After months of lobbying, hand-wringing, and debate, the California Consumer Privacy Act (CCPA) finally went into effect Jan. 1.
It grants California residents powerful new privacy protections, some of which could be extended to consumers across the country. However, it will take months for all the regulations to kick in and even longer to see how effectively the law reins in the worst privacy infringements.
The CCPA gives Californians several basic rights: the right to know what personal information is being collected about them, the right to access that data, the right to know who it’s being sold to, and the right to opt out of those sales.
Among other stipulations, the California privacy law also guarantees people the right to delete data that has been collected already.
“The CCPA is certainly historic,” says Justin Brookman, director of privacy and technology policy at Consumer Reports. “It provides new rights around commercial data collection that have never existed before in this country.”
However, Brookman says the CCPA may also have significant shortcomings that regulators need to account for.
“The law was hastily drafted and has potential loopholes that industry has signaled it will use to get around the law’s protections,” Brookman says. “We hope the California attorney general will interpret the law as it was intended, whether in its regulations or in its enforcement. If not, the legislature will need to go back and close up inadvertent vagueness in the law’s protections.”
No matter how the CCPA plays out, it’s big step in U.S. privacy law, and significant changes take effect immediately. So what now? Here’s what the CCPA means for you.
What’s Actually Different?
First, let’s look at what’s changing for California residents.
Some companies, such as Google and Facebook, already provided Californians with options for downloading and deleting their data, but they didn’t have an obligation to do so. Today, thousands of other companies are joining the tech giants by giving Californians more control over their data as a result of the CCPA.
“Before, if you went to a company and said, ‘Give me my data,’ they could make you pay for it, or just tell you to go pound sand,” Brookman says. “Now it’s a legal right.”
Companies that let residents download their data in the past may have to provide more details about what they’ve gathered. That’s because the new law provides a broad definition of “personal information” that must be disclosed if it’s being collected.
If Californians don’t like what they see when they download that data, they now have the right to delete it as well.
Companies also are now required to provide details about the kinds of third parties that California residents’ data is being sold to. Californians might not find a list of all the companies that get copies of their data, but it will be an unprecedented window into a sector of the economy that traffics in personal information.
The most significant change will be the opt-out link that Californians will start seeing at the bottom of web pages. If companies sell their data—which includes any transfer or sharing of information to another business “for monetary or other valuable consideration”—they’re required to provide a conspicuous button that says, “Do Not Sell My Personal Information.”
However, Brookman says it remains to be seen how effective these opt-outs will be. For example, opting out may be an ineffective way to stop the data collection that fuels targeted advertising from some companies, including Google and Facebook, which argue that they don’t share or sell their users’ data in the first place (more on that below).
In the meantime, using an ad blocker is still one of the best ways to stop companies from spying on you.
Is Every Company Included?
The CCPA doesn’t apply to every business. In general, a company is covered only if it has an annual gross revenue of more than $25 million, deals with the personal information of 50,000 or more consumers a year, or generates at least half of its revenue from selling consumers’ personal information.
“A lot of companies will still be looped into it,” Brookman says. “Your small brick-and-mortar stores running an email list with only a couple thousand people on it will be okay. But for online companies, it’s probably going to apply pretty comprehensively.”
The CCPA will cover businesses that you might not think of as data harvesters, like your cell-phone carrier, news websites, and retailers with loyalty programs. You may be surprised to learn who’s doing what with your data.
“Companies can’t mislabel data selling anymore. No more ‘sharing’ data with ‘partners,’ and so on,” says Chris Hoofnagle, an adjunct professor at the University of California, Berkeley, School of Law. “There’s a moment of confrontation here where the industry is being forced to reckon with the idea that when you take data about people and send it to 30 different advertising companies who then give you money, that’s a data sale."
What If You Don't Live in California?
Experts on privacy law expect some companies to extend the protections guaranteed by the CCPA to people in other states, rather than treating customers differently depending on where they live.
That’s what happened in many cases after the passage of the GDPR, Europe’s sweeping privacy law.
But those changes may not come immediately.
In part, that’s for technical reasons. When you think about data, you might imagine automated systems that work with little human intervention. “In reality, it’s going to be much more of a manual process,” says Christine Lyon, a partner at the law firm Morrison & Foerster who works with companies on CCPA compliance.
That’s particularly true for firms that never had to deal with consumer data requests in the past. Until companies get a feel for how much work is involved, Lyon expects most businesses to only commit to honoring requests from Californians.
