Study of California Consumer Privacy Act [CCPA] and current state of Consumer Protection Act in India

Introduction

The conscience of the legal fraternity is developing towards actualizing the right to privacy as a mainstream inherent and fundamental right. Citizens across the world have concerted efforts in securing their privacy and demanding data protection regimes for the same.

In the age of the internet, the concerns regarding privacy have grown substantively. The evidence of private information or personal choices being sold to social media platforms is available pervasively and is experienced on a daily basis.

This is not limited to the advertisements we witness but are also fundamental in shaping political opinions, hence benefitting political parties.[1] Hence, what we witness presently is the shaping of our lives by subconsciously absorbing material presented to us subtly. However, the material provided to us is not presented out of the blue, but is systematically collected, often without our consent. This presentation of data based on our choices affects retail behavior, but more importantly, divorces an individual from their right over their personal information.

This article focuses on the privacy rights of consumers, by analyzing the landmark California Consumer Privacy Act, 2018. The author has juxtaposed this legislation to the legal framework for consumer privacy in India and has also outlined the international temperament to consumer privacy. 

California Consumer Privacy Act- an Overview

In wake of the growing awareness regarding data protection, and weaving it in the legal fabric of nations worldwide, the California Consumer Privacy Act, 2018 (hereinafter, CCPA), has emerged as an avant-garde legislation. The CCPA is dubbed as one of the first legislations taking cognizance of the right to privacy of citizens, and enforcing this inherent right through statutory powers.^[2]

CCPA materialized into an act after the due efforts and sponsorship of the collective Californians for Consumer Privacy. This collective had sponsored the California Consumer Privacy Act (CCPA) Ballot referendum, which was signed by 629,000 Californians, which made it possible for the Act to be qualified for the November 2018 ballot.^[3] After the qualification, the California State Legislature passed the “ground-breaking consumer privacy legislation” on June 28, 2018, signed by the Governor of the state, Jerry Brown. The Act came into effect on January 1, 2020, giving more than 40 million Californians the strongest privacy rights in the United States of America.

Alastair Mactaggart, the Board Chair and Founder of Californians for Consumer Privacy, played a key role in the enforcement of the legislation. Mactaggart personally believes in the protection of privacy rights of children over the internet, and also advocates against the sale of personal information to companies one has not even heard of.^[4] His values and beliefs were reflected in the proposal he had presented at the November 2018 ballot, in which he had stated:

What this new law comes down to is giving consumers the right to take back control over their information from thousands of giant corporations. This is about power: the more a company knows about you, the more power it has to shape your daily life. That power is exercised on the spectrum ranging from the benign, such as showing you a shoe ad, to the consequential, like selecting your job, your housing, or helping to shape what candidate you support in an election.^[5]

Mactaggart’s proposal was based on shifting the power dynamics in the market and giving consumers the right over their private information. Moreover, he stated that consumers have the “right to take control back over their information”, which essentially means that he recognized the fact that citizens inherently have rights over their information, which are being lost to corporate giants without their consent or knowledge. The proposal also talks about breaking the vicious cycle of companies getting control over one’s private lives, by first acquiring information about what one likes, and then providing information about what one should like. The proposal recognized the control companies have over our information affects us so gravely psychologically, that it influences subtle choices in shopping to major life decisions in choosing careers and housing.

The scope of the Act is limited to ‘businesses’ which it defines as:

A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers’ personal information or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California.^[6]

In addition to this, any of the three conditions of (1) having gross annual revenues in excess of $25 million, (2) buying, receiving or selling the personal information of 50,000 or more consumers, households, or devices, or (3) deriving 50% or more of annual revenues from selling consumers’ personal information, has to be fulfilled to be brought under the purview of the Act and having obligations as laid in it.

CCPA grants citizens of California the right to request a business collecting personal information to disclose what all has been collected holistically and in pieces for the business’ personal use.^[7] This request has to be accepted free of charge, and businesses have to provide the asked information via mail or electronically.^[8] The Act gives a certain relaxation to businesses by limiting the consumers’ right to request information from a particular business to twice in a 12 month period.^[9]

The Act also attaches great importance to any business obtaining the consent of the consumer before acquiring their personal information, and strictly laying out the kind of information they shall be collecting; CCPA forbids businesses from collecting information ancillary to what the businesses convey to the consumers, hence placing consent at a central position.^[10]

CCPA has applied the much-debated right to be forgotten by giving consumers the right to have their private information deleted.^[11] This right is limited in exceptional circumstances like completion of transactions, statistical research, etc.^[12] The right to deletion of personal information gives consumers protection from third parties using their information without their consent. CCPA gives additional protection to consumers from third parties by giving them the right to demand information on the possible third parties that could have access to their information,^[13] and by forbidding any third parties from selling information sold to them by businesses without the consent of the consumer.^[14] These rights are state of the art steps towards securing private information of consumers from misuse by third parties.

