The CCPA, also known as AB-375 and the California Consumer Privacy Act of 2018, is a California privacy law analogous to the European GDPR. The bill was passed September 23, 2018 and went into effect January 1, 2020.
The California legislature passed the CCPA in a hurry to avoid a ballot initiative. It is widely expected that the law would be amended, as indeed it was. Amendments are still being proposed, including AB 713 which would create an exception for data determined by expert to be de-identified, analogous to expert determination under HIPAA. (Update: AB 713 was signed into law September 25, 2020.)
The CCPA says that California residents have the right to control their personal data: to know what’s being collected, to know whether it’s being sold and to whom, to block their data from being sold. It also says that consumers cannot be charged a different price for exercising their privacy rights, with some exceptions.
In section 1798.145 (a), the bill says
The obligations imposed on businesses by this title shall not restrict a business’s ability to … collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.
The CCPA defines deidentification in section 1798.140 (h):
“Deidentified” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information [has adequate procedures in place].
Interpretation and procedures
It remains to be seen how courts will interpret this section. For example, will it prohibit browser fingerprinting? Browser fingerprints cannot immediately identify particular consumers, but they certainly are directly linked to particular consumers.
The law requires businesses to have “technical safeguards” and “business processes” that prohibit reidentification. What will be considered adequate safeguards and procedures? The law gives no details. The California law does not reference the federal HIPAA regulation, but perhaps companies will look to HIPAA by analogy.
The uncertainty around possible interpretations of CCPA makes differential privacy more attractive since the privacy guarantees are intrinsic to the differential privacy mechanisms and independent of external considerations. This makes a differentially private system less subject to changes in (the interpretation of) law.
If you’d like to get more value from your data while protecting individual privacy, call or email now.
Trusted consultants to some of the world’s leading companies