How California's New Consumer Privacy Act Affects You

Courtney Linder
Photo credit: Matt Anderson Photography - Getty Images

From Popular Mechanics

On January 1, the California Consumer Privacy Act (CCPA) went into into effect, and it could have big ramifications for any netizen in the United States—even if you don't live in California.

That's because this new privacy act in California means other states will be unable to completely skirt the rules. Similar to the General Data Protection Regulation (GDPR) that went into affect in the European Union in May 2018, CCPA is consumer-focused. That means that as long as you don't own a business that has to spend money to comply with the new law, you should be pretty happy about it. After all, it gives you new rights over your data and how companies may handle it.

That's a pretty good way to start off the new decade.

What Are These New Rights?

Under the new law (which you can read in full here), there are four primary new rights that CCPA gives to consumers and a few others that mostly apply to businesses. These have to do with rights to see what information a business has collected on you and the ability to have that firm delete it upon request.

Only a couple months into the new year and people are already taking advantage of their new rights. David Navetta—vice chair of the cyber, data and privacy practice at Cooley LLP, a law firm based in Palo Alto, California—told Popular Mechanics that his firm is already seeing clients get data requests.

"It’s a novelty right now. Whether that wears off or people will remain active, it’s hard to tell," Navetta says. In Europe, he added, clients that must respond to GDPR are getting hundreds, if not thousands, of data requests. That may or may not be an indicator of what to expect from CCPA moving forward.

"I think privacy-forward people or those who are just curious are going to do it," he said. "I think lawyers will do it to support lawsuits and we’ll probably see consumer groups testing companies."

As for the average person, he expects to see mostly data deletion requests. To participate at all, though, you have to understand your rights. Here are the four rules you need to know about:

1. "The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information."

This means that businesses have to tell you either before or during data collection what information they're gathering from you. CCPA's definition of what counts as "personal information" is more or less what you'd expect: your name, your internet browsing history, pretty much anything that can be traced back to you. Therefore, not all data is created equal and probably should not be regulated as such, according to Ari Levenfeld, chief privacy officer at Quantcast.

"Data falls on a spectrum of sensitivity, ranging from personally identifiable information like names and email addresses, to less sensitive information such as pseudonymous data that is based on probabilistic, indirect identifiers like cookie IDs and IP addresses," he told Recode. "The implications of exploiting or misusing the different types of data are fundamentally different, and therefore the regulations aimed at mitigating privacy risks should reflect those nuances.”

It's too early to tell how the courts will interpret this new law.

2. "The right to delete personal information held by businesses and by extension, a business’s service provider."

This means that you're entitled to know whether any of your personal information, as outlined above, has been sold, and if so, to whom.

A really good example of this is Facebook, which released a new data privacy tool
in January, called "Off-Facebook Activity." It includes information that businesses and organizations outside the Facebook app have collected on you. For instance, you may have bought a pair of shoes from Nike's website three months ago. The retailer shares your activity with Facebook and it's saved to your account. Then, Facebook uses that information to personalize ads for you.

In this case, you are legally allowed the right to ask a company like Facebook to delete all of the data it has about you. To learn how to do that, click here.

3. "The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt in consent, with a parent or guardian consenting for children under 13."

To put it simply, you can tell companies like Amazon to quit selling your browsing history to other companies. This is a big deal since so much of the digital economy is based on the ability to market and advertise a product, Navetta says.

You can see that in the case of Off-Facebook Activity, too. There is an option to opt out of future sale of personal information about your browsing history, which effectively kills Facebook's personalized ads strategy.

4. "The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA."

This feature means that a company can't take any retaliatory measures toward you if you opt out of them selling your information.

"Essentially, if you’re a consumer and you opt to exercise your right to delete data, the company is not supposed to be able to give you a lesser service because you exercised some of your rights," Navetta says.

So, you can now ask Facebook to stop using information about your browsing history to fill ad space in your timeline.

The desire to avoid being tracked across sites on the internet is apparent due to the popularity of ad-blockers, Navetta adds. "Privacy is about not being bothered in a way."

How To Request Data

Photo credit: Justin Sullivan - Getty Images

This is going to vary by site, but again, each one should notify you of your rights and let you ask for copies of your data, ask to have it deleted, or ask the company to stop selling your data, completely. There will usually be a button or link at the bottom of the page—or possibly under a "privacy" tab—that outlines your rights under CCPA as it pertains to your usage of that website, plus a form to fill out to request your information or some other process to ask for changes or to acquire data.

For Those Outside California...

While the CCPA only holds jurisdiction over the state of California, a whole bunch of companies already have most of the right protocols in place to become CCPA-compliant. Many international companies have already had to make changes to their privacy policies due to Europe's General Data Protection Regulation.


Don't be disgruntled: other states are already taking action to follow California's lead in the data privacy space. CCPA is essentially setting the tone for privacy laws in the 49 other states, Navetta says.

In Nevada, for instance, a new data privacy law is already in place. Nevada Senate Bill 220 Online Privacy Law was enacted in May 2019. The legislation gives consumers the power to opt-out of the resale of their personal information and was directly modeled after CCPA.

The Maine Act to Protect the Privacy of Online Consumer Information was signed into law the following month, preventing the "use, sale, or distribution of a customer’s personal information by internet providers without the express consent of the customer," according to Maine.gov.

According to Navetta, Washington almost signed a state law to give consumers the right to access their data, too. It seems it's only a matter of time before most states have some form of privacy law like CCPA, given that it's a pretty bipartisan issue.

"California is definitely influential," Navetta says.

Is This the Law's Final Version?

Yes and no. CCPA officially went into effect on January 1, 2020, but just a month in, California legislators are already working on an expanded version.

Back in 2019, an advocacy group called Californians for Consumer Privacy, led by Alastair Mactaggart—the mind behind CCPA—submitted a new ballot initiative proposal for a more aggressive version of the privacy law, as it stands. The draft policy is called the California Privacy Rights Act of 2020 (CPRA) and it would give Californians even more control over their personal data.

If Californians for Consumer Privacy round up enough signatures—and 623,000 are required—to get CPRA on the November 2020 ballot, we just may be starting out 2021 with even more consumer privacy protections.

You Might Also Like