Another creative right under the CCPA is the right to opt-out, which is defined as “the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.”[15] This right instills the right to control the dissemination of information at the heart of data protection. The right to opt-out makes the consumer an active member of a business’s activities regarding using the former’s information. Hence, this shift in control over personal information uplifts the status of the consumer from the former state of passivity.

CCPA also safeguards consumers’ rights by means of protecting them from discrimination because they chose to demand protection of their privacy under this act.^[16] This minimizes the apprehension and fear that may linger in consumers’ minds while exercising their rights. Hence, it breaks the long-existing barriers in approaching corporate giants and also dilutes their control over the information of consumers, of which they are no longer the rightful owners.

CCPA has emerged as a positive example of data protection legislation, that shifts the power dynamic drastically, empowering the consumer, and bolstering consumer protection. The Act has garnered widespread support and appreciation in the era of growing awareness on the right to privacy.

Consumer Privacy in India

In India, the rights of the consumer are laid out in the Consumer Protection Act, 2019 (hereinafter, COPRA), which has recently been implemented after the former act of 1986 was repealed. However, while the new act has given the consumers added protection against malpractices by e-commerce platforms,[17] like its predecessor, it fails to provide the consumers, the right over their information explicitly. Therefore, to understand the landscape and scope of consumer privacy in India, it is imperative to shift our focus to other legislation as well.

COPRA defines a consumer as anybody who buys any goods or hires or avails any service for a non-commercial purpose.^[18] In availing services and buying goods, consumers divulge huge amounts of personal information, which can be used by the service providers without the consent or knowledge of the consumers. For example, in availing medical services, sensitive information about patients is received, or while ordinary shopping, the choice of consumers is exposed, which acts as fodder for advertisement agencies. With the life of citizens shifting to the virtual grounds of the internet, the sale of consumer information has become even more rapid and has created major avenues for the advertisement industry, which has capitalized on a newfound power in controlling the psyche of consumers.

Because there is not legislation that solely protects the privacy of consumers, company policies alone protect it. This gives companies a greater hand in the protection of consumer privacy, and it becomes inevitable that companies would protect their interests first. Hence, companies view consumer privacy in terms of economic value and balance the fundamental right to privacy and with economic growth.^[19]

Consumer privacy can be achieved by various means in India. one of the most immediate tools that consumers have in asserting their right to privacy is by raising complaints of unfair trade practices. The COPRA allows such complaints, and defines an unfair trade practice as “a trade practice which, for the purpose of promoting the sale, use or supply of any goods or for the provision of any service, adopts any unfair method or unfair or deceptive practice”.^[20] While the practices defined under this section do not explicitly include data protection, careful litigation could make use of this section to enforce consumer privacy. Moreover, presently, an urgent need to bring the unlawful sale of consumer information to increase a company’s reach, under the purview of unfair practices, is being felt.

Statutory protection of consumers’ privacy can be enforced under the Contract Act, 1872 if the consumer signs a contract on the use of their information. The rights of consumers can then be enforced in civil litigation, but only upon breach of contract. 

Consumers can also have their personal, sensitive information protected under Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.^[21] These Rules have become more important because of the use of the internet in selling and buying information of consumers. The rules call for the formulation of privacy policies by corporates or people working on behalf of them and guides them to disclose these policies for the consumers’ perusal.^[22] Moreover, the Rules also reflect the importance of obtaining the consent of consumers in using their information^[23] and is vocal against the unethical use of information.^[24]

Further, as elucidated above, the privacy of consumers can be protected by companies by formulating their own privacy policies. However, it is a voluntary act, which might force certain consumers to assent to use of their information in order to avail certain specific kinds of services.

Consumer privacy can also be secured through codes of conduct and ethics. This is largely practiced in services like the medical industry. A step towards securing information of patients was the proposal of the Digital Information Security in Healthcare Act.[25] This act would improve the present state of consumer rights to a great extent and would be a huge achievement in the formalization of the right to privacy recognized in the Puttaswamy judgment.^[26]

From the above discussion, it becomes evident that the right to privacy of consumers is not codified in one law, and has to be enforced using a collection of rights available under different legislations and rules. One can assert confidentiality breaches through tortuous and contractual liabilities, but consumer privacy has to be recognized as an independent area under consumer protection, for the right to privacy to be actualized.

An International Take on Consumer Privacy

Having examined the Californian and Indian takes on consumer privacy, one must also turn to other international jurisdictions, and the rules and guidelines adopted by them. The Organisation for Economic Co-Operation and Development drafted guidelines in 1980 to streamline fair information practices.^[27] The Guidelines’ were drafted on eight pivotal principles:

1. Collection limitation principle- there should be limits on the collection of information and this information should be collected by lawful and fair means.
2. Data quality principle- the data collected should be relevant to the purposes it was collected for.
3. Purpose specification principle- the purpose for which data is collected should be told at the time of collection, or subsequent use.
4. Use limitation principle- personal data should not be disclosed or used for purposes other than specified at the time of collection unless the consent to do it is sought by the person or done by the authority of law.
5. Security safeguards principle- personal information has to be given security against unauthorized use, disclosure, etc.
6. Openness principle- the developments around the use of data should be disclosed in public policies.
7. Individual participation principles- an individual has the right to know whether their information is available to a controller, the right to have communicated to them that their information is available, right to be given reasons if their request to obtain information on their data is refused and the right to challenge data against them.
8. Accountability principle- the controller or agency that has data on individuals shall be accountable for such information.

