What does California’s Consumer Privacy Act (CCPA) mean for you?

Originally written in Feb, 2020. Special thanks to Andy Roth (Head of Privacy @ Intuit), Prof. Jennifer King (Director of Privacy @ Stanford Law), and Joseph Ternasky (Head of Privacy & Data Use @ Facebook) for their comments.

Consumers are unsure, lawyers are skeptical, and businesses are scrambling to get the basics in place. On 1st Jan 2020, the biggest privacy act passed by the United States just came into effect — the California Consumer Privacy Act, also known as the CCPA — and it’s making big waves.

CCPA is the biggest legislative step taken in the realm of digital privacy since GDPR [ Wired has a great analysis on GDPR]. It has the potential to shape the next generation of technology by tackling the ‘ Privacy Problem’ that businesses are facing-the delicate balance between intelligent systems and user data. You can read the full bill here.

What is CCPA?

Following the European Union’s GDPR initiative and motivated by the Cambridge Analytica scandal [ Read more] amongst others, the CCPA (California Consumer Privacy Act) outlines a new set of terms businesses need to follow if they serve residents in California. It gives citizens the right to

On 1st Jan 2020, all major tech companies updated their privacy policies to reflect these changes.

While this legally applies to only Californian users, it is easier for businesses to roll this out to their entire audience. We saw a similar impact with the GDPR rights being given to users all over the world, even though only EU citizens were legally given its benefits. Some companies like Microsoft are spearheading the change: Julie Brill, Microsoft’s Chief Privacy Officer announced that the company will be extending the main principles of CCPA to all their users.

Data collection vs. Transparency

The biggest wave in technology is the rise of intelligence. This could range from the delightful Spotify Discover Weekly to futuristic self-driving cars. But any and every intelligent system is built on data. How much would users trust businesses to share their data? How will businesses use this data? Joseph Ternasky, the Director of Privacy and Data Use at Facebook says that “Data selling is a red herring. People like to talk about it but it’s not the primary problem in privacy. It’s really about transparency.”

Take the context of ads: People understand ads when they can trace its source — the causal train. If you search for ‘shoes’ on Google-you will see an ad for Nike. You expect that. But when you go on Nike and start seeing Nike ads on Facebook, you start wondering who is tracking everything you’re doing on the internet. How did Facebook know you were there? As described by Jennifer King, the Director of Privacy at Stanford Law School, when people don’t know where the predictions came from, it makes them feel unsafe.

It’s not the data, it’s the transparency which matters. The best products use your data to add value to your life. Good examples of this are Google Maps, which uses your location to find the best restaurants near you, or Netflix, which helps you discover movies you would like, or news apps, which learn your interests to show you the articles most relevant to you. The fight for privacy is not about data collection. It’s about increasing transparency on what is collected and why. According to Joseph Ternasky, “GDPR describes this as the Purpose of Use. However, this is a problem that is not easy to solve for businesses since it is too vague and can be skirted across.”

And that’s exactly what CCPA and a number of other laws in motion in the Californian legislative process are doubling down on: stopping businesses from selling data to third parties without users’ permission and making users aware of what data is being collected.

Take a waiter at a restaurant who knows your preferences — “So Tim, same pasta as last time with extra olive oil?” — you can’t help but smile and feel special. But take a creepy old guy staring from the corner of the restaurant, coming up and saying “Sooooo, Tim, I see you like this pasta…. would you like some more olive oil?” — makes you shiver. Both have the same information and are using it in the same way, but you are aware of the intentions of the waiter and know you gave the information by your own will- and that is the ‘Privacy problem’ at its core. Businesses and consumers aren’t on opposite sides of the rope. At the end of the day, they both coexist by adding value to each other.

A waiter who knows your preferences can make your day. But it’s the two-sided conversation that matters

You’re not alone

71% of Americans don’t trust businesses with data collection. Americans are relatively distrusting of businesses, especially in light of Cambridge Analytica or other horror stories, such as Copley Advertising using location data to send pro-life mobile ads to people who were near abortion clinics [ Source].

74% of Americans want to be in control of what information businesses collect about them.

This research is from 2015. These numbers are larger today with growing privacy concerns. [ Source]

What can you expect to see?

  1. The privacy policies of companies will comprehensively describe what information they collect about you. Be mindful that this tends to be dense legal jargon and may be hard to navigate through. But it’s there for the well-informed and cautious-minded.
  2. You can submit a request to know who your data is being sold to. Caveat: They won’t list names, only the types of third parties involved.
  3. You’ll begin to see ‘Do not sell my info’ on the homepages of businesses. You can request them to stop tracking you completely.
  4. You can also find instructions to get access to (and even delete) all your collected personal information.
  5. Even if you delete all your information and prevent them from tracking, you will not lose access to the functionality of the product or service provided by the company. Businesses can’t discriminate between users based on levels of data access you provide them; however, you may get rewards and discounts if you keep sharing your data.

The rights provided by GDPR and CCPA are similar. However, the key difference is that CCPA is opt-out while GDPR is opt-in. This small difference means that these changes are only accessible to the tech-literate. Stanford’s Jennifer King believes that consumer-facing privacy laws can only do so much. The major changes need to come in at a structural level: especially to prevent the buying & selling of data that most businesses take for granted under no restrictions. Only laws at this level can bring in major safeguards that we need for digital privacy.

What’s next in store?

CCPA, while being an important first step of many, has its own drawbacks. Users need to read through dense legal jargon (aka the Privacy Policy) to see what data is being collected. And not many people do that. Joseph mentioned “Facebook’s Off Activity feature lets users view all the data being tracked about them and lets users delete and stop tracking. But less than 1% of people use it.” Companies need to make it easier, not harder for users to learn about how their data is being used. One big reason is these don’t exist in the users flow. It might actually be in the company’s favor to interact with users while they’re collecting data and using it: The human psyche needs to know ‘Why?’ and if the business provides a compelling reason, it builds more trust — which, in the long term, will be one of the key competitive advantages a business can have. Netflix for example, shows you why it’s recommending a particular movie or show with their “Because you watched …” feature.

While laws can start a change, it is in our power to incentivize companies to drive it.

There need to be future amendments that make it easier for users to see and control what data gets collected. What might it look like? Perhaps it would look like a list of all sources / types of data that is collected about you and the ability to delete specific collections and stop the tracking of particular actions altogether. Just like how you can control mobile notifications.

Android allows you to give specific permissions to the app to access your data and send you notifications.

Would this hurt businesses? In the short term, yes. In the long term — I’d say it’s necessary. When I heard Facebook buys information about my Safeway club card — it made me stop using my card completely and lose trust in Facebook. If Facebook told me it’s buying my Safeway shopping history to help me find better deals on Fage yogurt that I love to eat, I would be all in for it. Businesses need to look at consumers as their kin. But that’s a matter for another article.

Update: Acxiom used to provide Facebook with data sources like Safeway’s Club Card but Facebook has broken ties with them since Cambridge Analytica.

Further Reading

  1. Stanford Law’s Jen King on California’s New Privacy Law [ Source]
  2. Microsoft vows to ‘honor’ California’s sweeping privacy law across entire US [ Source]
  3. Recode — California’s new privacy law, explained [ Source]
  4. The Verge — No one is ready for California’s new consumer privacy law [ Source]
  5. CCPA is here: California’s privacy law gives you new rights [ Source]

Originally published at https://tanaykothari.substack.com.

Life is like Stochastic Gradient Descent: A little momentum can always help, Stanford ‘20