California Consumer Privacy Act – Part One

The Essentials

The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018. It became effective on January 1, 2020, but enforcement just began in July 2020.

The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them. This landmark law secures new privacy rights for California consumers, including:

  • The right to know about the personal information a business collects about them and how it is used and shared;
  • The right to delete personal information collected from them (with some exceptions);
  • The right to opt-out of the sale of their personal information; and
  • The right to non-discrimination for exercising their CCPA rights. 

From: https://oag.ca.gov/privacy/ccpa

Vendor Compliance – Our Project

The California Consumer Privacy Act has added a new level of protection for California consumers – including library users — but it’s still young.  As part of the Electronic Resources privacy audit for my library, I started testing the compliance of our vendors with the CCPA at the beginning of 2020.  For the purpose of this project, I’m starting with a series of questions that I am applying to each vendor:

  1. Does the vendor have a public, easily accessed Privacy Policy?
  2. Does the policy have a section addressing CCPA, including describing the rights of California Residents?
  3. Does the policy include at least one method of contacting the vendor with inquiries about their data?
  4. Does the vendor allow for data requests/data deletions?
  5. Is it easy to request/get a report of the data the vendor holds/delete data?
  6. Does the vendor follow through and send the data?

Next Steps

If the answer to any of these six questions is “no”, my next step will be to determine why.  

The intention of this experiment is twofold.  First, I would like to get an idea of how well our vendors are adapting to and complying with changing privacy laws.  Second, I would like to eventually use my findings to advise library users on how to control their data and how best to protect their privacy.

In the Next Post in this Series

In my next post, I’ll examine the law in more detail and how it relates to public library users.  I’ll also discuss some of the questions that are already coming to me in the early stages of this project.  What happens when a vendor is not in compliance?  What kinds of conversations should we have with the vendors with whom we contract? What exactly does this act mean for the library in the future?  

AuthorStacy Tomaszewski

Stacy Tomaszewski is the Electronic Resources Librarian at The Alameda County Library (CA).