These Guidelines reflect how the quest to protect data against unfair use is deep-rooted. Moreover, many of these principles are reflected in CCPA and remain to be leading principles in data protection. These Guidelines were revised in 2013, and the scope of data protection and privacy was increased massively.^[28] 

The European Union also released a data protection directive in 1995 in which a broad regulatory framework, for the protection and use of data, was established.^[29]

One of the most sophisticated data protection regimes is the General Data Protection Regulation, 2018 (hereinafter, GDPR) of the European Union (EU) and European Economic Area (EEA).^[30] The GDPR repealed the aforementioned Directive 95/46/EA. The GDPR lays out regulations on the use of data and also addresses the transfer of personal data in the regions of the EU and EEA. The GDPR is also, like CCPA, based on giving individuals control over their information, and reducing the control of agencies and corporate bodies.

Conclusion

CCPA is undoubtedly a leading legislation that will influence data protection regimes and laws in the future. Moreover, it incorporates principles of privacy and data protection formulated in the past century and has helped in actualizing a long struggle for privacy.

While the CCPA is an achievement in the privacy movement, it is also instrumental in exposing the lack of data regulation in countries worldwide. Such a lack is noticed even in India, where no formal legislation formalizes data protection and privacy of consumers. With such a large market and a growing consumer base, India has to rapidly and actively work towards a consumer privacy scheme, so that individuals can gain control over their own information and lives.

---

^[1] Hunt Allcott and Matthew Gentzkow, Social Media and Fake News in the 2016 Election, 31(2) Journal of Economic Perspectives, 211-36 (2017), https://web.stanford.edu/~gentzkow/research/fakenews.pdf.

^[2] Karishma Mehrotra, Explained: California’s data privacy law, The Indian Express (Jan 7, 2020), https://indianexpress.com/article/explained/explained-californias-data-privacy-law-internet-hacking-6203573/.

^[3] Californians for Consumer Privacy, https://www.caprivacy.org/about-us/.

^[4] Californians for Consumer Privacy, https://www.caprivacy.org/about-us/.

^[5] A Letter from Alastair Mactaggart, Board Chair and Founder of Californians for Consumer Privacy, Californians for Consumer Privacy (Sep 25, 2019), https://www.caprivacy.org/a-letter-from-alastair-mactaggart-board-chair-and-founder-of-californians-for-consumer-privacy/.

^[6]  Cal. Civ. Code § 1798.140(c).

^[7] Cal. Civ. Code § 1798.100 (a).

^[8] Cal. Civ. Code § 1798.100 (d).

^[9] Cal. Civ. Code § 1798.100 (d).

^[10] Cal. Civ. Code § 1798.100 (b).

^[11] Cal. Civ. Code § 1798.105(a).

^[12] Cal. Civ. Code § 1798.105(d).

^[13] Cal. Civ. Code § 1798.110(a)(4).

^[14] Cal. Civ. Code § 1798.115 (d).

^[15] Cal. Civ. Code § 1798.120 (a).

^[16] Cal. Civ. Code § 1798.125 (a)(1).

[17] The Consumer Protection Act, No. 35 of 2019, § 94 (2019).

^[18] Id, § 2(7).

^[19] The Centre for Internet and Society, Consumer Privacy, https://www.mondaq.com/india/healthcare/723960/disha-the-first-step-towards-securing-patient-health-data-in-india.

^[20] The Consumer Protection Act, No. 35 of 2019, § 2(47) (2019).

^[21] Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

^[22] Id, r. 4(1).

^[23] Id, r. 5(3).

^[24] Id, r. 5(1). 

^[25] Dr. Milind Antani , Darren Punnen & Anay Shukla, India: DISHA: The First Step Towards Securing Patient Health Data In India, Mondaq (Aug 03, 2018), https://www.mondaq.com/india/healthcare/723960/disha-the-first-step-towards-securing-patient-health-data-in-india.

^[26] Justice K.S.Puttaswamy (Retd) v. Union of India, (2017) 10 SCC 1.

^[27] Organisation for Economic Co-Operation and Development, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), https://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm.

^[28] Organisation for Economic Co-Operation and Development, OECD Privacy Framework (2013), https://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf.

^[29] Directive 95/46/EC of the European Parliament and of the Council (Oct 24, 1995), https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A31995L0046

^[30] Regulation (EU) 2016/679 of the European Parliament and of the Council (Apr 27, 2016), https://eur-lex.europa.eu/eli/reg/2016/679/oj