The Impact of CCPA & CPRA on Surveillance Capitalism
As Marc Andreessen noted in 2011, software is eating the world. Data is the fuel that feeds software, including the digital exhaust that each person creates as they interact with web sites and services.
The collection and processing of personal data as well as the translation of that information into behavioral data for analysis and sales has led to what Shoshana Zuboff calls “Surveillance Capitalism.” The net result of Surveillance Capitalism is that businesses and governments can purchase access to “digital voodoo dolls” of each one of us. This means there is now unprecedented insight into who we are and what we have been and are currently doing — including our precise geolocation as well as intimate details regarding our health, sexuality, and other sensitive personal information — as well as the ability to predict and influence what we will do. As Alastair Mactaggart, author of Prop 24 (the California Privacy Rights Act) has said: “Standard Oil was powerful … but Standard Oil didn’t know everything about you.”
It gets worse: businesses can potentially leverage this trove of behavioral data to implement algorithmic bias and discriminate against different groups within society. Politicians, political groups and foreign actors can amplify our perceived fears and influence us with highly targeted messaging. And if tech companies and/or large data brokers are hacked, the theft of our personal data can lead to ruined personal lives in the form of drained bank accounts or even blackmail.
One could argue that Surveillance Capitalism is not only a threat to our individual privacy but also our democracy.
The way I look at Surveillance Capitalism is that it represents the unfettered and unlimited collection of personal data (i.e., thousands of collected attributes about you as well as past, present and future digital exhaust) combined with the unfettered and unlimited use of that data (i.e., selling and sharing of that data, behavior and predictive analysis etc.). This graph below gives my simplified view of Surveillance Capitalism:
Given that California has passed two major pieces of privacy legislation — through the legislature in 2018 with the California Consumer Privacy Act (CCPA) and in 2020 through passage of Prop 24 with the California Privacy Rights Act (CPRA) — let’s look at whether the CCPA and CPRA make a major dent in Surveillance Capitalism.
The CCPA’s Impact on Surveillance Capitalism
At the highest level, the CCPA gives consumers both the “Right to Know” and the “Right to Say No.” It also holds businesses accountable for safeguarding consumers’ personal information.
More specifically, the data subject rights found in the CCPA — namely the “Right to be Informed” (aka the “Right to Know” or the “Right to be Notified”), the “Right to Delete” (aka the “Right of Erasure” or the “Right to be Forgotten”) and the “Right of Access” — give consumers more visibility and control over personal data that businesses collect and process. As consumers become aware of and exercise these rights, this should lead to a reduction both in the data collected on a given consumer and in what a business can and will do with that data. In addition, the CCPA has a “Right of No Retaliation” (aka “Right to not be Discriminated Against”) that should encourage consumers to exercise their privacy rights without worrying about businesses discriminating against them when they do so.
Probably the most significant consumer right found in the CCPA is the “Right to ‘Opt-Out’ of Sale of Personal Information” (aka “Right to Say No”). Given that the CCPA Regulations require a Do Not Sell my Personal Information button and/or link on the home page, this should make the right highly visible to consumers and enable them to restrict the use of their personal data by stopping its sale.
So the CCPA does impact Surveillance Capitalism, mainly by requiring transparency from businesses and giving consumers new rights, including the right to limit the sale of their personal information.
The CPRA’s Impact on Surveillance Capitalism
The CPRA in effect is “Version 2” of the CCPA and takes a much bigger bite out of Surveillance Capitalism.
The CPRA adds the following consumer privacy rights which will both limit the amount of data collected and restrict its usage:
- The “Right to Correct” (aka the “Right to Rectify”) — this lets consumers correct the information that businesses have collected about them. On a side note, this is a big benefit, in that incorrect information online can affect your entire life, e.g., your ability to get a loan or a job.
