By Richard Ulysse
In January 2020, the California Consumer Privacy Act of 2018 (CCPA), a law introducing strict data privacy and digital consumer rights, was implemented. Such regulation has precedent throughout the world, but it constitutes the first significant attempt to address the issue in the U.S. In essence, the law ensured three rights: to know what data is collected, to refuse the sale of our data, and to hold big corporations accountable. Particularly unexpected given the powerful voices coming from Silicon Valley tech companies, the bill received wide media coverage. Yet, while this coverage displayed a broad range of reactions, opinions and implications, there is something that those comments never failed to bring up: the comparison with the General Data Protection Regulation (GDPR). Introduced in European Union (EU) law in 2016 to ensure data protection and privacy, the GDPR constitutes an important component of EU privacy law and of human rights law. It inspired a framework that Californian privacy advocates and legislators translated to their own environment to address the same concern, the widely acknowledged lack of oversight on data collectors and their obscure advertising purpose. However, key differences exist between the two legislations [2], starting with GDPR’s strong legal basis—that has no equivalent in the CCPA [3][4]. I argue that the media played a crucial role in the validating the CCPA due to its similarities with GDPR. Essentially, the CCPA benefited from its GDPR’s political and legal credit though it did not provide the same safeguards.
Your Data is Yours. Until it Isn’t.
The CCPA’s limitations of scope widely differ from those of GDPR. The two policies do not protect the same subjects. On one hand, the GDPR’s data subjects define any “identified or identifiable natural person”, which includes not only EU residents but also those who are within its territories at the time of data collection. For example, a Chinese citizen temporarily residing within the borders fixed by the policy would be protected the same way permanent residents are. On the other hand, the CCPA only protects California residents, thus excluding temporary visitors. But when thoroughly assessing both policies’ scope, the organizations they apply to also must be considered. Once again, the GDPR’s safeguards provide tighter guarantees. Encompassing every company processing personal data of any individual residing in the EU, its compliance standards can hardly be circumvented. Potential other factors such as the company’s annual revenue, the volume of data processing or the source of revenue do not affect the need for a company to comply in any way. The CCPA’s compliance window appears narrower, as it only targets big corporations. Indeed, multiple factors govern the law’s application: the company must 1) be a for profit with a revenue of at least $25,000,000, 2) buy, receive, sell, or share personal information of more than 50,000 consumers, households, or devices on an annual basis and for commercial reasons, and 3) selling consumer personal information must constitute 50% or more of its annual revenue. Furthermore, the CCPA’s provisions exempt information collected by a business about a natural person during the person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor of a business [5].
No, Thank You
A second major difference between both policies regards their consent requirements. Looking at the rights introduced by the CCPA, it is safe to argue that it is a real jump in terms of privacy. However, it does not require affirmative consent upfront— and favors a right to opt out instead. Three main contradictions seem to appear within its clauses. First, it requires consent between 13 and 16 years old, or a parental validation when under 13 years old. Considering that in contractual law, kids under 18 are not allowed to sign contracts and be bound by them, this consent makes little sense, and its legal validity could be considered null and void. Then comes the difficulty to apply the law to the concrete world: how can this consent be implemented? The common solution of an age gateway could encourage lying and does not appear as a satisfying one, though according to federal law, no company could be held responsible in that case. The last challenge emerges when looking into the different types of cookies and tracking software. While first- and second-party cookies—logging the consumer into a site—seem manageable, regulating the diversity of third-party cookies floating around when navigating through the Internet would require a much more robust framework than what the current version of the CCPA provides. Contrarily, the GDPR is better equipped to implement its theoretical ideals. While both the two substantial scope distinctions—the subject protected and compliance rules—and the consent requirements difference are substantial enough to be pointed out, those are often overlooked by traditional media coverage.
