Explainer: The California Consumer Privacy Act and how it affects you

October 7, 2019

On Jan. 1, 2020, the California Consumer Privacy Act (CCPA) will take affect in the Golden State, but its reach will go much further than you might expect. Signed into law by Gov. Jerry Brown on June 28, 2018, the CCPA is a groundbreaking piece of legislation that will forever change how each of us use technology products and how U.S. companies use our consumer and business data. Regardless of your political views on privacy and data issues, this California law will likely become the de facto law of the land because most technology companies like Twitter, Facebook, Google, and Apple are headquartered there. Thus, they must adhere to California law as they offer services to the rest of the nation as well as the larger international community.

What is the CCPA?

CCPA is a piece of legislation that was designed to give technology users enhanced privacy rights and consumer protections surrounding the use of personal data. CCPA will essentially allow you to see what personal data a company has collected on you, how it is being used, and allow you to delete that data or stop the company from selling it to third parties. The legislation was introduced on Jan. 3, 2018, in the California legislature by Rep. Ed Chau and State Sen. Robert Hertzberg. It was passed by both houses of the California legislature and signed into law on June 28, 2018, by Gov. Brown to amend Part 4 of Division 3 of the California Civil Code, which is a set of statutes that governs obligations of those who reside in California. Prior to the CCPA being signed into law, there was a strong effort among many California residents for some form of privacy regulation. The passage of the CCPA headed off a ballot initiative that would have gone before the voters during the midterm elections in November 2018, led by privacy advocate and real estate developer, Alastair Mactaggart.

The current law has come under intense scrutiny by privacy advocates and others. Privacy advocates argue that the bill does not go far enough in establishing personal data privacy rights for individuals and corporations as other laws such as the GDPR, while others argue that it will do irreparable damage to businesses and their ability to sell their services. Opponents argue that the sheer cost of implementation outweighs the potential benefits to consumers, who have already given consent for the capturing of data.

The CCPA has six major components. It gives users the ability to: 1) know what data has been collected on them; 2) know if this data has been sold and to whom; 3) say no to the sale of this data; 4) access this personal data; 5) request the deletion of this data; and 6) not be discriminated against for exercising these rights.

What does this mean?

The U.S. does not currently have any federal privacy regulations pertaining to the collection, use, and sale of personal data as broad as CCPA. While many federal statutes regulate the collection and consent of data on minors, the U.S. has historically sought to let the market decide these tools as opposed to the more regulatory frameworks found in the European Union and other countries. The EU enacted the General Data Protection Regulation (GDPR) on May 25, 2018, which has already affected many U.S. companies doing business in the EU. 

You likely have seen various aspects of the GDPR implemented as you browse the web and use technological services. In conjunction with the GDPR, many sites implemented detailed privacy policies, sought to reaffirm personal consent for the use of tracking data on the internet in terms of cookies, and publicized their privacy policies on their websites and through email correspondence. This all was to ensure that these companies and organizations complied with the GDPR rules even though they reside in the U.S. because of the global use of the internet and these services. Many companies expanded these privacy tools to the wider public as they complied with the GDPR, such as described in Microsoft president Brad Smith’s new book, Tools and Weapons: The Promise and the Peril of the Digital Age.

U.S. retailers are estimated to spend almost $100 million to provide these services to consumers because this level of data access requires rethinking and rebuilding their services and systems to comply with the law. The stakes for noncompliance are high, as consumers and the California attorney general can now bring lawsuits for data breaches and regulatory action including potential fines. After the first year of new regulations under the GDPR in the EU, the European Data Protection Board reported that €55,955,871 ($61,227,564.00 US) in fines were levied against companies for not complying with the GDPR, including a single fine of €50,000,000 against Google.

Since the CCPA was passed in the California legislature, there has been a concerted effort among many in the privacy and technology sectors pushing for a federal privacy law. Some advocate for a federal version of the CCPA giving all U.S. consumers the same level of protection and transparency, while others have pushed for a more neutral privacy regulation that is less taxing on companies while providing more limited consumer-level access to data. In September 2019, more than 50 CEOs have urged the U.S. Congress to pass a federal privacy law.

Why does this matter?

Each day countless pieces of data are collected about us from the online services we use. Every bit of data is captured by technology companies and used to strengthen their systems and products. The things we share have also become a powerful resource for companies to leverage as they provide predictive products to marketers and other companies. We often trade some level of privacy to have access to these tools and services because they provide immense benefits to our everyday lives.

This data can include personal information such as name, email, race, sex, gender identity, and various other data points which are used to market services and products. Essentially anything put online can be stored, analyzed, and sold by the companies whose products we use. But recently many have called into question the ethical bounds of marketing and even what data is being captured on our children and the effects on their privacy.

