In less than 24 hours, Californians ringing in 2020 will be entitled to new privacy protections under state law. At midnight on January 1, 2020, the California Consumer Privacy Act (CCPA) goes into effect. And while the act is nowhere near as sweeping as Europe’s GDPR, the law is groundbreaking for the U.S., which lacks a comprehensive federal data privacy law.
As Fast Company reported at the time of the law’s passage, in 2018, the CCPA weighed in at 31 pages and more than 10,000 words. But since it was “rushed to a vote,” the law “contains lots of vague, confusing, and maybe contradictory language that will fuel many political and legal fights.”
Even so, some things are already clear: The CCPA will introduce new controls and safeguards over the data of California residents (and perhaps other Americans, too), and companies operating in California are getting a taste of what could be the model for data-privacy laws coming down the pike in other states.
The CCPA provides five major protections
Despite the complexity and size of the CCPA, the new law offers Californians five main protections, explains Vox, though some of those protections are not quite as comprehensive as they may first appear:
- Companies must tell residents what information is being collected about them. They have the option, however, of doing this either before or as the information is being collected.
- Companies must tell residents what types of third-party companies their data is being shared with. But if you want to know the actual names of those companies, you’ll have to request that information directly from the company.
- Residents can opt out of having their personally identifiable data bought or shared with third parties.
- Companies must reveal the types of personal data they have on a resident. But, again, you’ll have to submit a request.
- Companies can’t penalize residents who opt out of data-sharing by charging them more for products and services. But they can offer incentives to people who opt in.
Amazon and Walmart must follow the law, but smaller companies are exempt
While the law is set to be an administrative headache for many companies, there’s good news for small businesses: the CCPA will not apply to them. As Yahoo reports, small businesses are exempt from the CCPA if they make less than $25 million in gross annual revenues or have personal data on fewer than 50,000 customers. (The law applies to any company that makes more than 50% of its revenue from selling customer data.) Companies that don’t follow CCPA rules can be punished by a fine of $2,500 per violation. That fine triples if the company is found to willfully violate the CCPA.
Even if you’re not from California, the law matters
To implement the changes required by the CCPA, companies are updating their privacy policies and creating new links and buttons that direct users to opt-out forms. As Slate reports, some companies may find it too onerous to roll out these changes only to Californians, which means that Americans living in other states could also benefit from the CCPA. Already, Microsoft has pledged to extend the CCPA’s “core rights” to users across the country.
More of this kind of legislation is coming
Maine and Nevada have already passed their own, less restrictive data-privacy laws. Nearly a dozen other states, according to CNET, are considering legislation to regulate how companies collect and use our data. And they’re surely paying close attention to what’s happening in California.