As of January 1, Americans are finally protected by a comprehensive online privacy law—at least, the nearly 40 million Americans living in California are. But as with Europe’s General Data Protection Regulation (GDPR) from 2018, at least some aspects of the California Consumer Privacy Act (CCPA) could extend beyond the state.
“California’s law serves as a catalyst for the rest of the United States to be thinking deeply about privacy,” says Julie Brill, a former member of the Federal Trade Commission and now Microsoft’s chief privacy officer.
Some companies, including Microsoft, have pledged to offer all the new privacy rights for users throughout the country. And some proposed state and national legislation resembles the California law. Implementing the CCPA gives companies a jump on rules that may be coming for the rest of the country soon.
“Microsoft recognizes that California’s law will be a catalyst for the development of robust privacy laws in other states as well as Washington, D.C.,” says Brill, who recently testified at a U.S. Senate hearing on proposed federal legislation.
Here’s everything you need to know about the law, whether you live in California or elsewhere.
How does the law affect everyone?
Under the CCPA, Californians are entitled to know the categories of information collected and even see the specific bits of info a company has on them, such as their email or postal address. The disclosure of categories, at least, could extend to all users, not just Californians, since it’s hard for a company to know where a user is coming from.
Facebook tells Fast Company that complying with Europe’s GDPR, which it implemented globally, already put it in good shape for the CCPA. For instance, it already allows anyone to see what they have shared with the site, as well as additional data Facebook has collected on them, such as their search history and the kinds of ads Facebook thinks they will like.
In addition, Facebook has long allowed anyone to download a copy of the data they’ve shared—another right included in the CCPA. Likewise, for years Google has offered the ability to download data from an ever-growing list of its products (now over 50), such as Gmail, Maps, and YouTube. “If you put it into the Google system you should be able to get it back out again,” the company’s chief internet evangelist Vint Cerf told me once.
In many ways, the CCPA will strengthen the rights and features that at least some companies have already been applying, either on their own initiative or due to Europe’s GDPR.
CCPA also allows Californians to sue companies for data breaches. To the extent that lawsuits, or the threat of lawsuits, causes companies to improve how they handle data, all of their users will likely benefit.
What extra rights do Californians get?
The CCPA establishes some stronger rights for Californians than most companies are likely to have granted on their own.
For instance, California consumers can order companies to not “sell” their data to other companies—which is defined broadly to mean any kind of data sharing, whether it’s for money or not. California consumers can also order any company that has collected their data, and anyone the company has shared that data with, to delete it from their records.
They can’t opt out of future data collection, though. After seeing the kinds of information a company collects, it’s up to the consumer to decide if they are okay with the practice. If not, the only way to guarantee a company won’t collect their data in the future is to not use the company’s products or services.
One important point to keep in mind: It’s up to California consumers to actively assert these new rights. Hayley Tsukayama, a legislative activist for the Electronic Frontier Foundation, points out that the CCPA provides “opt out” rights. Companies don’t have to ask permission to sell user data. They only have to stop selling it if a user explicitly tells them to.
What kind of data is covered?
The CCPA defines personal data extremely broadly as anything that “is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Some examples include: name, postal address, IP address, email address, social security number, driver’s license number, browsing history, search history, and geolocation data. The law also addresses emerging technology by including biometric data, such as DNA or images of the eyes, fingerprints, hand, and face.
But there’s a catch: “Publicly available” information that federal, state, or local governments collect and publish is not protected. This includes property records, court filings, voter registrations, and birth, marriage, and death records. About 200 data broker firms in the U.S.—companies like BeenVerified, Intelius, SearchPeopleFree, and Spokeo—aggregate and sell this information and will keep doing so. And personal information doesn’t include anonymized user information—which is often the raw material for training machine learning AI models.
How do I see what data companies have on me?
The law requires that companies give Californians the option, for free, to see what categories of information they collect, what they use it for, and what kinds of companies they share it with. Companies need to tell consumers about this right at or before the point they would start collecting information—say, on a signup page for an online account, or a download page for an app. Companies also have to disclose any information they have already collected or shared—although only from the previous 12 months.
To see the specific information a company has collected, like actual phone numbers or addresses, a person will have to somehow prove they are who they say they are. It might just require signing in with their user account—if they have one—as is already the case with Facebook and Google. For a company you don’t have an account with, such as an online advertising network, the process could be more complicated. “There’s just a ton of questions on the process for how you go about verifying a consumer [identity],” Nisenbaum says. California consumers may have to submit a request on a web form, by email, or possibly a toll-free phone line.
The option to delete user data will likely be in the same part of the website where you request to view the data. For services like Facebook that are fundamentally based on sharing data, the only way to delete data they hold may be to delete your entire account.
How do I stop companies from selling my data?
