A few years ago, you probably noticed that the sites you regularly visited were suddenly asking for your permission to use tracking cookies. These notices became known as “cookie banners” or “cookie pop-ups,” and many users found them annoying, and weren’t sure of their purpose. After seeing these pop-ups, you may have heard about Europe’s GDPR and the US State of California’s CCPA. What are these laws for, and how do they affect us? Let’s take a look at what privacy and data tracking limitation legislation like GDPR and CCPA means for users.
Note that this blog post is not legal advice. If you’re unsure about these laws and have questions, consult with a legal professional.
GDPR and CCPA are for Users and Businesses
Businesses and website managers have some changes to make to their websites to comply with GDPR and CCPA and avoid potential violations and fines. But all business owners and webmasters are also users, and these laws affect all 5.6 billion internet users, all over the world.
In this blog post, we’ll discuss what GDPR, CCPA, and similar laws mean for users. We’ll also take a closer look at why they’re important for our privacy and safety online, not just an annoyance.
In the next blog post in this series, we’ll discuss the implications for businesses, how businesses are adapting around the world, and how business owners can make their websites compliant.
What Are GDPR and CCPA?
First, what are these laws? And what do they entail? Let’s first explore the more robust of these two laws, GDPR. GDPR was enacted first and CCPA has many similarities to it.
What is GDPR?
GDPR stands for General Data Protection Regulation, and it’s legislation developed by and for the European Union concerning how businesses are tracking, storing, and using the personal information of users on the internet. GDPR was passed in 2016 and became effective in 2018. Since then, additional legal cases and updates have helped to clarify the regulations, and show how they’re likely to be used, as well as weaknesses in the laws that still need to be addressed.
GDPR is a long document, with many important details stating how businesses are allowed to track, store, and use the personal data of Europe’s residents. But as a general summary, GDPR requires the following:
Who Does GDPR Apply To?
European residents and every website tracking, processing, using, selling, or storing data of European residents.
GDPR rules apply to any website (and its affiliated businesses or organizations) that tracks, processes, sells, stores, or otherwise handles the data of residents of the European Union and European Economic Area, which together include most of Europe.
In this blog post, we’ll frequently refer to “websites” and “businesses,” but GDPR applies to any online website, platform, or service, regardless of whether it makes money. The only exceptions are websites and services used for “personal and household use, national security, and law enforcement.” Small businesses (under 250 employees) are exempt from some aspects of GDPR, but the main points apply to all organizations.
Transparency
Websites must clearly explain what data they are gathering about users, how, the purposes, and how long this data is stored.
Transparency is a key part of GDPR. One of the key intentions of GDPR is to let users know how their data is being used and what sort of data is being collected. Before these regulations, businesses and other organizations had no reason or incentive to disclose what data they were collecting, how they were using it, what third parties they were sharing it with, or any other aspect of their data tracking strategy. With no constraints, these tracking strategies became increasingly predatory and unsafe.
User Consent
Websites can only track data about users with their consent.
Unless the data is essential for legal, security, safety, or contractual reasons, websites can only gather, store, or use data with the user’s explicit, informed consent. This means that the website must, as clearly as possible, explain how they are collecting data, what they are using it for, etc. and they must get the user’s consent before doing any of this. Without the user’s consent, their data cannot be collected or used.
Right to be Forgotten
Users have a right to have their data deleted upon request.
If a user wants their data to be deleted, in part or in full, websites must honor this request and delete the data. They are not allowed to retaliate against or punish the user for this request. That means the website may not give the user a sub-par experience, levy fines against the user, or take other actions to discourage them from requesting data deletion or editing.
Data Minimization
Personal information must only be gathered for the purpose explained, and deleted when it’s no longer needed for that purpose.
In addition to privacy protection and consent, data minimization is an important part of GDPR. Websites may not keep information about users indefinitely. The data collected should be kept for as long as is necessary, and no longer. Furthermore, the data must be collected for a legitimate business purpose, and only for the purpose that was stated to the user.
Security and Breaches
User information must be protected and data breaches must be reported.
Websites must take measures to keep user data safe from bad actors. This means encrypting important information, especially sensitive data like financial information, addresses, identity documents, and more. If a data breach occurs, the organization must inform users and authorities in a timely manner. Hiding or covering up data breaches, especially when they can result in harm to users or the public, is a serious violation.
Authority and Violations
Violations are handled by member states and fines can be levied based on sales.
Each member state has an independent supervisory authority to handle violations and related requests, issues, and needs. For example, Meta’s (Facebook, Instagram, WhatsApp etc.) international headquarters is in Ireland in order to pay a lower tax rate on all international revenue. Ireland’s Data Privacy Commission (DPC) has levied 2.5 billion Euros in fines against Meta for frequent and deliberate GDPR violations. This may seem high, but it’s important to note that fines are capped at 4% of the business’s annual gross sales.
