Daily Archives: December 30, 2019

CCPA: Everything you need to know about California’s new Privacy law

The law goes into effect on Jan. 1, 2020.

The most sweeping data-privacy law in the country kicks in Jan. 1. The CCPA, short for the California Consumer Privacy Act, gives residents of the Golden State the right to learn what data companies collect about them. It also lets Californians ask companies to delete their data and not to sell it.

The full impact of these new rights isn’t entirely clear because the regulations used to enforce the law are still being finalized. Still, companies inside and outside California are already scrambling to become compliant so that they can continue to do business in the country’s most populous state.

Nearly two years in the making, CCPA has prompted other states to consider their own privacy laws, some of which have already passed. The law is often compared to the European Union’s General Data Protection Regulation, currently the benchmark for online privacy.

Here’s what you need to know about CCPA and how it will affect you.

Is this law a big deal?

Yes. Before it went into effect, companies weren’t legally required to tell you what data they’d collected and you had little say over what they did with it. Now, if you live in California, you’ll be able to ask them to delete it or refrain from selling it.

What personal data does this cover?

CCPA covers all the stuff you might expect: your name, username, password, phone number and physical address. It also includes information used by companies to track your online behavior, such as IP addresses and device identifiers.

The law also covers information that can be used to characterize you, like race, religion, marital status, sexual orientation and status as a member of the military or veteran. It also covers biometric information like fingerprints or facial recognition data, your browsing history and location information.

Data found in public government documents is excluded, so companies can still learn if you’re married, for example. However, they have to collect that data directly from government records, not from other sources such as your social media accounts.

Can I tell Facebook and Google to get rid of my data now?

Yes. In fact, some major tech companies, including Facebook and Google, already let you delete some or all of their data about you from their systems.

These tools might not do exactly what you’d expect, though. For example, Facebook has begun rolling out a feature that lets users “disconnect” the data it has collected about their web browsing, but it doesn’t fully delete that data. Instead, it disassociates your name and profile from the data, which anonymizes it. Facebook then combines the data with other people’s, allowing it to monitor broader trends.

CCPA still allows companies to use anonymized data. However, the law sets a high bar for separating your identity from the information, with the aim of stopping someone from re-identifying a person from the data.

What happens if companies don’t follow the law?

Businesses can be fined $2,500 per violation, or $7,500 if the violation is found to be intentional. That could mean big fines if the violations affect large groups of consumers. The California Attorney General is in charge of investigating companies suspected of violating the law.

Critics say companies will be able to get away with breaking the law because the attorney general doesn’t have the resources to catch every violation. Xavier Becerra, the attorney general, has said publicly that his office isn’t equipped to fully enforce the law. He pushed for an amendment, which failed to pass, that would have let users sue companies directly.

The law gives Californians the right to sue businesses in one specific instance: if their personal information is lost in a data breach caused by a company’s negligence. Legal observers expect this to increase class action lawsuits against companies after they’re hit by hackers.

Can I still use free services if I ask them not to collect my data?

Yes. The new law says companies can’t turn away users if they opt out of the sale of their data. However, the companies can give you a stripped-down version of their offerings if you go this route.

The point is to prevent companies from charging all users who don’t want their data sold. That would leave users who can’t afford a subscription in the lurch, forcing them to allow the sale of their data so they can use services we’ve all come to rely on to communicate and access information.

If companies want to charge users who opt out of the sale of their data, the law says they have to disclose how much a user’s data is worth.

I don’t live in California. Will this law affect me?

Almost assuredly. While you won’t enjoy the right to opt out of the sale of your data or to ask companies to delete it, you’ll learn more about what companies are collecting about you. The law requires for-profit businesses to describe in their privacy policies the categories of data they collect about users.

Many companies are likely to extend some of these rights to everyone. That way, they won’t have to fuss with deciding whether the law applies to you, and they won’t risk denying a user their rights under the law by mistake.

Finally, the state of California is often at the forefront of new forms of legislation, including plastic bag bans, animal welfare laws and worker protections. Once California passes a law, other states tend to consider following suit. California is the country’s largest market with nearly 40 million residents, and carries a lot of weight. Already, nine other states are considering similar laws, and Maine and Nevada have already passed narrower versions of privacy legislation.

How is this different from that other big privacy law, the GDPR?

GDPR applies to companies with users in the European Union, and it regulates how companies can collect the same kind of personal information as CCPA does. However, the European law puts some stricter controls on how companies must approach collecting user data.

First, GDPR requires companies to get consent to collect data or to have some other valid reason for collecting user information. Second, it requires companies to minimize the data collected. CCPA doesn’t require companies to go through these steps to collect personal information, so any limits on data collection will be imposed by individual users who make requests to delete and opt out.

I heard there might be a federal privacy law. Where does that stand?

After the California legislature passed CCPA, several major tech companies told federal lawmakers they would like to see one privacy law that covers the whole country. Legislators have submitted several different laws since then, and the Senate Commerce Committee held a hearing on two competing bills in December.

Several aspects of a federal bill are up for debate, including whether consumers should be able to sue companies directly for violations, and how much authority to give the regulators who would enforce the law.

Thank you, Laura Hautala, for the great breakdown of CCPA.