What is the CCPA (California Consumer Privacy Act)?
The CCPA is America’s GDPR. The aim of the legislation is to hold businesses accountable and empower consumers by allowing them to gain visibility on the personal information that businesses store and share, or disclose to third-parties.
The legislation specifically aims to protect residents of California. However, the legal obligations apply to any company that does business in California and that meets one or more of the following criteria:
- Has an annual gross revenue in excess of $25 million
- Buys, receives, sells or shares the personal data of 50,000 or more consumers
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
Arguably, even though the CCPA applies to Californian residents, it will have a global impact, given that it may also apply to businesses established outside of California – if they have any consumers resident within the state, or if the business is operating within the state of California. In addition, the introduction of this legislation is likely to have a domino effect with other states following suit.
Given the global nature of large-scale businesses, all companies need to ensure they are compliant and the deadline for compliance (Jan 1st 2020) has already passed. Companies do not have to have a physical location within California, or even within the US. The legislation still applies if they have any consumers resident within California.
When does the CCPA come into force?
The bill has passed and the CCPA came into force on 1 Jan 2020. This means that the law is “operative” and individuals have the right to bring forward suits related to data security breaches. However, enforcement will not really begin until July 2020, because until July, a company cannot be a defendant in a civil action for privacy-related provisions of the CCPA.
In other words, the California attorney general’s office will not take any enforcement action against companies that do not comply, until 1 July 2020.
While individuals can report breaches as the law is now operative, the Attorney General is prohibited from filing a lawsuit until that date.
Companies still have time to ensure that they comply, but many have an inadequate understanding of how their data and processes are impacted by the law.
All companies must perform due diligence across their business to ensure compliance with the new legislation.
What data does the CCPA apply to?
The CCPA takes a similar route to the GDPR, but the data requirements are slightly broader. In the CCPA, personal information is defined as:
“Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA also states that personal information can include, but is not limited to:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
- Biometric information;
- Internet or other electronic network activity information, including browsing history, search history, and information relating to website, application or ad interaction;
- Geolocation data;
- Audio, electronic, visual, thermal, olfactory, or similar information;
- Professional or employment-related information;
- Educational information — other than what is publicly available as defined here; or
- Any inferences drawn from information such as those mentioned above, which is used to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Given that the definition of personally identifiable data is fairly broad under the terms of the CCPA, a key question is whether WhatsApp messages themselves constitute personally identifiable information.
Given that messages could be used to build up a personal profile of the likes, dislikes or behaviour of a particular individual, messages could arguably constitute personal information. WhatsApp should not have access to this message content, as messages are encrypted and stored locally on users’ phones.
However, the CCPA gives consumers the right to delete their data, which is almost impossible for WhatsApp to do given that their messages are stored on other users’ phones as well as backed up externally by other users or exported in plain text. Users can request their data in a report from WhatsApp, but the report does not include the users’ messages.
What rights does the CCPA give consumers?
The CCPA gives consumers the following rights:
- Consumers (as defined by CCPA) have a right to know what personal information is being collected about the consumer. Companies must disclose what information is being collected as requested by the consumer.
- Consumers have a right to know whether their personal information is being sold or disclosed to third-parties.
- Companies must allow consumers to choose not to have their data shared with third parties.
- Companies cannot discriminate against consumers who choose not to share their personal data. In other words, the business must provide equal service. However, the company can provide incentives to users who disclose personal information.
The CCPA mainly focuses on allowing consumers to opt-out of sharing data or prevent companies selling or disclosing their data to third parties. Under the terms of the legislation, California consumers can ask a company about their own personal data and also request the company delete their personal information under the terms of the new privacy act. Businesses have 45 days to comply with user requests.
What does “selling data” mean under the CCPA?
The CCPA has a very broad definition of what constitutes ‘selling’ customer data. The CCPA defines selling as any arrangement between a business (or “controller” as defined by the GDPR) and third-party company (or “processor”).
For clarity, here is how the CCPA defines selling in its legislation [from Section 9, Part t (1)]:
“ “Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
What does “valuable consideration” mean?
One issue with the definition above results from a lack of understanding of the meaning of the term “valuable consideration”. The CCPA doesn’t define what it means by valuable consideration, but the IAPP has published an article proposing an interpretation of what is meant. It is up to California’s Attorney General to provide further clarity on what the CCPA legislation means by “valuable consideration.”
However, according to the IAPP:
“California law defines consideration as “[a]ny benefit conferred, or agreed to be conferred, upon the promisor, by any other person, to which the promisor is not lawfully entitled, or any prejudice suffered, or agreed to be suffered, by such person, other than such as he is at the time of consent lawfully bound to suffer, as an inducement to the promisor, is a good consideration for a promise.”
