CCPA: A Real Roller Coaster for Business Entities

CCPA: A Real Roller Coaster for Business Entities

One huge change in 2020 is the new data privacy law called the California Consumer Privacy Act or CCPA, which is effective from January 1st, 2020. Its results are expected to have impacts far beyond California State.

The CCPA is considered as Calfornia’s equivalent of Europe’s General Data Protection Regulation (GDPR). Signed by Governor of California in 2018, the CCPA grants California residents new online privacy and consumer protection. Even if you aren’t a resident of the Golden State, it may affect you.

What is CCPA and What it’s going to do?

This Act is going to give residents of California the right; to know what personal data is being collected on them and for what purpose is their data is used, who the data is sold to or shared with. They will also have the right to request that their data is not sold to third parties and could be deleted if requested. Furthermore, it also gives citizens the right to access their data collected online.

You may already have come across the impacts of CCPA in the form of the new privacy policy on different websites as they prepare for the implementation of this law. Even though the consumers will not notice a major difference daily, it has a great impact on businesses. The law completely changes how companies will treat customer data.

Even if your business doesn’t have a physical presence in California but you conduct business with residents of the state, then the CCPA may affect you too. While the CCPA is California’s state law, customers and businesses all across the united states will likely benefit.

Most businesses won’t want to deal with the extra overhead of applying to different privacy rules; one for California and one for the rest of the country. Just like the GDPR isn’t directly applicable to non-European countries, it paves the way for new data protection regulations across the globe. CCPA it’s self is inspired by GDPR and will now likely serve as an inspiration for other such laws.

Businesses Affected by CCPA

CCPA will affect the businesses selling products or rendering services to the residents of California. If your company buys or sells data on at least 50000 California residents each year, you are obliged to disclose to those residents what you are going to do with their data and they also have the right to not sell their data.

Moreover, companies generating revenue equivalent to, or more than $25 million or get 50% or more of their annual revenue by selling customer information are affected by the CCPA.

Firms that need to Comply with CCPA

Businesses operating online and collecting any sort of customer data needs to comply with CCPA. Following are some businesses that must comply with CCPA regulations:

Identity Verification Services

As identity verification requires sensitive identification data on customers, the verification services are most vulnerable to data breaches and need to place stringent checks on how to protect customers’ data. CCPA requires that all identity verification services implement their privacy policies amid Califonia Consumer Privacy Act.

Social Media Platforms

Being an important part of customers’ online journey, social media is a preferable platform for targeting the audience of interest. Different social media sites are used to advertise products and services and data available on social media platforms, even though mostly unstructured, contains sensitive information. Mostly personal data from social media platforms are bought and sold without prior user consent and which is why CCPA is going to affect social media platforms.

Are Businesses Ready for California’s New Consumer Protection Act?

As with GDPR, no one’s certain about what it means to be compliant with CCPA. With the start of a new decade, the law is in effect and it looks like consumers, businesses and even the regulatory authorities in California are not ready. Draft regulations for enforcing the act is still to be finalized at the state level.

Despite a lot of concerns before it’s official adoptions last year, GDPR went smoothly at least swifter then what was expected but the CCPA is likely to be a greater compliance challenge. Being the United States’ first data privacy law that gives customers control over their data, the CCPA is expected to create a lot of uncertainties.

Most online companies view the CCPA as being in their long term interest as it’s the first step towards data privacy. The companies, however, are not quite sure whether the law is comprehensive enough to cover all the data protection aspects and deal with all the challenges faced by firms and customers online.

Anyhow, California’s Attorney General says that even though widespread enforcement of CCPA isn’t likely until July, companies shouldn’t consider the first six months as a grace period. He further said, “We are going to help companies understand our interpretation of the law.”

Seeing the hesitations and all the uncertainty built around the implementation of CCPA, businesses consider it to be a real roller coaster ride for both the regulators and the firms that aim to comply with CCPA.   

Youtube Stepping up to Protect Minors’ Data Online

Youtube Stepping up to Protect Minors’ Data Online

The explosion of the internet and mobile devices has paved new ways for marketers and Cybercriminals to gather children’s data. The active presence of children on social media platforms is not helping either. Whether it’s about online games or watching cartoons online, a huge number of children are accessing mobiles and other smart devices.

In the modern era of digital technologies and the widespread use of the internet, it is essential to protect the children’s identities and data online. Children, their rights and the interest must not be ignored since their personal data can be processed. The failure to take possible measures can result in hefty fines for businesses and online platforms. 

