Following the recent approval the California Consumer Privacy Act 2018, technology companies, such as Facebook, Google, and PayPal are battling with privacy advocates to make changes before the act comes into effect in January 2020.
The CCPA promises to provide Californian consumers with more transparency over how businesses use their personal information, and, critically, the ability to request data to be deleted and not sold to third parties.
>See also: What are US companies’ view on GDPR?
It shares key features with the European Union’s General Data Protection Regulation (GDPR), although it is not nearly as strict or extensive. Under the CCPA, only organisations that hold data on more than 50,000 people will be subject to this new regulation and violations carry a fine of $7,500.
With the legislation coming into effect in January 2020, organisations now have a window to suggest amendments and are forthcoming.
“Clean-up” your act
In a 20-page letter from 38 trade groups, including the Californian Chamber of Commerce, addressed to Californian lawmakers, a whole host of criticisms have been articulated — putting them at odds with privacy advocates.
The letter argues the law was “hastily passed” and proposes “amendments to address drafting errors, and to fix aspects of this bill that would be unworkable and that would result in negative consequences unintended by the authors.”
>See also: Should the US adopt GDPR?
Significantly, the organisations involved want to remove the requirement for businesses to identify “specific pieces of information” about consumers, claiming it could create the risk of inadvertent disclosure to a
fraudster posing as the consumer.
According to the letter: “In order to facilitate internet commerce while safeguarding consumer privacy and security, businesses typically maintain consumer information in a pseudonymised form. This means that information is not directly linked to an identifiable consumer, but it does not necessarily meet the high standard that the FTC has set for information that is “de-identified.” Directly linking data contravenes best practices for data security and results in a lower standard of protection for consumer personal information.”
Companies are also suggesting a desire to see the part of the law which gives consumers the right to see their personal data in a “readily usable” format “that allows the consumer to transmit this information from one entity to another entity without hindrance.” This could allow organisations to present personal data in an unclear and confusing way making it harder for consumers to grasp.
>See also: What the Cambridge Analytica scandal means for big data
They also want to write out a section about reflecting “the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes.” Arguably, this suggests an ambition to retain the ability to monetise on this information.
This isn’t the first concentrated criticism made of the new regulation. According to Reuters, earlier this year, executives at Alphabet Inc’s Google “had warned that the measure could have unintended consequences but have not said what those might be.”
Google senior vice president Sridhar Ramaswamy, added: “We think there’s a set of ramifications that’s really difficult to understand. User privacy needs to be thoughtfully balanced against legitimate business needs.”
GDPR anniversary: has the regulation backfired? What next?
While the Association of National Advertisers, in comments to the Federal Trade Commission, said: “We anticipate that the Commission will find that laws like the GDPR and CCPA will limit competition, overburden consumers with opt-in notices and make an efficient and effective digital economy harder to maintain.”
>See also: How do you solve a problem like Facebook?
Push Back
In response, numerous privacy advocacy groups sent their own letter accusing the tech giants of trying to “water down the CCPA’s privacy protections.”
It adds: “Even when the letter does identify a provision where a technical fix is needed, the proposed solution is often excessive in nature and would run counter to the clear intention of the legislation.”
“The sky is not falling, as industry suggests…What is allegedly “unworkable” today will be workable once companies comply with the law.”
Nominations are now open for the Women in IT Awards Ireland and Women in IT Awards Silicon Valley. Nominate yourself, a colleague or someone in your network now! The Women in IT Awards Series – organised by Information Age – aims to tackle this issue and redress the gender imbalance, by showcasing the achievements of women in the sector and identifying new role models.