Explainer: The California Consumer Privacy Act and how it affects you

On Jan. 1, 2020, the California Consumer Privacy Act (CCPA) will take affect in the Golden State, but its reach will go much further than you might expect. Signed into law by Gov. Jerry Brown on June 28, 2018, the CCPA is a groundbreaking piece of legislation that will forever change how each of us use technology products and how U.S. companies use our consumer and business data. Regardless of your political views on privacy and data issues, this California law will likely become the de facto law of the land because most technology companies like Twitter, Facebook, Google, and Apple are headquartered there. Thus, they must adhere to California law as they offer services to the rest of the nation as well as the larger international community.

What is the CCPA?

CCPA is a piece of legislation that was designed to give technology users enhanced privacy rights and consumer protections surrounding the use of personal data. CCPA will essentially allow you to see what personal data a company has collected on you, how it is being used, and allow you to delete that data or stop the company from selling it to third parties. The legislation was introduced on Jan. 3, 2018, in the California legislature by Rep. Ed Chau and State Sen. Robert Hertzberg. It was passed by both houses of the California legislature and signed into law on June 28, 2018, by Gov. Brown to amend Part 4 of Division 3 of the California Civil Code, which is a set of statutes that governs obligations of those who reside in California. Prior to the CCPA being signed into law, there was a strong effort among many California residents for some form of privacy regulation. The passage of the CCPA headed off a ballot initiative that would have gone before the voters during the midterm elections in November 2018, led by privacy advocate and real estate developer, Alastair Mactaggart.

The current law has come under intense scrutiny by privacy advocates and others. Privacy advocates argue that the bill does not go far enough in establishing personal data privacy rights for individuals and corporations as other laws such as the GDPR, while others argue that it will do irreparable damage to businesses and their ability to sell their services. Opponents argue that the sheer cost of implementation outweighs the potential benefits to consumers, who have already given consent for the capturing of data.

The CCPA has six major components. It gives users the ability to: 1) know what data has been collected on them; 2) know if this data has been sold and to whom; 3) say no to the sale of this data; 4) access this personal data; 5) request the deletion of this data; and 6) not be discriminated against for exercising these rights.

What does this mean?

The U.S. does not currently have any federal privacy regulations pertaining to the collection, use, and sale of personal data as broad as CCPA. While many federal statutes regulate the collection and consent of data on minors, the U.S. has historically sought to let the market decide these tools as opposed to the more regulatory frameworks found in the European Union and other countries. The EU enacted the General Data Protection Regulation (GDPR) on May 25, 2018, which has already affected many U.S. companies doing business in the EU. 

You likely have seen various aspects of the GDPR implemented as you browse the web and use technological services. In conjunction with the GDPR, many sites implemented detailed privacy policies, sought to reaffirm personal consent for the use of tracking data on the internet in terms of cookies, and publicized their privacy policies on their websites and through email correspondence. This all was to ensure that these companies and organizations complied with the GDPR rules even though they reside in the U.S. because of the global use of the internet and these services. Many companies expanded these privacy tools to the wider public as they complied with the GDPR, such as described in Microsoft president Brad Smith’s new book, Tools and Weapons: The Promise and the Peril of the Digital Age.

U.S. retailers are estimated to spend almost $100 million to provide these services to consumers because this level of data access requires rethinking and rebuilding their services and systems to comply with the law. The stakes for noncompliance are high, as consumers and the California attorney general can now bring lawsuits for data breaches and regulatory action including potential fines. After the first year of new regulations under the GDPR in the EU, the European Data Protection Board reported that €55,955,871 ($61,227,564.00 US) in fines were levied against companies for not complying with the GDPR, including a single fine of €50,000,000 against Google.

Since the CCPA was passed in the California legislature, there has been a concerted effort among many in the privacy and technology sectors pushing for a federal privacy law. Some advocate for a federal version of the CCPA giving all U.S. consumers the same level of protection and transparency, while others have pushed for a more neutral privacy regulation that is less taxing on companies while providing more limited consumer-level access to data. In September 2019, more than 50 CEOs have urged the U.S. Congress to pass a federal privacy law.

Why does this matter?

Each day countless pieces of data are collected about us from the online services we use. Every bit of data is captured by technology companies and used to strengthen their systems and products. The things we share have also become a powerful resource for companies to leverage as they provide predictive products to marketers and other companies. We often trade some level of privacy to have access to these tools and services because they provide immense benefits to our everyday lives.

This data can include personal information such as name, email, race, sex, gender identity, and various other data points which are used to market services and products. Essentially anything put online can be stored, analyzed, and sold by the companies whose products we use. But recently many have called into question the ethical bounds of marketing and even what data is being captured on our children and the effects on their privacy.

CCPA and other forms of future privacy legislation will affect how each of us use technology and even potentially alter our interaction with these companies, for good and bad. With the high costs of operating systems, some companies may choose not to offer certain services or tools to consumers. But it is also possible that privacy legislation will allow us to use technology with greater transparency and openness. Time will tell the exact impact CCPA will have on businesses and consumers, but we must be aware of the contours of it as it goes into effect on January 1, 2020.