Law in the Internet Society

View   r3  >  r2  ...
EricNSecondEssay 3 - 26 Jan 2020 - Main.EricN
Line: 1 to 1
 
META TOPICPARENT name="SecondEssay"
Changed:
<
<

Data Protection in the US - quo vadis?

>
>

The new kid on the Block: CCPA and US Data Protection

 
Changed:
<
<
-- By EricN - 07 Dec 2019
>
>
-- By EricN - 26 Jan 2020
 
Changed:
<
<

Status Quo

The internet user’s perception of data protection and the awareness about the use and storage of one’s personal data has enormously changed in recent years and countries all over the world are either working on or have already implemented new rules and regulations, providing their citizens the legal tools to (purportedly) do something about the potential misuse of their data. The implementation of the GDPR has definitely started a certain movement, but this article wants to focus on the upcoming shift in the US data protection landscape (on a State level, as there is no single, comprehensive data protection framework on a federal level), starting on January 1, 2020 with the implementation of the California Consumer Protection Act (CCPA). So, with only a few weeks’ time left until this historic change in US privacy regulations, the question to be asked is, does the CCPA change anything and where does US data protection go from here?
>
>
The internet user’s perception of data protection and the awareness about the use and storage of one’s personal data has enormously changed in recent years and countries all over the world are either working on or have already implemented new rules and regulations, providing their citizens the legal tools to (purportedly) do something about the potential misuse of their data. The implementation of the GDPR has definitely started a certain movement and this article wants to explore the recent shift in US data protection. With the California Consumer Protection Act (CCPA), a new landmark legislation came into force and the message of the new kid on the (privacy) block is clear: I cannot be ignored! So, it has to be asked if this historic shift in US privacy regulation changes anything? The signs are clear: yes, something has definitely changed!
 
Changed:
<
<

The CCPA

The CCPA is coming into effect in times where data breach scandals such as Cambridge Analytica or the Equifax leak (which resulted in a $575 million settlement with the FTC: https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related) dominate the news headlines. The main goal of the CCPA is therefore primarily to protect the personal data of consumers (well for Californian consumers) and give them better control over their data. Despite the good intention of Californian lawmakers, the general tone in the jurisprudence is that the law is poorly written – it is more than 10’000 words, which is undeniably very long for such a law – and according to Goldman “insanely complicated” (Eric Goldman, Internet Law: Case & Materials, July 2019 version). But in a nutshell, the CCPA will be the toughest and most comprehensive data privacy law in the United States and it is hardly a coincidence that it comes from California (California is not only the largest economy in the United States, but also the world’s fifth largest economy: https://en.wikipedia.org/wiki/Economy_of_California).
>
>

US Data Protection in a nutshell

 
Added:
>
>
Although the Federal Trade Commission (FTC) has the authority to enforce data protection regulations on a federal level, there is no federal data privacy law in the US. Instead, most states have regulated privacy in one way or another on a state level. However, these regulations on a state level have various overlapping or incompatible provisions. For example, all states have data breach notification laws, but there are, for example, different definitions of what constitutes personal data and what constitutes a data breach (The U.S. Approach to Privacy Protection). In one word, US data protection is a patchwork.
 
Deleted:
<
<
Without going into too much technical detail, the CCPA is supposed to provide consumers in California enhanced privacy rights, much like the GDPR. Consumers will have the right to know what personal data is being collected by companies, they have a right to access their data and can request the deletion of their data and, unlike any other data protection law enacted (worldwide), the CCPA requires companies to install an opt-out link on their website, allowing consumers to opt out of sharing their data with any third parties (https://www.dataprotectionreport.com/2019/02/gdpr-ccpa-and-beyond-changes-in-data-privacy-laws-and-enforcement-risks-to-monitor-in-2019/). Although not all of the provisions or the applicability of the CCPA are crystal clear, one can see towards where privacy is shifting, which is essentially the consumer. If the consumer is ready to accept these rights, which also entail the obligation to use the allotted privileges, cannot yet be answered and time will tell.
 
Deleted:
<
<

Quo vadis

California could definitely be described as a pioneer in the legalization of data protection rights in the United States and it already can be observed, how the CCPA has set something in motion. Although the law only applies to California based companies who meet certain thresholds, it must also be observed by out-of-state merchants who sell to Californians (and as said, California is the world’s fifth largest economy). There is chance that companies will not create to different data protection systems, but rather apply the rules of the CCPA nationwide (https://fortune.com/2019/09/13/what-is-ccpa-compliance-california-data-privacy-law/). On the other hand, the CCPA has already influenced 11 states (including New York, Nevada, Maryland, New Jersey and Washington) to introduce similar legislation, which all include their own, slightly different version of consumer rights. On the one hand, these movements amplify the problem of a data protection patchwork, on the other hand, it might motivate companies to implement a nationwide data protection compliance including consumer rights, or it even might result in efforts of the US Congress to step in and implement national comprehensive data privacy legislation.
 
Changed:
<
<

Conclusion

After the endeavors, various companies faced in May 2018 to get up to date and compliant with the GDPR, the CCPA undoubtedly is putting the next regulatory challenge upon many companies. Although the two laws are not completely different, there is still much to do for affected companies to be ready in three weeks’ time.
>
>

The new kid: California Consumer Protection Act

Since January 1, 2020 the CCPA is in force hand its main goal is to primarily protect the personal data of consumers (at least for Californian consumers) and give them better control over their data. Despite the good intention of Californian lawmakers, the general tone in the jurisprudence is that the law is poorly written – it’s more than 10’000 words, which is undeniably very long for such a law – and according to Goldman “insanely complicated” (Eric Goldman, Internet Law: Case & Materials, July 2019 version). But the CCPA will be the toughest and most comprehensive data privacy law in the United States and it is hardly a coincidence that it comes from California (California is not only the largest economy in the United States, but also the world’s fifth largest economy: California at a Glance).