CCPA and other forms of future privacy legislation will affect how each of us use technology and even potentially alter our interaction with these companies, for good and bad. With the high costs of operating systems, some companies may choose not to offer certain services or tools to consumers. But it is also possible that privacy legislation will allow us to use technology with greater transparency and openness. Time will tell the exact impact CCPA will have on businesses and consumers, but we must be aware of the contours of it as it goes into effect on January 1, 2020.

Jason Thacker

Jason Thacker serves as senior fellow focusing on Christian ethics, human dignity, public theology, and technology. He also leads the ERLC Research Institute. In addition to his work at the ERLC, he serves as assistant professor of philosophy and ethics at Boyce College in Louisville Kentucky. He is the author … Read More

Article 12: The Future of AI

We affirm that AI will continue to be developed in ways that we cannot currently imagine or understand, including AI that will far surpass many human abilities. God alone has the power to create life, and no future advancements in AI will usurp Him as the Creator of life. The church has a unique role in proclaiming human dignity for all and calling for the humane use of AI in all aspects of society.

We deny that AI will make us more or less human, or that AI will ever obtain a coequal level of worth, dignity, or value to image-bearers. Future advancements in AI will not ultimately fulfill our longings for a perfect world. While we are not able to comprehend or know the future, we do not fear what is to come because we know that God is omniscient and that nothing we create will be able to thwart His redemptive plan for creation or to supplant humanity as His image-bearers.

Genesis 1; Isaiah 42:8; Romans 1:20-21; 5:2; Ephesians 1:4-6; 2 Timothy 1:7-9; Revelation 5:9-10

Article 11: Public Policy

We affirm that the fundamental purposes of government are to protect human beings from harm, punish those who do evil, uphold civil liberties, and to commend those who do good. The public has a role in shaping and crafting policies concerning the use of AI in society, and these decisions should not be left to those who develop these technologies or to governments to set norms.

We deny that AI should be used by governments, corporations, or any entity to infringe upon God-given human rights. AI, even in a highly advanced state, should never be delegated the governing authority that has been granted by an all-sovereign God to human beings alone. 

Romans 13:1-7; Acts 10:35; 1 Peter 2:13-14

Article 10: War

We affirm that the use of AI in warfare should be governed by love of neighbor and the principles of just war. The use of AI may mitigate the loss of human life, provide greater protection of non-combatants, and inform better policymaking. Any lethal action conducted or substantially enabled by AI must employ 5 human oversight or review. All defense-related AI applications, such as underlying data and decision-making processes, must be subject to continual review by legitimate authorities. When these systems are deployed, human agents bear full moral responsibility for any actions taken by the system.

We deny that human agency or moral culpability in war can be delegated to AI. No nation or group has the right to use AI to carry out genocide, terrorism, torture, or other war crimes.

Genesis 4:10; Isaiah 1:16-17; Psalm 37:28; Matthew 5:44; 22:37-39; Romans 13:4

Article 9: Security

We affirm that AI has legitimate applications in policing, intelligence, surveillance, investigation, and other uses supporting the government’s responsibility to respect human rights, to protect and preserve human life, and to pursue justice in a flourishing society.

We deny that AI should be employed for safety and security applications in ways that seek to dehumanize, depersonalize, or harm our fellow human beings. We condemn the use of AI to suppress free expression or other basic human rights granted by God to all human beings.

Romans 13:1-7; 1 Peter 2:13-14

Article 8: Data & Privacy

We affirm that privacy and personal property are intertwined individual rights and choices that should not be violated by governments, corporations, nation-states, and other groups, even in the pursuit of the common good. While God knows all things, it is neither wise nor obligatory to have every detail of one’s life open to society.

We deny the manipulative and coercive uses of data and AI in ways that are inconsistent with the love of God and love of neighbor. Data collection practices should conform to ethical guidelines that uphold the dignity of all people. We further deny that consent, even informed consent, although requisite, is the only necessary ethical standard for the collection, manipulation, or exploitation of personal data—individually or in the aggregate. AI should not be employed in ways that distort truth through the use of generative applications. Data should not be mishandled, misused, or abused for sinful purposes to reinforce bias, strengthen the powerful, or demean the weak.

Exodus 20:15, Psalm 147:5; Isaiah 40:13-14; Matthew 10:16 Galatians 6:2; Hebrews 4:12-13; 1 John 1:7 

Article 7: Work

We affirm that work is part of God’s plan for human beings participating in the cultivation and stewardship of creation. The divine pattern is one of labor and rest in healthy proportion to each other. Our view of work should not be confined to commercial activity; it must also include the many ways that human beings serve each other through their efforts. AI can be used in ways that aid our work or allow us to make fuller use of our gifts. The church has a Spirit-empowered responsibility to help care for those who lose jobs and to encourage individuals, communities, employers, and governments to find ways to invest in the development of human beings and continue making vocational contributions to our lives together.

