It’s been a full month now since California’s new privacy law went into effect. The CCPA is landmark legislation for the US so we, as privacy advocates developing tools to help consumers take full advantage of their new rights, wanted to see how the new law is doing. Specifically:
- How well are companies complying with the new law?
- Are consumers in a better position to take back control over our personal data?
We took a deep dive into the websites of 161 of the biggest, most prominent consumer-facing companies across 10 different industries to start to figure that out.
According to our analysis, 143 of these 161 companies (89%) have updated their privacy policies to, in the words of the California Attorney General’s latest regulations,
“...provide consumers with a comprehensive description of a business’s online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information.”
In most cases, companies have added separate California-specific sections to their existing privacy policies that address all the key CCPA requirements. Or they have updated their full policies more holistically to incorporate new CCPA-friendly language. (One clear giveaway: the new privacy policies were dated effective December 2019 or later!)
Our hunch is that these bigger companies are facing more public scrutiny and are thus much more likely to have complied than mid-sized companies that are out of the public spotlight. But we’d have to look more closely at those companies doing $50M-$100M in annual revenue to know for sure.
Of course this also means that 18 of these 161 big companies (11%) haven’t complied by publishing clearer, updated privacy policies. So who are the laggards in our analysis?
- Foreign-based companies including Bertelsmann, Louis Vuitton Moet Hennessy, Lufthansa, SAP, and Vivendi -- who may feel less pressure to comply with California law
- Healthcare/Pharma companies like Aetna, AmerisourceBergen, Humana, Kaiser Permanente, and UnitedHealth Group -- who are covered by federal health privacy legislation (HIPAA)
- Airlines including American, United, and Delta -- who are regulated by the federal government
Even these laggards, however, are required to comply with the CCPA because they serve California residents and generate more than $25 million in annual revenue. Updating privacy policies should be one of the easiest ways to follow the law. It’s time for them to step up!
Are Californians protected against another Cambridge Analytica? We're not so sure...
One of the main goals of the CCPA is to empower consumers to easily opt out of companies selling their personal data -- in justifiable reaction to the Facebook and Cambridge Analytica scandals, among many others.
Under the CCPA, companies that sell consumers’ personal information are required to add a prominent “Do Not Sell My Personal Data” link at the bottom of their website home pages so that consumers can exercise this right -- and to provide an easy webform for submitting these Do Not Sell requests.
What does it mean to “sell” personal information? That’s a thorny topic that will likely be litigated in the courts and could be the subject of many future posts. At a minimum, it means sharing a consumer’s personal information with another third party for “money or other valuable consideration” -- like selling a list of customer data. But, depending on your interpretation, it could also mean allowing third parties to cookie-target your consumers with advertising.
At this point, individual companies and their attorneys are interpreting the definition of a “sale” for themselves, to decide whether they should or shouldn’t provide a Do Not Sell link. 81 of the 161 companies in our analysis (50%) have determined themselves that they qualify as a seller of personal information -- because they’ve added a Do Not Sell link to their home pages, created a Do Not Sell webform, and/or have indicated that they qualify somewhere in the text of their privacy policies.
However, 24 of these companies (30% of the 81 data-selling companies, or 15% of the total universe) are deficient in fully complying with the Do Not Sell provisions of the law.
What do we mean by that?
- 15 of these 81 companies (18%) don’t have a “Do Not Sell My Info” link at the bottom of their home page. Either they have a link that’s called something else (like “CA Privacy Rights”) or they don’t have a link at all. Laggards here include Alaska Airlines, Citibank, Conde Nast, Safeway, and Warner Media.
- 13 of these 81 companies (16%) don’t provide a simple, easy-to-use webform that any consumer can use. Some companies require you to send an email; others impose a lot of complicated verification requirements; and others require you to log in or provide some kind of account number, which means you have to be a customer to opt out. None of those things are allowable under the law. Laggards here include Altria, Anheuser-Busch, Kraft Heinz, and Priceline.
- 3 of these 81 companies (4%) don’t have any kind of “Do Not Sell” mechanism at all -- even though their privacy policies suggest they sell data with other companies. Laggards here include JBS, Nestle, and Tyson Foods.
- 7 of these companies have multiple deficiencies.
The CCPA was intended to make Do Not Sell requests easy for consumers to execute -- easy to locate, easy to complete, easy to verify. But too many companies are still making these requests too difficult for consumers, and that must be fixed.
More broadly, there is also too much wiggle room in how a company interprets “sell.” What if they “gave data away” without receiving any “valuable consideration”? It’s theoretically possible. A consumer is worried about their personal data being shared without their consent, regardless of the reason, not just if there was monetary value exchanged.
Ultimately we believe that many more than 50% of companies will need to offer a Do Not Sell function to consumers. We expect that as we near July, when the California Attorney General’s office begins officially enforcing the law, these compliance numbers will improve. But there’s no time like the present for companies to begin doing the right thing!
We’ll keep an eye on this in the weeks ahead.
A few bright spots
Some companies already appear to be embracing the full spirit of the CCPA when it comes to offering consumers more control over their personal information.
Shout-outs to AT&T, Coca-Cola, McDonald’s, and Southwest Airlines for making their privacy policies more consumer-friendly and making it easy for people to exercise their “Do Not Sell” choices.
Stay tuned for future posts -- when we’ll examine how these 161 major consumer-facing companies are complying with other elements of the law (including processing Delete and Access requests), as well as take a deeper look at a whole other group of companies: data brokers.
Confidently is the consumer's privacy champion. We’re building a new platform to help people manage their privacy and take back control of their personal data across their entire digital footprint.
Sign up for Confidently Delete, our beta product, here -- and we’ll get to work deleting your personal data from 60+ data brokers that sell your data without your permission! We’ll be rolling out many new powerful privacy features in the days and weeks ahead.