolidated public feedback, and proposed two sets of modifications to the initial CCPA regulations. Currently, most participants at public hearings come from either an affected company or a consumer advocacy group. Lawmakers should invite more neutral voices to the hearings, including experts in privacy and technology who do not represent a party with a direct interest at stake. Since these parties are likely less biased, their opinions can enable lawmakers to better balance the demands from businesses and consumers, creating an exemplary legislation for other states and countries to follow.