- Limit the Use of Sensitive Personal Information — the CPRA introduces a powerful new concept covering your most sensitive personal information. Under CCPA, you only have the right to stop the sale of your personal information. CPRA goes much further, and lets you tell businesses not to use your most sensitive information, unless it’s to deliver you a product you are asking for. Sensitive personal information includes race, precise geolocation, religion, union membership, genetics, biometrics, sexual orientation, contents of communications, etc.
- The Right to Stop Businesses from Profiling You — this is also known as the “Right to Object to Automated Decision-Making.” This new right lets you find out about the profiles businesses are collecting about you, and stop the automated processing of your information based on the profiles businesses have created about you. This will help consumers answer questions such as: Are you seeing only certain jobs because of your race, your education, your political leanings? Is some algorithm determining your future by only showing you jobs it thinks you’re qualified for?
- Extending the Right to ‘Opt-Out’ of the Sale of Your Personal Information to include the Sharing of Your Personal Information — it turns out that many businesses don’t “sell” your personal data per se, but share it with other businesses for other benefits. By extending this Right to say “Sale or Sharing” it broadens the restrictions on the usage of your personal data.
- Right to opt out of cross-context behavioral advertising — this fixes a weakness in the CCPA. Namely, the CPRA now limits the ability of businesses to “retarget” you with digital ads based on your internet behavior and activity by giving you further control over the use of your personal data.
- Right to see ALL your information, not just the last 12 months — under the CCPA, you can only see the last 12 months of information a business has collected about you. The CPRA will require businesses to tell you all the information they’ve collected about you, starting on January 1, 2022.
The CPRA also adds business obligations that will regulate the collection and use of data:
- Purpose limitation — businesses can now only use a consumer’s info for a stated purpose. This means that if they collect your cell phone number for the purpose of providing advanced security in the form of two-factor authentication, they can’t turn around and use your phone number for another purpose such as sending you SMS texts with product offers.
- Storage limitation — this means businesses can only keep your personal info as long as the business has said it will. This will help prevent businesses from collecting and storing more information from you than necessary.
- Data minimization — businesses can no longer collect more personal data than necessary.
- Deletion expansion — businesses must be able to tell the businesses they’ve sold personal info to, or shared it with, to delete that info when a deletion request is received.
The net net is that the CPRA significantly moves the needle when it comes to regulating Surveillance Capitalism, much more so than the CCPA — so thank goodness that Prop 24 was passed! It gets California closer to fulfilling the right of privacy that is in the California Constitution.
Apple Sets its Sights on Surveillance Capitalism
So far, I have talked about CCPA and CPRA and their impact on Surveillance Capitalism, but I would be remiss to not point out that recent new features in Apple’s widely deployed iOS mobile operating system will also help increase privacy. Namely Apple’s App Tracking Transparency and Privacy Labels (think the privacy equivalent of a Nutrition Label on a food item in a store) will hopefully lead to the reduction of personal data collected by Big Tech companies like Facebook.
Already one survey has shown that 96% of Apple users who have upgraded to iOS 14.5 have opted out of app tracking. This could significantly reduce the amount of our digital exhaust that our Apple devices could emit.
What more can be done to put a dent into Surveillance Capitalism?
That is, what else can be done to further limit/restrict the collection and use of personal data? Here are some ideas:
- A “Do Not Sell & Share My Data Registry” (à la Do Not Call) that has been proposed by myself and others (e.g. Senator Wyden in Section 6 of this proposed bill).
- Have the California Privacy Protection Agency regulate and require websites to support Global Privacy Controls that automatically signal/communicate a Do Not Sell request through a browser plug-in/extension.
- It would be great if there were more tools/software that consumers could use, either directly and/or through authorized agents, to (a) delete personal data from data brokers and (b) initiate data subject requests. I was happy to see a free solution called PrivacyBot.io emerge from a team of graduate students at UC Berkeley.
Finally, other states besides California are slowly working to add equivalent laws to CCPA (many are not yet caught up on CPRA) — here is a good tracker from IAPP. Unfortunately, we still have not seen any good progress at the federal level for a comprehensive national privacy law.