A Cunningly-Orchestrated Minimization
The dynamics between the different stakeholders affected by the introduction of the CCPA provides explanatory factors for the minimization of those differences. If mentioning digital technology users seems obvious, their side is not necessarily unequivocal, as their potential decisions are on a spectrum between total control over their data vs. the benefits of having a personalized experience on the internet. Though they have limited impact individually, they can vote and form consensus to promote their ideas. Contrarily, tech companies have a more consistent stance. As they play the middle man between users and advertisers, their use of data must conciliate the claimed purpose of collecting it in the first place—an optimized user experience—and their economic needs—i.e., advertisers’ interests. Benefiting from a crucial influence due to their central posture, their major challenge is to elaborate strategies to reuse data within legal and ethical limits. Beyond digital technology users, the companies collecting the data and the state, the interests of two other major lobbying powers seem relevant to analyze: consumer privacy, Non-Government Organizations (NGOs) and advertisers. Since NGOs’ core purpose is to voice and systematize individual user’s concerns, they necessarily advocate in favor of the protection of consumers’ data and the regulation of data manipulation by tech companies. Beyond their potential for collective action by raising awareness among citizens, their influence through lobbying on legislators is significant. The CCPA is the perfect example of this influence, as it has been initiated by the organization Californians for Consumer Privacy and their founder Alastair Mactaggart. Those NGOs had interest in highlighting that on the other side of the Atlantic, their claims had already been turned into law. Emphasizing the similarities between the CCPA and the GDPR rather than what split them apart thus became part of privacy advocates’ strategy. In the opposition to a strong regulation, advertisers tended to side with the tech companies. As they process users’ data to better identify and reach their target audience, this raw material is at the heart of their system and is necessary to conduct analysis. The fact that most tech companies’ business models are based on advertisements give advertisers power over the debate. Unsurprisingly, advertisers advocate in favor of limited regulation, if at all. However, this has consequences on their propensity to normalize the comparison with the GDPR: the safer the CCPA is considered by the public opinion, the less likely it is to support the tightening of regulation. As a result, both advocates for and against regulation push for the same comparison to be widely acknowledged. Newspapers could therefore use the metaphor without having to make its political implications explicit, since both sides of the political spectrum pushed for the parallel to be made. Does a political consensus between stakeholders necessarily means that something is apolitical? Does advancing everyone’s interest at the same time mean that a move is politically neutral? By judging the clarification superfluous, the media contributed to the mythification of the CCPA as a comparable safeguard to the GDPR, thus serving as the smokescreen behind which skirmishes between stakeholders were taking place.
From Technical Confusion to Political Manipulation
Overall, we found that the media played an important role in the debate around the CCPA, contributing to raising its legitimacy by the repeated comparison with the GDPR. While, as we have shown, both come with key differences in their approach to consumer privacy, this gap has often been overlooked by convenience, allowing the CCPA to benefit from his big brother’s political ethos. This confusion has significant implications in the aftermath of the bill’s implementation, influencing the debate on the CCPA’s successor, the California Privacy Rights Act (CPRA, “CCPA 2.0”) in 2020. As the CPRA extended the CCPA with opt-out requirements, consumer privacy requests, audit & risk assessments, and enforcement, its implementation has been widely influenced by the CCPA’s wide popularity. This cloud was turned into an argument for opponents against furthering regulations to soften the bill’s language. Therefore, if the current system was meeting the needs of consumers why would it need to be changed?
References
[1] Cowan, Jill, and Natasha Singer. “How California’s New Privacy Law Affects You.” The New York Times. The New York Times, January 3, 2020. https://www.nytimes.com/2020/01/03/us/ccpa california-privacy-law.html.
[2] “CCPA vs GDPR: Key Differences in the Legislation.” GDPR EU, Novembre 4, 2020. https://www.gdpreu.org/ccpa-vs-gdpr/
[3] “California Consumer Privacy Act 2020 (CCPA) Explained.” Privacy End, August 16, 2021. https://www.privacyend.com/ccpa/
[4] “CCPA vs. GDPR.” Recruiting Resources: How to Recruit and Hire Better, September 28, 2021. https://resources.workable.com/hr-terms/ccpa-vs-gdpr#
[5]Wilcox, Manon. “Which Organizations Must Comply with the CCPA?” Colors, October 5, 2020. https://colors-newyork.com/which-organizations-must-comply-with-the
ccpa/#Who_is_exempt_from_CCPA.
Be First to Comment