After years of legal wrangling, the U.S. finally has a major data privacy law. But it will only apply to California residents, and is far from the kind of protections offered by the European Union’s General Data Protection Regulation, or GDPR.
The law, called the California Consumer Protection Act, or CCPA, went into effect at the stroke of midnight on Jan. 1, and provides a host of new legal obligations for companies that collect, sell, and share consumers’ data, as well as protections for those consumers.
But some privacy advocates say the law doesn’t go far enough in its protections, including one of the people who helped draft the original proposal for California’s new privacy initiative.
CCPA will impact more than just Big Tech
According to the bill, any company that collects, shares or sells the information of more than 50,000 people and generated revenue of more than $25 million in the preceding year has to comply with the new law.
What’s more, companies impacted by the rules don’t have to be based in California; they simply have to do business in the state.
To be clear, the CCPA doesn’t specifically target the tech industry. While big tech companies ranging from Google to Facebook and Twitter are best known for their use of consumer data and surfing habits to sell ads, CCPA will impact far more than Silicon Valley’s biggest names.
The legislation will also apply to companies that collect consumer information via things like loyalty cards: think Walmart and Home Depot.
“The CCPA always started as a, basically, a private [Freedom of Information Act] request, so that you could go to a business and actually find out, not in legalese, but in plain English, what they are collecting about you,” explained Mary Stone Ross, a cybersecurity expert who helped craft the public initiative that would eventually become CCPA.
What you get from CCPA
If you live in California, CCPA gives you a number of privacy protections. The most obvious is the ability to opt out of having your data collected by companies. You’ll see a pop-up window or some other note asking if you’d like to stop allowing companies to sell your data to third parties.
“The CCPA adds new rights for consumers to access their personal information that’s held by companies, and it gives them a right to opt out of the sale of that information,” explained Jake Snow, technology and civil liberties attorney at the ACLU of Northern California.
“And so consumers on Jan. 1 will have the ability to exercise those rights with respect to the businesses that hold their personal information, and it will be interesting to see whether companies really give consumers the transparency and control rights that they are guaranteed by the CCPA.”
It’s not just about giving consumers the ability to prevent companies from selling their data, though. CCPA will also give California residents the ability to request exactly what kind of information companies have on them and request that it be deleted.
Protections for those around the country
While CCPA is a California-specific law, a number of companies have already come forward and confirmed that they will extend the act’s protections to consumers throughout the country.
“In order to provide a consistent experience to all of our customers, we plan to provide to all of our U.S. customers the data access and data deletion request processes that we provide to California customers under CCPA,” an Amazon (AMZN) spokesperson told Yahoo Finance.
Microsoft (MSFT) chief privacy officer Julie Brill explained in a November blog post that the company will similarly extend privacy protections to U.S. consumers.
“We are strong supporters of California’s new law and the expansion of privacy protections in the United States that it represents,” Brill wrote.
“This is why, in 2018, we were the first company to voluntarily extend the core data privacy rights included in the European Union’s General Data Protection Regulation (GDPR) to customers around the world, not just to those in the E.U. who are covered by the regulation. Similarly, we will extend CCPA’s core rights for people to control their data to all our customers in the U.S.”
Apple (AAPL) and Google (GOOG, GOOGL) have also announced that they will afford consumers outside of California the same rights as those from the Golden State.
“As we did with GDPR, we’ve made our CCPA data controls and tools available to all users globally, not just in California,” Rahul Roy-Chowdhury, vice president of product and privacy, wrote in a December blog post.
Pushback against the new law
While companies individually say they will comply with CCPA, they are also seeking changes to the regulations behind the law through the Internet Association, a trade association that represents companies including Facebook, Amazon, Microsoft, Twitter, and Google.
In a December letter to the California Department of Justice, the Internet Association lays out its objections to a litany of CCPA rules and obligations, stating that they are burdensome to businesses and could confuse consumers.
“The proposed regulations represent a leap backwards with new disclosure and notice requirements that don’t provide consumers strong protections or controls and harm businesses,” the Internet Association wrote.
In a press release, the Internet Association’s director of California government affairs Kevin McKinley said, “The internet industry is one of the most consumer-centric industries in the world, and our members lead the way in giving people meaningful control and the ability to access, correct, delete, and download data they’ve provided to companies.”
What CCPA doesn’t allow
As the ACLU’s Snow sees it, though, CCPA doesn’t go far enough when it comes to providing California consumers with the ability to fight back if a company collects their data against their wishes. Instead of giving individual residents the ability to take action against businesses, California Attorney General Xavier Becerra would move against such firms.
Fines levied against companies in violation of CCPA can reach as high as $7,500 per incident per day if they don’t comply within 30 days of notice that they are breaking the rules.
But Becerra has said that his office will only be able to handle about 3 incidents of CCPA violations each year. Consumers can, however, sue companies for privacy breaches.
According to Ross, the initial idea was for CCPA to provide users with the right to file suit whenever a company violated the terms of the law, but that was stripped out through the legislative process.
“I think that while there are many companies that are really earnestly trying to comply with the CCPA, I think equally there are companies that will say, ‘Oh, I’m going to take my chances,’ ” she said.