Despite the steady parade of hacks, scandals, and outright corporate incompetence that peppered the last decade, the United States still doesn’t have anything close to a meaningful privacy law, thanks in part to corporate lobbying and revolving door regulators.
That changed Wednesday with the arrival of the California Consumer Privacy Act (CCPA), a new state law that took effect at the start of the new year. The CCPA will force companies to disclose what data is collected and who it’s being sold to, while providing consumers the ability to opt out of having their data sold to third party data brokers and dubious middlemen.
While the CCPA is not a federal law, many companies—like Microsoft—say they’ll be adjusting their privacy practices country wide in order to streamline compliance.
What will change for you under the CCPA?
Until now, corporations have been allowed to collect vast troves of personal consumer data, while tap-dancing around what’s precisely being collected and who it’s sold to. Penalties for violating consumer trust and privacy are often either non-existent, or—as the FTC’s Equifax settlement made clear last year—surreal in their meaninglessness.
Under the CCPA that’s all (theoretically) supposed to change.
Under the law, companies will need to advertise a conspicuous “do not sell my personal information" opt out option on their websites and in physical stores, making it easy for users to stop the sale of location, biometric, or other data with a few clicks. Companies must also provide access to any data that’s been collected within 45 days upon user request.
There’s a few caveats: companies can still sell your data if it’s “anonymized,” even though numerous studies have shown this data isn’t all that anonymous. And while you can ask a company like Google to stop selling your data, this won’t stop the data collection itself.
Your experience will vary depending on the company you’re dealing with. Twitter, for example, has created a new privacy center with a clear link to user privacy settings. Microsoft says users will be able to opt out of data sales via its privacy dashboard. Companies like Home Depot have also updated their websites to simplify the process.
Under the law, companies can’t discriminate against users who opt out of data collection, though groups like the Electronic Frontier Foundation say the CCPA needs expanding to stop companies from making privacy a luxury option (AT&T, for example, has charged its broadband customers hundreds of extra dollars per year for opting out of behavioral ads).
Who does the CCPA apply to?
Not everybody will have to comply with the law. The CCPA only applies to companies that earn more than $25 million in gross annual revenue, collect personal data on more than 50,000 users, or make more than 50 percent of their revenue selling user data.
It’s also worth highlighting that while the bill technically took effect on January 1, California’s Attorney General has stated enforcement isn’t likely to begin until sometime this summer, giving lawmakers some additional time to work out some early kinks, clarify murky language, or water down existing requirements upon lobbyist request. Already we're seeing that some companies aren't complying with the law.
Groups like the Electronic Frontier Foundation say they spent the better part of 2019 trying to keep lobbyists from numerous industries from weakening the bill, since empowered, informed consumers will inevitably opt out of data sales, costing companies billions.
“The Internet Association ran misleading ads on social media promoting amendments to weaken CCPA, and spent $176,000 to lobby the California Legislature in just the second quarter of 2019,” the EFF said. “The Internet Association is made up of dozens of the biggest companies that harvest and monetize personal information, including Facebook and Google.”
Said companies routinely highlight a California AG report that found compliance will cost industry around $55 billion—ignoring the trillions that have been made by hoovering up and selling consumer data to any nitwit with a nickel with little real oversight.
Will the CCPA actually be enforced?
One big hurdle for the CCPA: laws are only helpful if they’re actually enforced. The European Union’s General Data Protection Regulation (GDPR), generally considered the template for California’s weaker legislation, has been criticized as relatively toothless in practice given that there have been few serious efforts to hold companies accountable under the new law.
Under the CCPA, companies will need to pay $2,500 for each violation or $7,500 for each intentional violation. But there’s obvious questions as to whether California’s AG can effectively enforce the law at this scale, as well as concerns that a “cure provision” in the law could let companies off the hook if they make minor, theatrical efforts to resolve complaints.
Companies like Facebook are already laying the groundwork to try and tap dance around many of the law’s new requirements, while making its own opt out process as murky as possible.
Even if enforcement is a challenge and the CCPA needs work, the law is at least forcing corporations to simplify your ability to opt out of data sales, while launching a more serious conversation about what a real US privacy law should look like.
The CCPA is best viewed as a shaky first step toward corporate accountability after decades of apathy and corruption. The bill is sure to change—for better and for worse—and is just one part of a tooth and nail battle to bring something vaguely resembling accountability to companies that spent decades treating consumer privacy as a distant afterthought.