California Consumer Privacy Act Starts Jan 1, 2020

We’ve discussed privacy and the ad industry before on TidBITS, and it looks like the CCPA is close to being law, of the Republic of California at least:

Under CCPA, consumers who reside in California will be able to opt out of having their data collected, shared or used. According to the current version of CCPA, the opt-out clause means websites will have to provide a clear “do not sell my personal information” button. The law gives consumers the right to ask a business twice a year for a report outlining all the data it has collected on them, and it gives consumers the right to tell businesses not to sell that data and to delete it. Consumers will be able to find out which categories of data have been collected on them and with which parties their data has been shared along with the commercial purpose for acquiring the data.

CCPA extends to consumers new rights when there’s been a data breach, including the right to sue for up to $2,500 per violation and $7,500 for intentional violations.


I’m confused about this part (also, paywall). If a company gets hacked and my private information is stolen, I can already today sue them for whatever I want (assuming I have the $$$ to assemble the necessary legal team), right? So is the $2,500/incident actually a fine of sorts?

I think it is a good step in the right direction, but not close to the GDPR’s giant step. The CCPA just protects people in California. The GDPR requires prior consent to collect and sell your information; the CCPA gives the right to opt out only after it has been collected and sold. Companies with annual revenue below $25,000,000, or sells personal information collected from more than 50,000 people, or earns more than 50% of its revenue from selling personal data, are exempt. I’d rather the CCPA’s barriers were set higher.

Re: paywall, sorry, I thought AdWeek had a free tier still.

Re: the $2,500 fine, I’m no lawyer, but I believe some websites use forced arbitration, and stop consumers from suing. Perhaps the CCPA overrides this?

Agreed! I’m just hoping the CCPA has an effect similar to how the California EPA sets policy and the rest of the nation benefits with better fuel economy (or used to before our current era) because it’s easier to implement a single business strategy than multiple ones at the same time.


At least TidBITS Publishing doesn’t meet any of those numbers, so we’re exempt. Back when we had both TidBITS and Take Control accounts, we probably would have had more than 50,000 users, and would have been included.

These things are always balancing acts because they usually have fine intents, but often end up burdening small businesses far more than the large companies that are much more likely to be doing bad things with the data. California is clearly trying to avoid that, but as Marilyn says, those numbers could be higher. In particular, it would be easy for a very small business to have more than 50,000 users while still being nowhere near $25 million in revenues or doing anything with selling personal data.


I was very confused, until I went and read the actual act (here: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375, specifically 1798.140.c.1.A-C), and it seems the text Adam quoted has the second and third tests backwards, the conjunctions should be ands, not ors, and the second clause isn’t quite right. A business is exempt if it has revenue <= $25m (with some adjustments); and it receives (not just sells) personal information from less than 50k consumers, households, or devices; and it makes < 50% of its revenue from selling personal information. So Adam’s conclusion is correct, if TidBITS had >= 50k users, the CCPA would apply, but that doesn’t follow from what he quoted.

Yes, always best to go to the actual text. But I do think these are ORs because of “satisfies one or more of the following thresholds” bit.

“Business” means:

(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.

(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

But you never sold personal information of your members; at least I’ve always thought you never did. Collecting information for targeting within your sites is totally different from selling it to outside parties, like what Facebook did with Cambridge Analytica.

You’re right for the text of the act because that’s, as you say, “one or more”. However, that’s what makes a business qualify, the original text you quoted was what makes a business exempt. That’s the inverse of the act, so you have to apply De Morgan’s Law, so the act’s A or B or C to qualify becomes ~A and ~B and ~C to be exempt.


The paragraph of the act speaking to this says:

(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

(Emphasis mine) So it’s not just selling, just receiving is enough.

It’s “receiving for commercial purposes.” TidBITS recently did a survey of its readers that asked questions about editorial features. If Adam does not use the results to sell or target advertising in TidBITS, he’s in the clear.

Another good privacy move from California:

And an interesting reveal from the 47 US district attorneys investigating Facebook’s competitive practices:
