- California’s new privacy law — the California Consumer Privacy Act (CCPA) — is first-of-its-kind data legislation. As users’ data are increasingly commodified by technology conglomerates, the law — which went into effect on January 1 — gives Californians new controls over how companies use their data.
- These controls include the right to access the data, the right to ask for its deletion, and the right to prevent its sale to third parties. Significantly, because of the global nature of the Internet, these changes will affect users worldwide.
- “What this new law comes down to is giving consumers the right to take back control over their information from thousands of giant corporations.
- This is about power: the more a company knows about you, the more power it has to shape your daily life. That power is exercised on the spectrum ranging from the benign, such as showing you a shoe ad, to the consequential, like selecting your job, your housing, or helping to shape what candidate you support in an election,” Alastair Mactaggart, author of the 2018 ballot initiative that led to CCPA, wrote in the law’s proposal.
What rights does the CCPA give Californian users?
- They have the right to see what personal information businesses collect about them, and the purpose and process of the collection. Personal information refers to any information that can be linked back to the user.
- They can request and view what inferences the businesses make about them, and have the right to see details about their personal information being sold or given to a third party.
- Users can make businesses delete their personal information, and opt out of having their data sold to third parties. The law lays out some exceptions, such as information necessary for completing transactions, providing a service, protecting consumer security, and protecting freedom of speech.
- Users can get a copy of the collected personal information for free. Parents have to give permission to companies before the companies can sell the data of their children under the age of 13 to third parties.
To which companies does the law apply?
- The law only applies to businesses with gross annual revenues of more than $25 million; those that buy, receive or sell the personal information of 50,000 or more consumers in California; or those that derive more than half of their annual revenue from selling consumers’ personal information.
- The law applies to businesses collecting information of Californians; not just to businesses that operate in the state.
- Unintentional noncompliance will lead to fines of $2,500 per violation; intentional noncompliance will attract a penalty of $7,500 per violation.
- Some studies estimate it will cost businesses $55 billion to initially meet the standards, of which $16 billion will be spent over the next decade.
- One study has said that the law protects $12 billion worth of personal information that is used for advertising in California every year.
What has changed in practical terms?
- The law went into effect on January 1, but the California Attorney General has not begun enforcing the act yet. The AG will be allowed to take action six months after the rules are finalised, or on July 1.
- At the very least, companies will need to set up web pages and phone numbers to take requests. Users also may begin to see a new button on websites stating “Do Not Sell My Personal Information”.
- Several large companies have set up new infrastructure to comply. Google launched a Chrome extension to block Google Analytics from collecting data. Facebook has said that the law doesn’t apply to them since they do not “sell” data, and that they already have features that comply with the law (such as a tool that allows users to access and delete their information).
- Bloomberg has reported that a wave of new start-ups are pitching products to companies to help them adhere to the new rules.
How does this affect non-Californians?
- First, even Indian companies that have customers in California would have to comply with the law.
- Second, many firms are finding it easier to make the legal changes for all users rather than trying to distinguish users from California. Microsoft will roll out changes for all Americans, and Mozilla (which owns the Firefox browser) will make changes for all their users. The European Union’s General Data Protection Regulation (GDPR) too, shifted the entire Internet economy, not just that of the EU.
- California is often a trailblazer for legislation, inspiring other states and even countries to adopt similar regulations. In the US itself, there is bipartisan support for several new data privacy bills making their way through Congress now.
What are the criticisms of the Act?
- The Act gives users the right to stop the selling of their data, but not the collection of their data. So while this reins in the data broker system, it does not do much to affect companies like Facebook and Google that make most of their money by collecting the data, not by selling it. Advertisers pay Facebook to target ads to users based off that data; they don’t pay Facebook for the data itself.
- Some say the act places the burden of navigating this complex economy on users. Others argue that many of the provisions are vaguely worded — leaving concepts such as “third-party sharing” or “selling” up to interpretation. Experts told The Verge that compliance challenges will be greater with CCPA than with the GDPR.
How does this act compare with India’s proposed data protection bill?
- Several of these rights are also in India’s Personal Data Protection Bill. These include the right to access a copy of your data, and the right to deletion. India’s bill goes further in some regards, including the right to correction.
- However, India’s bill is more focused on users’ rights over collections, while California’s act is focused more on the third-party sharing and selling of a user’s data.