Does this look familiar? “We’ve updated our privacy notice to provide additional transparency on our information practices as well as to comply with the CCPA.”
This holiday season, inboxes have been filled not only with promotional emails but also dozens of privacy notes.
California’s new privacy law — the California Consumer Privacy Act (CCPA) — goes into effect January 1, 2020. That’s why Postmates, Condé Nast, Hulu, and many more businesses have emailed customers over the past few weeks with new terms of service.
What is CCPA?
CCPA regulates how companies collect and store data. The law applies to for-profit companies that generate more than $25 million in annual gross revenue, have more than 50,000 people’s personal data or generate more than 50% of their annual revenue from selling customers’ personal data.
California residents can now demand those companies disclose what data they have collected on them, and the law requires companies delete that data when users ask them to.
Companies must disclose how their customers can contact them to request their data be forgotten. Square, for example, lists an email specifically for privacy issues.
Why now?
Big scandals, including Facebook’s Cambridge Analytica crisis and Equifax’s data breach, have angered legislators. Many lawmakers are looking to rein in some companies’ seemingly unfettered access to people’s data, giving users more power over their personal information.
Facebook, Google, Amazon and other tech platforms are affected by the law. That’s a big deal, because they generate the vast majority of their revenue from targeted advertising. The law does not prevent them from collecting data, but it requires them to be more explicit about what data they’re collecting.
Does it only affect California residents?
Non-California residents cannot request their data be deleted. But they will be able to read through the new terms of service and see what data companies are collecting.
Other states are also mulling similar regulations on data privacy. Lawmakers have considered a federal privacy law. Facebook CEO Mark Zuckerberg has called for a “global framework” for data privacy regulations.
Sounds like GDPR?
Yes and no. General Data Protection Regulation, or GDPR, is a EU law that was implemented May 2018.
Both GDPR and CCPA are privacy laws that address collecting and storing data, but they handle it differently. GDPR requires that people must consent to a company collecting their data. CCPA doesn’t require an opt-in, but it mandates that people have an ability to opt-out from collection.
GDPR also applies to all companies — not just for-profits of a certain size — and it regulates all types of personal data. CCPA applies to personal data that is not available in government records.
How will CCPA affect tech companies
The impact of this law is hard to measure, because it requires consumers to take action.
Initial compliance may cost companies up to $55 billion, collectively, according to an economic impact assessment prepared by an independent research firm for California’s Department of Justice.
If companies purposefully ignore CCPA, California will fine them$7,500 fine per violation. Other rule-breaking carries a maximum fine of $2,500 per violation. California’s Justice Department will begin enforcing the law on July 1. There’s a six months grace period from the law’s implementation to enforcement.