We deny that human worth and dignity is reducible to an individual’s economic contributions to society alone. Humanity should not use AI and other technological innovations as a reason to move toward lives of pure leisure even if greater social wealth creates such possibilities.

Genesis 1:27; 2:5; 2:15; Isaiah 65:21-24; Romans 12:6-8; Ephesians 4:11-16

Article 6: Sexuality

We affirm the goodness of God’s design for human sexuality which prescribes the sexual union to be an exclusive relationship between a man and a woman in the lifelong covenant of marriage.

We deny that the pursuit of sexual pleasure is a justification for the development or use of AI, and we condemn the objectification of humans that results from employing AI for sexual purposes. AI should not intrude upon or substitute for the biblical expression of sexuality between a husband and wife according to God’s design for human marriage.

Genesis 1:26-29; 2:18-25; Matthew 5:27-30; 1 Thess 4:3-4

Article 5: Bias

We affirm that, as a tool created by humans, AI will be inherently subject to bias and that these biases must be accounted for, minimized, or removed through continual human oversight and discretion. AI should be designed and used in such ways that treat all human beings as having equal worth and dignity. AI should be utilized as a tool to identify and eliminate bias inherent in human decision-making.

We deny that AI should be designed or used in ways that violate the fundamental principle of human dignity for all people. Neither should AI be used in ways that reinforce or further any ideology or agenda, seeking to subjugate human autonomy under the power of the state.

Micah 6:8; John 13:34; Galatians 3:28-29; 5:13-14; Philippians 2:3-4; Romans 12:10

Article 4: Medicine

We affirm that AI-related advances in medical technologies are expressions of God’s common grace through and for people created in His image and that these advances will increase our capacity to provide enhanced medical diagnostics and therapeutic interventions as we seek to care for all people. These advances should be guided by basic principles of medical ethics, including beneficence, non-maleficence, autonomy, and justice, which are all consistent with the biblical principle of loving our neighbor.

We deny that death and disease—effects of the Fall—can ultimately be eradicated apart from Jesus Christ. Utilitarian applications regarding healthcare distribution should not override the dignity of human life. Fur- 3 thermore, we reject the materialist and consequentialist worldview that understands medical applications of AI as a means of improving, changing, or completing human beings.

Matthew 5:45; John 11:25-26; 1 Corinthians 15:55-57; Galatians 6:2; Philippians 2:4

Article 3: Relationship of AI & Humanity

We affirm the use of AI to inform and aid human reasoning and moral decision-making because it is a tool that excels at processing data and making determinations, which often mimics or exceeds human ability. While AI excels in data-based computation, technology is incapable of possessing the capacity for moral agency or responsibility.

We deny that humans can or should cede our moral accountability or responsibilities to any form of AI that will ever be created. Only humanity will be judged by God on the basis of our actions and that of the tools we create. While technology can be created with a moral use in view, it is not a moral agent. Humans alone bear the responsibility for moral decision making.

Romans 2:6-8; Galatians 5:19-21; 2 Peter 1:5-8; 1 John 2:1

Article 2: AI as Technology

We affirm that the development of AI is a demonstration of the unique creative abilities of human beings. When AI is employed in accordance with God’s moral will, it is an example of man’s obedience to the divine command to steward creation and to honor Him. We believe in innovation for the glory of God, the sake of human flourishing, and the love of neighbor. While we acknowledge the reality of the Fall and its consequences on human nature and human innovation, technology can be used in society to uphold human dignity. As a part of our God-given creative nature, human beings should develop and harness technology in ways that lead to greater flourishing and the alleviation of human suffering.

We deny that the use of AI is morally neutral. It is not worthy of man’s hope, worship, or love. Since the Lord Jesus alone can atone for sin and reconcile humanity to its Creator, technology such as AI cannot fulfill humanity’s ultimate needs. We further deny the goodness and benefit of any application of AI that devalues or degrades the dignity and worth of another human being. 

Genesis 2:25; Exodus 20:3; 31:1-11; Proverbs 16:4; Matthew 22:37-40; Romans 3:23

Article 1: Image of God

We affirm that God created each human being in His image with intrinsic and equal worth, dignity, and moral agency, distinct from all creation, and that humanity’s creativity is intended to reflect God’s creative pattern.

We deny that any part of creation, including any form of technology, should ever be used to usurp or subvert the dominion and stewardship which has been entrusted solely to humanity by God; nor should technology be assigned a level of human identity, worth, dignity, or moral agency.

Genesis 1:26-28; 5:1-2; Isaiah 43:6-7; Jeremiah 1:5; John 13:34; Colossians 1:16; 3:10; Ephesians 4:24