The California Consumer Privacy Act (CCPA) is privacy legislation that regulates companies that collect and process data of California residents, even if the company is based elsewhere. The law requires that consumers are given the option to opt-out of data collection/selling, and/or have their data completely removed from those datasets.
As well, any data that is collected still has to be protected. Not only does this protect consumers, but it makes it easier for companies to comply with data deletion requests.
While CCPA came into effect on January 1st, it has yet to create the waves in privacy that many were hoping for.
What is happening to my data privacy?
As of right now, not too much. Many large companies, such as Facebook, have made changes to their privacy policies in order to be compliant, however many others are slow-moving to do so. Rules of compliance continue to be a work in progress, generating both mass confusion and the slow start of some companies fulfilling the changing laws.
Mary Stone Ross, associate director of the electronic privacy information center, says that enforcement of CCPA will likely not start for months, as well as will be an underfunded program. Not only this, it appears the likelihood of prosecuting CCPA cases will be limited to just 3 cases per year.
Because of this, CCPA’s enforcement date for companies will start in July, despite its implementation already passing.
Part of the legislation includes the opportunity to request my data. Is this something companies have started abiding by?
While many companies are complying with CCPA and returning user data, others are making the interaction more complicated than necessary. Some companies are redirecting their customers to multiple outside organizations while others are offering to send data and then never following through.
One writer at the Guardian requested her data from Instagram, and while she received 3.92GB of memory, there was plenty of information that the photo-sharing giant left out from her report.
Despite the 8000 photos, direct messages, and search history, there was not much that couldn’t be found in the app already. The company failed to send the metadata of which they have stated in their data policy to storing. This metadata could include information regarding the location of where photos were taken.
Instagram is not the only application to send incomplete information when requested. Spotify, a leading music streaming platform, complies with CCPA in sharing data. However, after denying one user’s original request, the platform responded with a light 4.7-megabyte file, despite this person having a 9-year-old account.
Such companies are getting away by complying at a bare minimum -and they are allowed to do this. Companies like Instagram can send snippets of data when requested, and users cannot prove that they did not receive all of it.
Because CCPA has not seen a total resurrection, companies are pushing around users into thinking they are abiding by the law, without adequately protecting their data.
Is my data still being sold?
CCPA requires that companies provide users with the opportunity to opt-out of data sharing/selling. However, in many cases, information is often buried, small print, and unclear for a user to find.
Data aggregators have partnered with companies participating in data sharing and are the go-to when users want to opt-out of data sharing.
Acxiom is an example of a company taking the edge off consumers who want their data back. By placing information into the Acxiom site, the authorized agent scours sights requesting the deletion or viewing of your data.
The issue with sites such as Acxiom is that the majority of internet users are unfamiliar with these types of applications. Thus, finding ways to view and delete your data becomes exhausting.
The average Internet user participates in over 6 hours on the Internet per day. With the human attention span decreasing, the number of websites one person may visit per day could be well over 50. User’s visiting a webpage for only one article, or for only a few minutes, would most likely not spend the extra time searching for a Do Not Sell link.
Because of this, companies remain compelled to hide the opportunity for users to take control of their data. And while CCPA should be effective for the average user’s data, it is still unclear the impact it will have.