Consumer Rights

The CCPA empowers consumers in California with enhanced privacy rights (Section 2 CCPA), such as the right to access personal data that companies have collected from them and to demand deletion of such personal data. Unlike any other data protection law enacted (worldwide), the CCPA also requires companies to install an opt-out link on their website, allowing consumers to opt out of sharing their data with any third parties (Data Protection Report 2019).

Operational Impacts

 
Changed:
<
<
So, will the CCPA change anything? For us as consumers, this is a question not easy to answer, but the CCPA will definitely give Californian consumers the right to actually know, what data companies are storing about them and to request deletion of such data. If you’re are a company affected by the CCPA, it will definitely change how you will handle consumer data in the future and probably this is a good thing. However, looking at the comprehensive data subject rights under the GDPR and their use by its addresses (only three out of ten European citizens have heard of their new privacy rights: https://www.helpnetsecurity.com/2019/06/18/gdpr-application/), one could come to the sobering realization, that people just don’t care about their data or privacy.
>
>
This last consumer right has already led to visible changes: since January 1, 2020 many homepages have added a “Do Not Sell My Personal Information”. If the consumer is ready to accept his enhanced privacy rights, companies will definitely feel the impacts of the CCPA.

Why should companies care? The penalties under the CCPA are not as high as the potential penalties lurking overseas in Europe for GDPR non-compliance. The maximum penalty of $ 7’500 for intentional violations of the CCPA do not scare the big technology companies, which were essentially the ones who pushed back the hardest against the implementation of the CCPA (Tech Lobbyists Push to Defang California's Landmark Privacy Law). I think it’s the competition and the domino-effect they fear: once your main competitor claims he’s CCPA compliant, you are pressured to follow, because due to the increased privacy awareness, customers actually will perceive this and act accordingly. If you do it right, it could even be a marketing advantage.

CCPA – I came to stay!

California is definitely a pioneer in the legalization of data protection rights in the United States and the CCPA has set something in motion. Although the law only applies to California based companies who meet certain thresholds, it must also be observed by out-of-state merchants who sell to Californians (and as said, California is the world’s fifth largest economy). There is chance that companies will not create to different data protection systems, but rather apply the rules of the CCPA nationwide (Here Comes America’s First Privacy Law: What the CCPA Means for Business and Consumers).

The CCPA has influenced 11 states to introduce similar legislation, which all include their own, slightly different version of consumer rights. These movements amplify the problem of a data protection patchwork, but it might also motivate companies to implement a nationwide data protection compliance, or it even might result in efforts of the US Congress to step in and implement national comprehensive data privacy legislation.

Conclusion

After the endeavors many companies faced in May 2018 to get compliant with the GDPR, the CCPA has undoubtedly put the next regulatory challenge upon many US companies. Peer pressure and the enhanced consumers privacy awareness are just two of many arguments why US companies cannot ignore the CCPA. In terms of implementation costs, manpower and inexistent financial added value, these companies are facing a compliance nightmare, but none of them can afford to do nothing. So the CCPA has definitely changed how affected companies handle consumer data in the future and this is a good thing. If the CCPA were just empty words, it would not have been as strong politically opposed as it was.
 
Changed:
<
<
The tools do something about our privacy are there, but they’re poorly used. Maybe we need a second Cambridge Analytica to wake up. In summary, the initial question whether the CCPA will changes anything or not can definitely be answered with e clear yes. The CCPA has not only set data protection legislation in various other US States into motion, but it also helped to start the process of realization of consumers, that their data is value and that they have certain rights to protect their data. In the end however, it is up to all of us to start appreciating the value of our data and it therefore is in our hand to change the way companies handle our data.
>
>
The tools do something about consumer privacy are there, but so far, they were poorly used (only three out of ten European citizens have heard of their new privacy rights: One year of GDPR application). Has the CCPA changed anything? Definitely yes. The CCPA has not only set data protection legislation in various other US States into motion, it also helped to further increase the privacy awareness of US consumers. In the end, it is up to all of us to start appreciating the value of our data and start using the tools that were given to us by legislation like the CCPA. The new kid on the block definitely has set something in motion.
 
Deleted:
<
<
 
Deleted:
<
<
What was the objective of this draft? It begins by asking whether CCPA will change anything, and ends up saying it doesn't know. This does not make the reader feel that something useful by way of learning or thinking has been returned for the time spent reading. The best route to improvement of the draft is to begin with something it's important to say. Give the reader your idea up front, concisely and with a clear sense of purpose, to motivate reading. Show in the succeeding paragraphs how you came by the idea, that is, what it develops from in the existing conversation, providing the illustrations or reportage that the reader needs in order to understand why your idea is an important contribution. That makes possible a conclusion that the reader can feel is worth something, and that enables her to take another step on her own, by following the implications of your idea.
 


Revision 3r3 - 26 Jan 2020 - 15:01:38 - EricN
Revision 2r2 - 16 Jan 2020 - 15:26:45 - EbenMoglen
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM