Are Companies Adhering to CCPA Requirements?
Some Are Not Giving Customers Option to Opt Out of Data Sale, Legal Experts Say
Many companies that were likely expected to offer consumers the ability to opt out of the "sale" of their personal information under the California Consumer Privacy Act are not doing so. Part of this may be due to the law's ambiguities, some legal experts say. CCPA went into effect Jan. 1, but enforcement has been delayed until July.
"Given the ambiguities in the statute, we're seeing a lot of variances in organizations' compliance efforts," Sadia Mirza, an attorney at the law firm Troutman Sanders, tells Information Security Media Group. "Most organizations don't agree on what constitutes the 'sale' of information," she says.
California's attorney general, Xavier Becerra, is expected to finalize regulations to carry out the law this spring to help clarify ambiguities.
"The attorney general should promulgate regulations reflecting that the transfer of data between unrelated companies for any commercial purpose falls under the definition of sale, so that consumers can opt out of the sharing of their data for targeted advertising," writes the Center for Digital Democracy in a blog.
The Unclear Definitions
CCPA broadly defines "sale" as "selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration."
The law exempts the transfer of data to "service providers" from the "sale" definition, and many companies are claiming they qualify for that exemption, says Heikki Tolvanen, co-founder of PrivacyAnt, a Finland-based privacy firm.
"Under the service provider exemption, a business is not considered to sell data when it shares personal information with a service provider and it is necessary to perform a business purpose," he says. One example of a service provider is the Amazon server that hosts data for companies. "Here, you don't need to provide the 'do not sell' functionality as hosting data is the core of the business for Amazon here," says Tolvanen, who is advising companies on privacy compliance.
"Clearly, data brokers don't fall under the [service provider] exemption, but many normal business activities will," says Reece Hirsch, a partner at the law firm Morgan, Lewis & Bockius LLP.
Under CCPA, if information is de-identified, then sharing that information does not constitute a "sale" of data. Also, if a consumer has explicitly agreed to share data with third parties, then they don't have to be offered the opt-out provision, regulatory experts say.
"Some people likely expected to have an option to opt out from Facebook's or Google's data sharing practices. It may have been surprising to learn that such entities do not sell personal information, as that term is defined by the CCPA. However, given the ambiguities in the law and the exceptions that exist to the definition of sale, that very well may be the case," Mirza says.
Tolvanen adds: "Google's CCPA Addendum covers only online IDs as personal information that is in the scope of CCPA agreement. This raises questions about what happens with other data disclosed to Google. For example, with Google Analytics, businesses are clearly disclosing more data than just 'Online IDs' to Google."
Some companies, including Amazon and Snapchat, claim in their privacy notices that they do not sell personal information of consumers. Relatively few companies doing business in California, in fact, acknowledge selling personal information, Tolvanen says.
Amazon's privacy notice reads: "No sale of personal information. In the twelve months prior to the effective date of this disclosure, Amazon has not sold any personal information of consumers, as those terms are defined under the California Consumer Privacy Act."
Similarly, Snapchat's privacy notice notes: "We don't sell your data. To keep the lights on at Snap HQ, we do show ads. We do our best to make these ads relevant, so they're enjoyable. Our Support Site provides information on do not track, advertising and interest preferences."
"Due to the complexities and ambiguities in the CCPA, we will continue to evaluate some of our third-party relationships as we wait for final implementing regulations and guidance," Spotify states. "For example, it is currently unclear whether the use of certain types of advertising partners would be considered a sale under CCPA. We provide usage data to advertising partners, which enables us to provide you with interest-based advertising. If you prefer not to receive interest-based advertising, please opt out by going to your account privacy settings and using the tailored ads opt-out toggle."
Tolvanen observes: "So as we can see, personal information is still being disclosed to third parties as always, but consumers don't often have any choice and control for opting out due to the broad definition of 'service providers'."
CCPA also gives consumers the right to know how their data is getting used and the kind of data that is being collected.
But Tolvanen claims that many companies are coming up short when it comes to making such disclosures.
For instance, the Uber app collects all sorts of data from customers - how they rate their drivers, their address and their daily Uber rides. But when a customer leveraged his CCPA rights and asked Uber about the kind of data it collects, Uber chose not to reveal everything, according to a report in the Washington Post.
"Unfortunately, most laws are open to interpretations," Tolvanen says. He calls for California to form a group of experts "who will review and investigate privacy policies of companies before they get displayed for the public. Otherwise, companies will continue exploiting the law with little change in privacy for consumers."