In 2018, California passed the California Consumer Privacy Act, more commonly known as the CCPA. A California version of the European Union’s General Data Protection Regulation (GDPR), the CCPA affords California residents (and unfortunately, only California residents, even if the business is based out of California) certain privacy protections. The most crucial of these is the “right to know”: consumers are entitled under the law to know what data is being collected, how it is being collected, how it is being used (including how it is being sold), and the exact data that companies have.
Unfortunately, the “right to know” protections are woefully inadequate. Under the current text of the CCPA, businesses only have to respond to RTK requests within 45 days (CIV sec. 1798.110(a)(5)). This is just for an initial response, similar to the California Public Records Act’s 10-day initial response window. Businesses then have free rein (without any justification, unlike the PRA where the agency must provide one) to extend the period by another 45 days before they have to provide any documents.
What this means in practice is that businesses can generally refuse to comply. For all but the most dedicated searchers, three months is more than enough time to forget a request exists – allowing the businesses to just forget about the request, as most people are unlikely to enforce it. Most cases don’t qualify for pro bono assistance from most legal aid clinics, so there isn’t any legal enforcement – most people won’t pay thousands of dollars to hire a lawyer to enforce the Act. CCPA enforcement actions are, as a result, rare; anyone who tries runs the risk of getting a corporate-friendly judge who will completely dismiss the concept.
The same problems exist to a lesser degree with the GDPR. Take Apple, who says they’ll fulfill GDPR requests in 7 days. However, they’ll write up whatever extensions they want, and cases from several users have shown that they just never disclose user data.
The CCPA also suffers from a fatal limitation: revenue limits. It only applies to businesses with revenues of more than $25 million USD per year; while this does cover most large businesses, it means small companies can get away with selling information and disclosing almost nothing to users.
Overall, the CCPA needs a major overhaul. In its current form, it is not adequate for protecting California residents. To protect the right of users to privacy and information, major changes to the CCPA must be instituted by the legislature or by California voters.