“Given the potentially overbroad scope of “valuable consideration,” the key factor to determine if a transaction is a sale under the CCPA will likely be whether it falls within one of the four exceptions to the definition of “sale.” Those are: (1.) transfers directed by the consumer; (2.) use of data to alert third parties of opt-outs; (3.) disclosure of data to “service provider”; and (4.) transfers of data in transactions where the acquirer assumes control of the business.”
Two things are required of any business handling customer data. Firstly, they must ensure that they provide proper notice to consumers about personal information sharing practices. Secondly, if the business uses any service providers, they must oblige those service providers not to collect, sell or use the personal data, except as a necessary means to perform the function that the business has hired them to do.
As highlighted above, disclosure of any data to an external service provider falls under the category of “valuable consideration”. The definition of selling is broad enough to include any company that shares their data with a third-party, even if the vendor is processing the data for their own analytics or other secondary process.
The provisions require companies to include a “Do Not Sell my Data” button on their website; this is a requirement by law. The CCPA also requires companies to have appropriate mechanisms in place to allow consumers to opt out of data sharing or selling.
The CCPA legislation is clear and unambiguous about providing appropriate links to allow consumers to opt out of selling data. The legislation provides clarity on this issue, in Section 1798.135, as per below:
“(a) A business that is required to comply with Section 1798.120 shall, in a form that is reasonably accessible to consumers:
(1) Provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.
(2) Include a description of a consumer’s rights pursuant to Section 1798.120, along with a separate link to the “Do Not Sell My Personal Information” Internet Web page…”
ShareThis is one example of a company that now has this page on their website, as the screenshot below shows:
Facebook argues it is not selling data
Facebook has argued that the CCPA regulations do not apply to them, since the company isn’t in the business of selling data.
In a statement on its website, Facebook has this to say about the CCPA:
“The CCPA also requires companies to provide people with thorough descriptions of their privacy practices, including whether they sell people’s data. We’re committed to clearly explaining how our products work, including the fact that we do not sell people’s data.”
The company does share data with third-parties, but the social network doesn’t classify this as selling data. To understand why Facebook thinks the business is exempt from the CCPA, it is important to understand how the social network collects data about its users.
Facebook allows business users to download Pixel free of charge. This is a snippet of code that tracks web activity on an external website, building a personal profile of the site’s individual users.
This data is then used by Facebook, and businesses pay Facebook to deliver ads that are based on the harvested website information.
Because the data isn’t sold to those businesses, or made available or shown to them, Facebook argues the company doesn’t sell the data itself. Effectively, Facebook classifies itself as a tech provider, or middleman, providing anonymized information to businesses to deliver ads. However, using Facebook Pixel does lead to a transfer of data between the external website and Facebook, and if Facebook uses this data for its own internal purposes, for any purpose other than delivering ads, this could be interpreted as a sale of data for “valuable consideration” under the terms of the CCPA.
The business (that has installed the pixel snippet) has provided Facebook with the general demographics to target ads to. Facebook then targets their ads to users it believes fit the requested profile.
While Facebook claims the CCPA doesn’t apply to them, at least three legal experts who spoke to Vox’s Recode felt differently. They contend that the company will not be successful in maintaining its exemption.
The transfer of personal data as part of the web tracking services is regarded as a sale, under the terms of the CCPA, if Facebook is using the data for its own purposes, or deriving any other “valuable consideration” from it.
Therefore, if Facebook is using the data for any purpose other than providing ads to businesses, then the network cannot claim exemption. Roger Allan Ford, a law professor at the University of New Hampshire specialising in technology law, spoke to Vox Recode and said:
“CCPA allows data transfers to service providers so they can provide services and says those transfers don’t count as selling user data…. But Facebook also seems to use the data for its own purposes, separate from providing ad services, and can’t rely on the service provider exception for those uses. So if Facebook does use tracking data for its own business purposes, then its argument is wrong.”
Jacob Snow, a technology and civil liberties attorney for the ACLU of Northern California, said:
“When a website delivers massive volumes of personal information to Facebook, that’s a sale under the CCPA,” he said. “Facebook’s plans to disregard the law is but another example demonstrating that industry will do anything to protect their bottom line at the expense of Californians’ rights.”
While on the surface, companies may argue they aren’t selling the data, the act of sharing is still considered to be a sale, as defined by the legislation itself, according to Mary Stone Ross, co-author of the CCPA, and associate director at the Electronic Privacy Information Center, or EPIC.
"The definition of 'sell' is written in a way to include the sharing of personal information"
Does WhatsApp comply with the CCPA?
As a business operating within the state of California, WhatsApp must of course comply with the regulations as set out by the CCPA.
