GGU Law Review Blog

The California Consumer Privacy Act: The Illusion of Control?

The California Consumer Privacy Act of 2018 (CCPA) goes into effect on January 1, 2020. On the surface, the purpose of the CCPA is to give consumers “rights” to control how businesses monetize their personal information. However, the extent of those “rights” is somewhat vague in the language of the statute.



The CCPA is silent as to how web businesses make money by using the information gathered to target users with specific advertisements. One way they do this is through the use of tracking cookies. Cookies are packets of information containing items like shopping history, number of visits, and number of times a user accesses a particular site. These cookies are stored when users visit internet sites.

Some of these cookies can be deleted or avoided easily, either by clearing them at specified times or by browsing with privacy settings enabled. However, other types of cookies are not avoidable. One expert has talked about “super cookies” which are not accessible for deletion and live in the nooks and crannies of your browser. The same expert talked about a process called cookie syncing, which allows companies to link the IDs they have created to identify a user’s device. This is done without the user’s knowledge to build a better profile of the user. Finally, he discussed the possibility of using cookies to determine what type of device the user is using or to track the user across multiple devices.

Given these practices, the CCPA’s purpose of stopping businesses from selling a consumer’s personal information is incredibly important. However, further clarification and/or further legislation may be needed to give complete control to consumers when it comes to how businesses monetize their data. The bill gives users some “rights” to determine how their data is stored and defines when a business “sells” that information, and when it does not.


The bill assigns five “rights” to consumers, three of which center around a user’s right to control their data. The first right is the ability to opt-out of the sale of their personal information. The second right is to know how a business is using their personal information. The third right is the ability to request that a business delete all personal information from the business’s database.

The first right gives consumers the right to opt-out of businesses selling their information – but this right is limited. The CCPA allows the consumer to opt-out of the sale of their personal information to a third-party. Unfortunately, the bill appears to allow a business to monetize a consumer’s personal information through a third-party service provider with which the business has a contract. The language of the bill allows a business to disclose a consumer’s personal information for “business purposes pursuant to a written contract” between the business and the service provider.

The second right gives consumers the right to request that a business “disclose to that consumer the categories and specific pieces of personal information the business has collected.” The statute also gives consumers the right to request that the business disclose to them how it is using their personal information. However, these requests are limited to twice in a twelve-month period, which may limit the consumer’s ability to object to the way their information is used or sold.

Finally, the third right gives consumers the right to “request” to have their personal information deleted. Included in this right is a requirement that businesses disclose this ability clearly to their users. The bill directs businesses to immediately delete this information when a request is received and direct any service providers to delete it as well. However, the bill states that businesses “shall not” be required to delete this information for several reasons. Two of these reasons seem to allow them to continue to use this data for advertising to users.

The business does not have to delete a user’s information when it needs the information for two specific purposes. First, the business may keep the information when it enables solely internal uses which reasonably align with the expectations of the consumer based on the customer’s relationship with the business. Second, the business may otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

These provisions appear to allow advertising as a legitimate business purpose that is “necessary for the business or service provider to maintain the consumer’s personal information.” This distinction is important because when a business is using a user’s information for a business purpose, it does not appear to be considered “selling” the information under the CCPA.



The CCPA states that a business does not sell personal information when the business uses or shares the personal information with a service provider that is necessary to perform a business purpose, such as marketing or advertising services. The following conditions must be met to qualify as a business purpose. The business has provided notice to the consumer, and the service provider does not further collect, sell, or use the personal information of the customer, except as necessary to perform the business purpose. This language, combined with the definition of a business, appears to allow some businesses to continue to profit from personal information without the customer’s consent.

The statute defines a business purpose as “the use of personal information for the business’s or a service provider’s operational purposes . . . provided that the use of the personal information shall be reasonably necessary and proportionate” and is “compatible with the context in which the personal information was collected.”

The CCPA only applies to businesses that meet the following criteria. First, the business has annual gross revenues above twenty-five million dollars ($25,000,000). Second, the business buys, sells, or shares personal information of fifty thousand or more customers for commercial purposes. Finally, the business derives more than fifty percent of its annual revenues from selling consumers’ personal information. If a business does not meet any of these criteria, the consumers’ “rights” appear to be no longer valid.

One of these business purposes is “providing advertising or marketing services.” This provision is where the use of cookies to track and advertise using personal information can continue. Businesses can use these to collect personal information such as location, type of device, shopping history, among other things. This information allows them to create and present targeted advertising to entice users to click and visit the site for the product in the ad.

This practice is very profitable, and businesses are not considered to be “selling” your information as defined under the CCPA. In 2017, businesses spent over ten billion dollars on this strategy. For every $1 spent, businesses can recoup as much as $2 per click. With these kinds of potential returns, this practice is not going anywhere, and users can do very little to control or stop it.



The CCPA goes into effect on January 1, 2020. The Attorney General has been given until that date to set up measures to ensure compliance, set up a recognizable opt-out logo, and establish regulations necessary to enforce the bill. Until that deadline, it is business as usual.

The vagueness of some of the statute’s language and provisions may make it difficult for the Attorney General to enforce it. The bill defines a business based on several factors. First, does that business’s total revenues exceed a certain amount? Second, does the business store, sell, or buy the personal data of 50,000 customers or more? Third, does the sale of information exceed a certain percentage of total sales? A business could potentially split into individual subsidiaries to avoid enforcement. Also, companies may find new ways to classify the storage of data as “business purposes,” allowing them to hold on to a user’s delicious “cookies” and other profitable information.

At this time, it is hard to know whether the CCPA will be a significant first step towards consumer rights concerning how their personal information is stored and used. It may end up as merely a populist measure providing an illusion of control and safety.

1 Comment

  1. I love the COOKIE MONSTER dimension! That was a really poetic way to sum up your argument about the CCPA in a concrete way I won’t forget.