Summary of GDPR: Privacy, Transparency, Control
In summary, GDPR is intended to protect the privacy of individuals, clearly show how websites are using individuals’ data, and stop websites from using individuals’ data in ways that would violate their privacy or hurt them.
This might seem like an overstatement, especially since all that most users have seen from the regulation is “cookie banners.” And, there is certainly still a long way to go when it comes to protecting our privacy online. However, these rules are a step in the right direction. Later in this blog post, we’ll explain more about why this is important, and why online data protection and control is important in our real, day-to-day lives.
What is CCPA?
Now, what is CCPA? CCPA stands for California Consumer Privacy Act, and it was made to protect California users’ privacy and data on the internet. The CCPA bill was passed in California in 2018, and came into effect in 2020. The California Privacy Rights Act (CPRA) was passed later in 2020, and expanded CCPA somewhat. Many of the goals and some of the language of the bill are similar to those of the GDPR. However, there are also some important differences.
It’s also important to note that, as of this writing, about 20 other states have enacted legislation that is very similar to California’s. Likely, more states will follow. Though this section discusses CCPA specifically, keep in mind that other states’ legislation is similar.
Who Does CCPA Apply To?
California residents, and many business websites.
CCPA has a narrower scope than GDPR. These limits are generally intended to avoid undue strain on small or emerging businesses.
CCPA applies only to those that meet at least one of the following:
- Have a gross annual revenue of over $25 million;
- Buy, sell, or share the personal information of 100,000 or more California residents or households; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
Transparency
Websites must state what type of information they’re collecting about users, how that information is being used, how it’s shared, whether it’s being sold, and how long it’s kept.
Like GDPR, CCPA also stipulates that websites must state what information they’re gathering about users, how they’re using it, how long they’re keeping it, and how they’re sharing it. CCPA also specifically states that websites must be transparent about whether or not they’re selling users’ information.
Right to Opt-Out
Websites must give users a way to opt-out of data collection.
While GDPR requires user consent before tracking begins, CCPA stipulates that users must be able to opt out of data tracking if they desire. This is an important difference between the two types of legislation, and a critical part of why many websites in the US have conducted themselves differently compared to their EU counterparts.
The right to opt-out of tracking sounds, on the surface, equally effective to a mechanism requiring user consent before tracking. However, this has not been the case. Many websites have hidden the “opt-out” mechanism in their privacy policies, if they provide it at all. When users try to take advantage of this, it’s unclear whether or not it results in any action from the website.
People Inc., which owns a large section of the most popular websites, had hidden their opt-out options in their privacy policy, like many other websites.
Right to Data Deletion
Websites must delete users’ information if they request it.
Similar to being able to opt-out of data collection, users must also be able to have their data deleted, in whole or in part, if they choose. This is another aspect of CCPA that is very similar to GDPR. However, it has been enforced more effectively in the EU.
Despite 20 states now enacting laws similar to CCPA, these have not yet resulted in a clear path for US residents to have their data deleted. Many residents in states with this type of legislation may not even know they have this right, and therefore have no way to exercise it, especially when data deletion request buttons or mechanisms are hidden in privacy policies.
Data Minimization
User information should not be kept indefinitely. The purpose for which the data was collected is the only purpose it should be used for.
CCPA also works to reduce data collection, but again does so less effectively than GDPR. CCPA also places limits on how long data should be kept. It also states that the purposes of data collection should be limited. However, while GDPR states that data collection must be done for a “legitimate interest”—generally, to render the service the user asks for—CCPA allows more tracking, as long as users are able to opt-out.
Security and Breaches
Websites must protect users’ data against bad actors. If a data breach occurs, websites must report the breach to authorities and users in a timely manner.
This aspect of each law is quite similar. Websites must take care to protect their users’ data, including using encryption, tokenization, or pseudonymization. Websites must also take measures to prevent data breaches. If a data breach occurs, websites must report the breach to authorities and to users in a timely manner.
Authority and Violations
The California Attorney General’s Office, as well as private citizens and their attorneys, can address CCPA violations.
CCPA grants the California Attorney General’s Office the authority to try cases and address violations. Notably, the law also allows citizens or organizations to address violations and seek damages in court.
The fines and damages are also different under CCPA than GDPR. CCPA states that damages for civil suits for data breaches shall be “not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.” It also states that administrative and civil penalties shall be “not more than $2,500 for each violation or $7,500 for each intentional violation and violations involving… [persons] under 16 years of age.”
Some have argued that CCPA damages are not capped, and are therefore likely to be more effective than GDPR, which caps damages at “€20 million or up to 4% of the annual worldwide turnover, whichever is higher.” However, this has not been the case in practice.