Children’s Online Privacy Protection Act (COPPA)

The Children’s Online Privacy Protection Act obliges the online platforms and commercial websites to put parents/guardians in control of whatever information they collect from their children online. Congress passed this act to give parents complete control over their children’s data who are under 13. The Federal Trade Commission (FTC) issued the child’s online privacy protection rule and it has been in place since 2000.

The organizations that run commercial websites or operate ad networks third-party services/plugins used by kid-directed sites are obliged to COPPA compliance. The failure to do so can not only result in strict actions from authorities, but also hefty fines and brand damage.

GDPR- Consent and Minors

The General Data Protection Regulation aims to protect consumer data in online performs. Article 8 in GDPR specifically focuses on the issue of consent and minors in the digital world. According to this article, when the online services (that need consent) are directly provided to any child, the processing of a child’s data is lawful if the children are above or at least 16 years old. 

If the child is below 16, then the collection of processing of data is only legal when parents or guardians give consent. An important obligation here is that the controllers/ marketers need to take rational measures to verify consent is authorized by the parents or legal guardians only, as per available technology.

FTC fines Google for Violation of Children’s privacy law

Youtube is one of the widely used platforms by children these days and is obliged by the child protection laws. Recently, the Federal Trade Commission fined Google $170 million following the investigations into Youtube over alleged violations of children’s privacy law. The faction of 23 child advocacy, consumer and privacy groups filed a complaint to the US Federal Trade Commission that Google is collecting the personal data of children and showing an advertisement to those who are aged under 13, hence, violating the child protection laws.

The group – including Center for Digital Democracy, Campaign for a Commercial-Free Childhood (CCFC), and 21 other organizations – alleged that even though Google claims that Youtube is for people above 13 it clearly knows that underage children also use this platform. Moreover, it collects the personal information of underage children such as device identifiers, location, phone number, gender, etc. and tracks them across multiple sites. All this data collection and processing was done without parental consent.

After proper investigations, the New York attorney general and FTC alleged that Google has marketed Youtube to advertisers even after knowing that many channels are popular among younger audiences. In addition, it tracked and processed the search and viewing histories of children to show them relative ads. It clearly violates the Children’s Online Privacy Protection Act (COPPA).

Joe Simons, chairman FTC said in his talk:

“YouTube touted its popularity with children to prospective corporate clients. Yet when it came to complying with COPPA, the company refused to acknowledge that portions of its platform were clearly directed to kids. There’s no excuse for YouTube’s violations of the law.”

 It is reported that $170 million is the largest COPPA fine to date, overshadowing the fine that TikTok’s parent company received in February 2018 for violation of the very same law.

Youtube Step-ups the Protection Game

Taking into account the fine imposed by FTC, last month Youtube formally announced its new policy for creators to label any video that may be appealing to kids. This policy is to be implemented in January 2020. Afterward, if the creators label any video as “directed at kids” then the data collection will be blocked for every viewer of that particular video.

Google confirms that this new policy is the outcome of the $170 million settlement. 

As per the terms of the settlement, YouTube is required to 

“develop, implement, and maintain a system for Channel Owners to designate whether their Content on the YouTube Service is directed to children.” 

The Challenges for Creators

One of the major challenges with this new label system is that the videos will result in reduced ad revenues.  For, once the video is labeled as kids all the personalized ads will automatically shut off, only the contextualized advertising will be enabled based on the video. Now, youtube can’t operate its ad-targeting system on children under the age of 13 – a notable problem for the platform with a majority of the young audiences.

Moreover, the child-directed videos will have fewer advantages on their plates since they will lose some of the features. It includes comments sections, end screens, click-through info cards, notification functions, and the community tab. With the removal of all-powerful tools, the creators won’t be able to drive viewers back to a channel.

The Consequences

These new changes in the working of Youtube have left many channel owners in the confusion that whether they are subject to these new policies or not. The creators are reeling over what is exactly the kids’ content. This is making some of the most popular Youtube categories – including gaming videos, toy reviews, family vlogging, etc. – fall into the gray area. Creators are worried about what would happen if they mistakenly mislabel some video.

The consequences of not properly labeling the video as “child-directed” can be very severe for the creators. FTC clearly announced in its September order that it could sue the individual channel owners who fail or abuse this new labeling system. It means the lawsuits will fall entirely on the creators instead of Youtube. The sole responsibility of Youtube is to maintain the new system and provide the creators with ongoing data policy updates.