CCPA, Explained

On January 1, California instituted the California Consumer Privacy Act (CCPA), a law designed to protect consumer data and enhance privacy rights for state residents. You may have heard about CCPA in national legislative debates over privacy or followed the backlash from tech companies, but what exactly is the new privacy law? And what does it mean for you and your personal data? We’re getting down to the basics to understand the new privacy landscape created by the CCPA.

When did this debate start?

The bill was first introduced in the California legislature in January 2018 and signed into law by Governor Jerry Brown on June 28, 2018. The CCPA was modeled off the General Data Protection Regulation, or GDPR, that was implemented in the European Union in May 2018. Both laws stem from a strengthening call from data-privacy advocates for governments to play a larger role in protecting consumer data. Following privacy-infringement incidents including the Cambridge Analytica scandal, where 87 million Facebook users had their data exposed to the political consulting firm, consumers started speaking up and demanding a focus on how tech companies gather and disseminate data.

What does the law do?

The goals of the law are multi-dimensional. There are five main tenets of the Act as stated in the text of the bill:

  1. The right of Californians to know what personal information is being collected about them.
  2. The right of Californians to know whether their personal information is sold or disclosed and to whom.
  3. The right of Californians to say no to the sale of personal information.
  4. The right of Californians to access their personal information.
  5. The right of Californians to equal service and price, even if they exercise their privacy rights.

In practice, that means Californians have the right to request information about what data has been collected and why, and the right to refuse the sale of their personal data. You will start to see updated privacy policies beginning this year, and opt-out options for selling data will appear on websites. The fifth tenant of the law prohibits discriminating against customers who choose to exercise their CCPA rights to personal data.

Who does the law affect? 

The CCPA applies to businesses operating in California that earn more than $25 million in gross revenue, that collect data on more than 50,000 people, or when sales of consumer data tops 50 percent of their revenue.

Even though the law was passed only in California, it effectively rewrites the behavior of the internet. All national brands meeting one qualification of the CPPA are required to adhere to the new guidelines. Certain companies, including Microsoft, will honor the privacy rights outlined in the CCPA throughout the U.S.

Why the “scramble”?

Some narratives around the CCPA are framing the law as unresolved and leaving too much room for interpretation. One of the debates is surrounding a loophole where companies can vow to de-identify data, or strip personal identifiers, and escape the regulations of the CCPA. The law has yet to be tested in the courts and we can expect the judicial interpretations to clarify the intentions of the Act.

Other critics claim the CCPA places an undue burden on companies. California’s attorney general’s office released a report estimating that businesses across the state will have to spend an extra $55 billion to comply with the new standards, about $55,000 to $2 million for each affected business. Although the focus is on large corporations, small businesses collecting customer email addresses may be subject to enforcement. Enforcement is set to begin on July 1, 2020, allowing firms a six-month grace period to adjust to the new regulations.

What will be the impact?

In many ways, the impact of the law will be determined by the consumers. Since the CCPA places the burden of requesting data onto the individual, the utility will be determined by the users. Unlike the GDPR in Europe, the CCPA requires customers opt-out of allowing firms to sell their data rather than opt-in. 

The CCPA could be the catalyst for a national law on consumer privacy. The U.S. House of Representatives introduced an Online Privacy Act of 2019 in November, with parallel efforts in the Senate. Several states including New York, Washington, and Colorado are engaging with the privacy debate and will likely look to California as a model for new policies. 

The immediate impact is coming back to your work inbox today to find it flooded with privacy policy updates. However, as we look forward to defining the privacy landscape in 2020, expect the CCPA to factor heavily into any future national policy on data privacy.

Katherine Cann manages the EthicalGEO Initiative for the American Geographical Society. As a geographer, she uses geospatial tools to better understand the world around her. As a citizen, she engages with geotech privacy debates. Become a part of the EthicalGEO conversation, follow us @EthicalGEO or email info@ethicalgeo.org.