But eventually, consumers in other states may find they’re able to make the same data requests as Californians, and some companies may be more inclusive up front. Microsoft, for one, has promised to honor California’s new privacy rights for consumers throughout the United States.
No matter where you live, the California privacy law’s broader effects could be good for your privacy. The new transparency requirements, for instance, could push companies to make changes in their privacy practices and even consider collecting less data in the first place, Lyon says.
“A lot of companies do not want to include that ‘Do Not Sell My Personal Information’ link if they can avoid it and are looking at the types of data sharing they engage in to see if it’s really something they want to keep doing,” she says.
What Should You Do First?
“So many of the rights under the CCPA don’t kick in unless the consumer takes action,” says Maureen Mahoney, a policy analyst at Consumer Reports. However, it isn’t hard to start exercising those rights.
Californians can perform a little experiment to find out whether companies are following the law.
File a data access request to get a copy of your personal information. Then request that your data be deleted. Once you’ve done that, file a second data request and compare the results to see what was actually erased.
The law carves out exceptions to the kinds of data that need to be deleted, such as information needed for security or fraud prevention. But if you think you’ve spotted a company skirting their CCPA responsibilities, let Consumer Reports know. You can also contact the California attorney general’s office. Keep in mind that companies are required to provide you with personal information only twice every 12 months.
The CCPA takes aim squarely at data brokers, the many companies that make their money sponging up data about consumers and providing it to other businesses. The CCPA provides a unique opportunity to find out what information data brokers have collected, and demand that they stop selling your data.
Data brokers are being required to register with the state by the end of January, but for now, a similar registry from Vermont is a good place to start hunting for the names of data brokers that may also be operating in California.
There’s another important tool built into the application you’re using to read this article right now: the “Do Not Track” button in your browser’s settings. For years, it has been an open secret that Do Not Track settings don’t actually do much—websites aren’t required to respect the setting.
But the California attorney general’s draft guidelines suggest that these browser settings could become legally binding, universal opt-outs under the CCPA. They're not effective yet, but they may be powerful privacy shields in the near future.
Opting out of the sale of your personal information is the most proactive step, but initially that may be a bit of an arduous process.
“At this time, consumers still have to opt out one by one with every individual company that’s selling their data,” Mahoney says.
However, the California privacy law lets consumers choose to have a third party exercise privacy rights on their behalf, so soon there may be services that do the work for you.
Will All Companies Comply?
“A minority of companies are torturing the language of the CCPA in order to declare that they are simply not covered by the law at all,” Berkeley’s Hoofnagle says.
Many companies involved with online advertising industry argue they are acting as “service providers,” which are exempt from many of the CCPA’s regulations.
Facebook, for one, says its practices won’t fundamentally change.
The social media giant’s trackers, such as the Facebook Pixel, are spread across websites and enable Facebook to follow consumers all over the web. However, the company says the onus is on those websites to decide whether they’ll stop sending Facebook data when consumers hit the opt-out button.
According to a Facebook spokesperson, there’s nothing for consumers to opt out of directly on the Facebook platform, either, because the company says it doesn’t sell any consumer data.
Google did not respond to Consumer Reports’ requests for comment, but the company’s public statements indicate that it will take a similar position.
“That interpretation is strategic,” Hoofnagle says. “Companies like Facebook can buy time quibbling over the law’s application and, in the process, continue business as usual until a court forces them to do otherwise.”
It will be up to the California attorney general and the courts to determine whether such arguments hold water. The attorney general is set to release guidelines by July 1 that will detail the scope of the law and provide more insight on how the CCPA will be enforced.
There are other open questions, as well. For instance, the CCPA doesn't bar companies from charging consumers extra fees for using their services if they opt out of the sale of their data. On the other hand, some experts predict that companies will be hesitant to penalize consumers for trying to protect their privacy.
In some cases, opting out may limit your use of a service altogether. For example, the job search platform Indeed prompts consumers to delete their accounts if they request that the company stop selling their data. Some privacy experts say such trade-offs should be out of bounds.
“Privacy should be considered a fundamental right, not something that companies can coerce you to bargain away,” Brookman says. “Consumers can’t sell their right to vote or to speak. We should think of privacy the same way.”
Editor's note: An earlier version of the article stated that Consumer Reports supported passage of the CCPA. The organization supported the ballot initiative leading to the law, but not the legislation in its final form.