GDPR has prompted more substantial changes to tracking policies, and the fines for violations are now over EUR 5.6 billion, including EUR 2.5 billion levied against Meta alone in an attempt to hold the conglomerate accountable. In the US, the largest CCPA fine has been $1.5 million against the website Healthline. Estimates suggest that businesses like Meta, for example, make between $50 and $900 per user, per year, off of user data. Facebook alone has over 3 billion users. That amounts to between $150 billion and $2.7 trillion each year. CCPA fines wouldn’t be meaningful in any way to Meta unless they increase substantially. With no meaningful way to enforce the legislation against the biggest data brokers, the act may have no teeth against the most impactful players.
Why Do GDPR and CCPA Matter For Users?
Now that we’ve covered what these laws are and what they do, why do they matter for users? As previously mentioned, we all saw the cookie banners, and we’ve all likely heard how much data is floating around about us online today. Why does it matter? Why should we, as users, care?
What Kind of Data Do Businesses Have About Us?
First, what kind of data does the internet reveal about us? This is perhaps the most important reason for data tracking legislation. There is a lot more information floating around about you than you think. And the uses of this data are more unsettling than most users know.
What kind of data can businesses, governments, and individuals find about us online, without us knowing it? Whether you explicitly provide it or not, data processors online have this information about you. This is only a small bit of the information available about each of us; the full list is well beyond the scope of this blog post.
- Location: your computer is tied to a unique IP address when you browse the internet. Your IP address can reveal your location. Though location data is generally not directly attached to you in databases, experts have repeatedly shown it’s easy to tie back to you using additional data points.
- Health status: your browsing history and other information reveal your conditions, illnesses, disabilities, or pregnancy status. Sometimes, this is known even before you know.
- Income: Your credit score, payment history, buying history, search history, and numerous other data points reveal your approximate income.
- Marital status: Your search history, pages you’ve visited, activity on your IP address, social network and more will reveal your status as single, married, divorced, or even cheating on your spouse.
- Gender: search history, hobbies, social network, location, buying habits, and more accurately reveal your gender.
- Political affiliation: targeted political ads based on user data have been a controversial subject for a few years. User data has assisted the spread of misinformation, exploitation, and even genocide.
How Does This Happen?
How do businesses collect this sort of information about us simply through our browsing? Can businesses collect this information even if we don’t provide it? Simply put, yes.
The ways this happens are also outside the scope of this blog post, but others have explored and explained them more thoroughly. To simplify, consider a metaphor: what if your day-to-day activities were monitored using a collection of small, invisible trackers that followed you around? What if these trackers could see everything you saw and hear everything you said?
These are like tracking cookies, except they see everything you see online and “hear” everything you type. What might these trackers reveal about you? Likely, where you live, what shops you frequent, what you might like to buy, but haven’t yet, how often you see the doctor and what for, whether or not you have kids and what you buy for them, what types of news you read, what types of friends you have, and much more. With all of this data—and statistical probabilities across billions of other users—think of what might also be accurately inferred about you.
This concept may seem chilling, and it illustrates the importance of controlling these tracking mechanisms. Though cookie banners and similar mechanisms may pose a small annoyance when surfing the net, it’s important to control and limit the information being collected about us and used to influence us.
What Is Personal Information Online Used For?
With no restrictions on data tracking online, businesses of all types were free to collect, store, sell, manipulate, and use this data for any purpose. Often, this meant selling our data to advertisers, or using our data to target specific ads at us. Some may find this to be an invasion of privacy, especially when these activities are hidden. Others may find it a price to be paid to surf the internet and gain access to knowledge and convenience. However, the ways this data has been used go well beyond ad sales.
This long trail of data can lead, and has led, to more sinister activities. This data has been used to inadvertently help stalkers find their victims, or to help governments persecute protestors and whistleblowers. It has also allowed predatory businesses to exploit users based on income or education, spread misinformation, incite violence, and more.
How Do CCPA and GDPR Help?
Neither CCPA nor GDPR, nor the many other privacy regulations around the world, can completely restore or protect our privacy. However, these are important steps to limit powerful, worldwide conglomerates from collecting and using our personal information.
Without any legislation, there are no limits to using personal information for profit, users have no recourse to stop abuse or misuse of their personal information, and businesses have no incentive to consider users’ privacy or rights. These laws are a step in the right direction, and may open the path towards more robust and effective measures later on. With no intervention, data tracking and misuse will only get more invasive and more harmful.
GDPR and CCPA Protect Privacy and Restrict Tracking
Why should users care about things like cookie banners, or privacy policies? Limiting data tracking, demanding transparency, and demanding that businesses respect the rights of individuals are critical to developing a safer internet, and protecting our rights to privacy.
Uncontrolled data collection violates the basic privacy we all deserve: the right to disclose or not disclose the details of our lives as we see fit. Losing, or not defending, our rights to privacy can quickly mean living under constant, unknown scrutiny; not knowing who or what is looking at which parts of our lives, why, or what they intend to do with that knowledge.
Transparency
