The California Consumer Privacy Act kicks in
California’s much-debated privacy law officially took effect on 1 January 2020, a year and a half after it was passed and signed.
The California Consumer Privacy Act (CCPA) is a state-level law that requires, among other things, that companies notify users of the intent to monetise their data and give them a straightforward means of opting out of said monetisation.
California governor Jerry Brown signed the bill into law on June 28, 2018 and the new compliance rules started this year. The CCPA applies to all businesses in California that meet one or more of these criteria:
- Has annual gross revenue in excess of $25 million
- Buys, sells, or shares the personal information of 50,000 or more consumers, households, or devices
- Derives 50% or more of its annual revenue from selling consumers’ PI
The state’s CCPA economic impact report predicts that 75% of California businesses will have to comply with the rules and that the initial investment in compliance will be about $55 billion.
A six-month grace period follows today’s official activation of the CCPA. But starting in June, offenses will be assessed with fines at the scale of thousands of dollars per violation, something that adds up quickly at the scales companies like Google and Facebook work in.
Some of its basic tenets include:
- Businesses must disclose what information they collect, the business purpose for collecting it, and any third parties with whom they share that data.
- Businesses will be required to comply with official consumer requests to delete that data.
- Consumers can opt out of their data being sold, and businesses can’t retaliate by changing the price or level of service.
- Businesses can, however, offer “financial incentives” for being allowed to collect data.
- California authorities are empowered to fine companies for violations.
The law is described in considerably more detail here, but the truth is that it will probably take years before its implications for businesses and regulators are completely understood and brought to bear. In the meantime, the industries that will be most immediately and obviously affected are panicking.
The Verge reports that it doesn’t look like anyone, even the state of California itself, is totally ready.
Draft regulations for enforcing the law are still being finalised at the state level, and questions about specific aspects of the most sweeping privacy regulation since the European Union’s General Data Protection Regulation (GDPR) are still not clear.
But the CCPA is likely to be an even greater compliance challenge. It’s the first sweeping legislation in the US to give consumers control over how their personal information is used online and may signal how other states will seek to protect their residents’ privacy, Reece Hirsch, co-head of Morgan Lewis’ privacy and cybersecurity practice, tells The Verge.
TechCrunch reports that a who’s-who of internet-reliant businesses have publicly opposed the CCPA. While they have been careful to avoid saying such regulation is unnecessary, they have said that this particular regulation is unnecessary and that what is required is a federal law.
Federal law would protect more people and there would be less paperwork for companies that now must adapt their privacy policies and reporting to CCPA’s requirements. But the call for federal regulation is transparently a stall tactic, and an adequate bill at that level would likely take a year or more of intensive work even at the best of times, let alone during an election year while the president is being impeached.
California wisely went ahead and established protections for its own residents, though as a consequence it will have aroused the ire of many companies based there.
Adapting to the CCPA will be difficult, but as the establishment of GDPR in Europe has shown, it’s far from impossible, and, at any rate, the former’s requirements are considerably less stringent.