California’s New Consumer Privacy Law is Now in Effect

As of January 1, California’s new consumer privacy law, the California Consumer Privacy Act (CCPA) went into effect. However, some aspects of the act are still being finalized, including regulations and specific aspects of enforcement. This is “the most sweeping privacy regulation since the European Union’s General Data Protection Regulation (GDPR).”

CCPA will force companies to adopt new rules. CCPA requires companies that monetize user data, by buying or selling data on at least 50,000 Californians each year, to disclose what information is collected, what the data is used for, and any third parties it is shared with.  They must also allow California residents to request that companies to not sell their data or to delete all of their personal data. Websites that use third-party tracking must add a button for people to click if they do not want their personal data sold; clicking that button will prevent that site from sending that user’s data to third parties. Companies can offer financial incentives for data collection, but they cannot change pricing on consumers that choose to opt-out.

“The broad definition of ‘sale’ is a pain point for a lot of companies because it potentially includes sharing information for online advertising,” Reece Hirsch, co-head of privacy and cybersecurity at Morgan Lewis said. Additionally, “Service provider agreements are another area where companies will have to take a close look at their practices; an agreement with a subcontractor or vendor should carefully spell out how any personal information is used or shared.”

The CCPA is the first US legislation to give users control of their personal data online. While the law is currently in effect, it is not likely to be enforced until July, after a six-month grace period according to California’s Attorney General. After this grace period, companies will be fined for violations. Other states may follow California’s lead, forcing companies to change practices based on states. In November, Microsoft announced that it would honor the core principles of the CCPA nationwide.

“The use of personal information has continued to evolve in ways that many consumers find increasingly offensive, as the drive to track us across all our devices, all the time, continues to be the focus for many businesses,” Alastair Mactaggart, founder of Californians for Consumer Privacy and author of the 2018 ballot initiative that led to CCPA, said.

Opponents of CCPA want federal legislation, instead of state-by-state regulation. The GDPR has shown that large scale regulation is possible after fixing adoption problems. It will take time to work out the bugs and implications for California’s new policy.