You should expect a lot of contention around the concept of data sales, which is broadly defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
Facebook, for instance, says that it does not “sell” user information and thus is not affected by this part of the law. It sells ads based on a user’s data but doesn’t share the data itself with advertisers, the company says. However, Facebook has shared user data with app developers in the past. “Facebook has said that they don’t sell people’s information, but they certainly provided people’s information to app developers and received a benefit for providing that information,” says Jacob Snow, an attorney at ACLU of Northern California. “And that sounds like a sale to me.”
Facebook also makes tracking code, called a “pixel,” that reports back to Facebook what people do on other websites. If you looked at a sweater on an e-commerce site with the Facebook pixel, you might later see an ad for that sweater on the social network. Facebook claims that it’s only receiving information, and it’s up to the companies that place the pixel on their websites to comply with the rules around sharing data.
Google has been more accommodating by creating a tool for advertisers and website publishers. (Remember, the company is an online advertising network.) If advertisers or publishers receive a “do not sell” order from a California user, they can set the ads running on their sites to not send personal information, such as buying history and browsing history, to Google. This would prevent advertisers from targeting users with personalized ads.
How do I get a copy of my data?
Under the law, Californians can also get a copy of all the data a company has collected. The law says that a digital file with this information must be “in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit this information to another entity without hindrance.”
It doesn’t say what that format should be, but work on a method was already underway by some tech companies. The Data Transfer Project has been developing standards for moving data between online networks since 2018. Apple, Facebook, Google, Microsoft, and Twitter are all members.
If I tell a company to stop selling my data, are there any repercussions?
In theory, there should be no cost to Californians if they tell a company to delete or not share their data. The law claims that they have the right “to equal service and price, even if they exercise their privacy rights.”
Then come the exceptions. Companies can charge a different price or offer a different level of service, “if that difference is reasonably related to the value provided to the business by the consumer’s data.”
It’s unclear how this will play out. It seems like double-dipping for a site you already pay for, like a music streaming subscription service or an e-commerce site, to also make money from selling your data. And since Facebook claims it doesn’t sell data, it can’t claim to be losing money by not having the right to sell it. (Although deleting your data would effectively wipe out your account.)
The CCPA does allow a company to offer money or services to entice people into sharing data. One upshot of this: it might force companies to reveal how valuable consumer data is to them. Draft regulations for the law say that a company must make a “good-faith estimate of the value of the consumer’s data,” and use this estimate as the basis for offering either a financial incentive or different price or service.
How is the law enforced?
Enforcement could be the weakest part of the law. Except for data breaches (which we’ll get to in a moment), consumers can’t sue companies on their own for things like not deleting their data or continuing to sell it. “That really will limit how much people can vindicate their rights in court,” Snow says. “And also it’s going to limit the test cases that courts are going to be deciding for questions that might not be clear under the law.”
Californians can bring a complaint to the state’s attorney general, which has been lukewarm about its role as enforcer, saying it has the resources to pursue only a few cases per year. And the AG won’t even start bringing cases before July.
Further weakening enforcement: Companies have 30 days after being notified they are in trouble to fix a violation and avoid prosecution. Tsukayama at EFF calls this a “get out of jail free card” that could discourage the state from doing all the work to prepare a case it ends up having to drop. But Nisenbaum says that just notifying a company it’s in trouble—like in an open letter shared with the press—could be a powerful way to bring public pressure.
If a case does go ahead, the financial penalties are small for an individual violation—topping out at $7,500. But if a company’s actions affect all its users, like not providing an easy way to request data deletion, the costs can add up. The CCPA kicks in for companies with at least 50,000 users—which is not terribly big. But a violation affecting each of those users could add up to a devastating $375 million fine.
How do I sue a company for a data breach?
Negligence that leads to a breach of unencrypted data is the one offense Californian consumers can sue over. Awards are capped at $750 per person, unless people can prove that they suffered bigger monetary damages—which Nisenbaum considers unlikely to succeed, based on what he’s seen in other data-breach cases. It’s hard to imagine a law firm wanting to take on an individual case for virtually no money, but the CCPA does allow class-action lawsuits, which might prove lucrative enough.
Once again, companies are allowed 30 days to fix a violation and avoid a lawsuit. But it’s unclear how they would “fix” a data breach. “Once the genie is out of the bottle there, I don’t think you put it back in,” Nisenbaum says.
Will the CCPA really make a difference?
Despite the weak points of enforcement, the CCPA should compel all companies to make at least a passable attempt at complying with the law. In general, companies likely won’t want trouble with the biggest state in the U.S.—which is also the fifth largest economy in the world, and in many cases, the location of their main office.
And companies see the writing on the wall that other state laws, and possibly a federal law, will be coming. So they will have to up their game on privacy sooner or later. “They’re anticipating having to go through this again in 2020 and beyond to keep track of new laws [that will come out],” Nisenbaum says. “The discussion that we’re having with clients is: What do we do to hedge our bets?”
The CCPA also sets a powerful example of the kinds of privacy rights that are possible. With Europeans and now Californians winning new rights, citizens in the rest of the country may start asking why they don’t have such protections, and demand that they do.