Attitudes to privacy are changing in fast and profound ways. The implications for Australian organisations could be far-reaching.
Hot on the heels of the recently updated Australian Privacy Principles and the EU’s GDPR, comes the latest privacy regime: the California Consumer Privacy Act or CCPA.
Why California Matters
With a population exceeding 40 million, if California were a country its economy would rank as the world’s fifth largest. Home to many of the world’s leading tech giants, including Apple, Google and Facebook, California’s cyber laws have far-reaching worldwide ramifications.
For many Australian organisations, the introduction of the CCPA from 1 January 2020 could have significant implications.
The law applies to any business active in California that collects consumers’ data and meets at least one of the following thresholds:
- Has annual gross revenues in excess of US$25 million;
- Possesses the personal information of 50,000 or more consumers, households, or devices; or
- Earns more than half its annual revenue from selling consumers’ personal information.
The CCPA has been called the American counterpart to Europe’s GDPR as it sets a new high-water mark for consumer privacy protections in the US.
The minimum thresholds mean most Australian small to medium businesses won’t be affected, so the CCPA will make less of a regulatory splash in Australia than the GDPR did. The GDPR extends widely to cover any commercial organisation that handles the personal data of EU citizens.
The good news for larger Australian organisations that fall within the purview of the CCPA is the strong likelihood they are already well prepared for it thanks to the compliance requirements contained in the Australian Privacy Principles (APPs).
So, what makes the CCPA different?
The CCPA is very consumer centric. It defines “personal information” broadly – even more broadly than the GDPR and the APPs. It covers data such as IP addresses and consumer purchasing history.
Importantly, it gives consumers additional rights, some of which don’t exist in Australian privacy law. These include the right to prevent businesses from selling personal information to third parties. The CCPA adopts a consumer’s understanding of what counts as a third party, rather than a strictly corporate law view.
Also new is the prohibition on businesses charging consumers different prices or refusing service based on the exercise of a CCPA privacy right.
This element has led to concern among retailers about the viability of loyalty or rewards programs, which could suddenly become unlawful. There is a complicated set of exceptions around this; however, the law is still being amended in the California legislature and could be further clarified.
Be Prepared to be Responsive
The Australian Privacy Act already gives Australians the right to access the information held about them. The CCPA gives Californians similar rights – the right to know what personal information a company has collected, where the data came from, how it will be used, and with whom it’s shared.
Companies will need to respond within 45 days with a report covering the preceding 12 months. In Australia, the APPs stipulate that responses to individuals be provided in a “reasonable” timeframe, typically about 30 days.
The practical implications? Your data systems need to be able to automatically output consolidated personal information for a single customer. Many organisations do not have their systems set up to do this yet. The result is wasted time and staff effort piecing together data manually from multiple sources, in both hard-copy and electronic formats.
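The consolidated output described above, as an added worked example that is not part of the article: a hypothetical function that pulls one customer’s records from several constructed internal systems, keeps only the 12-month window and reports the 45-day response deadline. The system names, record layout and sample values are all assumptions.

```python
from datetime import date, timedelta

# CCPA figures quoted in the article: respond within 45 days, with a report
# covering the preceding 12 months (approximated here as 365 days).
CCPA_RESPONSE_DAYS = 45
CCPA_LOOKBACK_DAYS = 365

# Constructed sample rows from three hypothetical internal systems (CRM, web
# logs, order history). A real implementation would query those systems.
SAMPLE_RECORDS = [
    {"system": "crm", "customer_id": "C-1001", "collected_on": date(2019, 11, 3),
     "category": "email", "value": "alice@example.com",
     "source": "web signup form", "shared_with": ["email delivery provider"]},
    {"system": "weblogs", "customer_id": "C-1001", "collected_on": date(2019, 12, 15),
     "category": "ip_address", "value": "203.0.113.7",
     "source": "website access logs", "shared_with": ["analytics vendor"]},
    {"system": "orders", "customer_id": "C-1001", "collected_on": date(2018, 6, 1),
     "category": "purchase_history", "value": "order 17",
     "source": "online store", "shared_with": []},  # older than 12 months
    {"system": "orders", "customer_id": "C-2002", "collected_on": date(2019, 12, 1),
     "category": "purchase_history", "value": "order 42",
     "source": "online store", "shared_with": ["shipping partner"]},  # other customer
]


def consolidate_request(records, customer_id, request_date_iso):
    """Build one consolidated disclosure for a single customer: categories
    collected, where they came from and who they were shared with, limited to
    the 12-month lookback window, plus the statutory response deadline."""
    request_date = date.fromisoformat(request_date_iso)
    window_start = request_date - timedelta(days=CCPA_LOOKBACK_DAYS)
    categories, sources, shared_with, systems = {}, set(), set(), set()
    for rec in records:
        # Keep only this customer's data collected inside the lookback window.
        if rec["customer_id"] != customer_id or rec["collected_on"] < window_start:
            continue
        categories.setdefault(rec["category"], []).append(rec["value"])
        sources.add(rec["source"])
        shared_with.update(rec["shared_with"])
        systems.add(rec["system"])
    return {
        "customer_id": customer_id,
        "response_deadline": (request_date + timedelta(days=CCPA_RESPONSE_DAYS)).isoformat(),
        "window_start": window_start.isoformat(),
        "systems_queried": sorted(systems),
        "categories": categories,
        "sources": sorted(sources),
        "shared_with": sorted(shared_with),
    }
```

Calling `consolidate_request(SAMPLE_RECORDS, "C-1001", "2020-01-15")` drops the 2018 order and the other customer’s rows, and returns a deadline of 2020-02-29.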
Mind Your Own Business looms
Privacy is attracting more political and regulatory attention as the big tech platforms come under fire for negligence around personal information.
The latest US legislative proposal is the marvelously named ‘Mind Your Own Business Bill’ introduced by Oregon Democrat Senator Ron Wyden.
The proposed legislation would allow consumers to control the sale and sharing of their data. It would also allow the US Federal Trade Commission (FTC) to establish minimum privacy and cybersecurity standards for tech platforms. The FTC could also issue fines of up to 4 percent of a company’s annual revenue for first-time offenses, similar to provisions in the GDPR. Furthermore, executives who knowingly lie to the FTC about privacy violations could face up to 20 years’ imprisonment.
The bill would also require companies to assess the algorithms that process consumer data for accuracy, fairness, bias, discrimination, privacy and security.
It would also create a national ‘Do Not Track’ system that empowers consumers to stop third-party companies tracking them on the web by sharing data, selling data, or targeting advertisements based on their personal information.
Confusingly, the bill also includes a requirement for ‘privacy friendly’ versions of products and allows companies to charge extra for them – but not more than the amount they forfeit by not collecting the user’s data.
Apart from the puzzle of how to calculate the value of collecting user data, there is also a potential clash with the CCPA that needs to be ironed out. As noted, the CCPA doesn’t allow differential pricing when a consumer exercises their privacy rights, including the ‘do not collect’ right.
While ‘Mind Your Own Business’ is just a proposal at this stage, it’s an indication of which way the wind is blowing in terms of privacy and the extent to which legislators are prepared to go.
Conclusion: the way we think about privacy protection is being transformed
From these developments in the US, it’s clear we are witnessing a paradigm shift in regulatory thinking around privacy.
Privacy was once a siloed topic with its own peculiar consent-based requirements, in which the onus of responsibility fell on consumers. There is now a shift towards a principles-based approach, with privacy moving towards integration with general consumer protection law.
Just to bring home the point: When we buy a blender to make smoothies, we don’t find a sticker on the box announcing that by opening the box we consent to the production methods used to make the blender. We just expect it is built to be safe, and if it isn’t, the company is breaking the law. We don’t need to become experts in the science and engineering of blender safety. Indeed, the idea seems ridiculous.
My belief is that akin to blenders, a company in the digital world that adopts the privacy by design approach is going to have an advantage over competitors who present customers with pages of burdensome privacy settings to wade through.
With so much escalating attention on these issues, consumers are increasingly attracted to companies that take privacy seriously. It pays for organisations to get privacy right so they will be able to positively market their high privacy standards.