Even if WhatsApp is not directly selling customer data for money, Facebook has confirmed they are integrating the back end of WhatsApp with Instagram and Messenger so data can more easily be shared across Facebook companies.
More broadly WhatsApp’s terms of service state that “we share your information to help us operate, provide, improve, understand, customize, support, and market our Services” and that “users with whom you communicate may store or reshare your information (including your phone number or messages) with others on and off our Services.”
This sharing would clearly appear to be ‘selling’ as defined by the CCPA and so there need to be mechanisms in place for users to opt-out.
With WhatsApp, users share information about other users, in particular by giving the details of those contacts in their mobile address books. This is explained in WhatsApp’s legal terms:
“Your Account Information. You provide your mobile phone number to create a WhatsApp account. You provide us the phone numbers in your mobile address book on a regular basis, including those of both the users of our Services and your other contacts. You confirm you are authorized to provide us such numbers. You may also add other information to your account, such as a profile name, profile picture, and status message.
Information Others Provide About You. We receive information other people provide us, which may include information about you. For example, when other users you know use our Services, they may provide your phone number from their mobile address book (just as you may provide theirs), or they may send you a message, send messages to groups to which you belong, or call you.”
WhatsApp make it clear that it is up to the users themselves, and any third party businesses, to ensure they have all the necessary lawful rights to share in these ways:
“We require each of these users and businesses to have lawful rights to collect, use, and share your information before providing any information to us.”
As a WhatsApp user, if you allow WhatsApp to sync with your address book, then you are effectively “selling” all your contacts’ information. This happens not just at the point of first syncing but in an ongoing way: as you add or update more details, e.g. home/work addresses, you continue to share/sell that data with WhatsApp.
If your information has been shared in this way on WhatsApp, but you are not a WhatsApp user, it is hard to see how you can effectuate your rights under the CCPA to stop this ‘selling’ of your data. And it would be extremely hard to get your data deleted as it would be hard to identify and near impossible to retrieve and remove from other users’ phones.
What about WhatsApp Business and the CCPA?
Since summer 2018, many businesses have been testing WhatsApp’s API for business. Often the use cases are customer service or support where the communications between brand and customer happen over WhatsApp. WhatsApp is also moving into ecommerce and allowing merchants to list their products on WhatsApp for users to browse and buy.
Your business has to share (‘sell’ in CCPA terms) customer data with WhatsApp, often also with a third-party integration provider like Twilio, in order to provide a service. Under CCPA you will need to provide a way to stop this sharing without harming the service you are offering. And, if one of your users requests it, you will need a way to delete any data you have passed on. In some cases this might be easy if partners are not storing any data but it will be important to understand what data WhatsApp is storing, if any, from what you share with them.
Though the CCPA focuses on Californian residents, it will have global ramifications for any business with customers based in this state. Companies are under greater scrutiny to protect users’ data and allow their customers to control who has access to their personal information. Any company caught in non-compliance with the new CCPA risks hefty fines.
In terms of WhatsApp, it seems:
- Facebook argue they are not bound by the CCPA but many experts, including lawyers, do not agree.
- The kind of ‘sharing’ that users do on WhatsApp clearly appears to be ‘selling’ of data under the CCPA definition but Facebook do not agree.
- Under the CCPA, WhatsApp needs to provide users with the ability to stop any such sharing without that compromising the service they offer. Presumably this will apply to preventing the sharing of customer data with advertisers when WhatsApp brings in advertising this year.
- When WhatsApp introduces adverts and is fully integrated with Instagram and Messenger, Facebook will need to ensure it is clear to WhatsApp users how their data is stored, shared and disclosed to third-parties.
- If you’ve had your data put into WhatsApp (by another user or third party) then it is hard to see how WhatsApp can retrieve or delete that for you even though the CCPA gives you that right.
- If you are a business integrating with WhatsApp Business then you will need to be careful that you are not exposing yourself to breach of the CCPA by sharing data with intermediaries, or WhatsApp, without properly notifying your customers and providing means to stop such sharing and delete any data shared upon request.
California Legislative Information: Assembly Bill No. 375: An act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy.
Comparing privacy laws: GDPR v. CCPA
Californians for Consumer Privacy
Xavier Becerra, Attorney General: California Consumer Privacy Act (CCPA)
Clarip: Clarity in Privacy: CCPA Right to Opt Out for the Sale of Personal Information
CNET: California's new privacy law puts you first. Too bad companies are ignoring it
CPO Magazine: Facebook Refuses to Change Web Tracking Practices, Believes That CCPA Does Not Apply to Them, Scott Ikeda
The Guardian: California's ground-breaking privacy law takes effect in January. What does it do?
What does 'valuable consideration' mean under the CCPA?