CCPA is here: California's privacy law gives you new rights

Here's everything you need to know about the new law.

Laura Hautala Former Senior Writer

The California Consumer Privacy Act took effect Jan. 1.

This story is part of a series on the California Consumer Privacy Act. The law went into effect on Jan. 1.

The most sweeping data privacy law in the country kicked in Jan. 1. The CCPA, short for the California Consumer Privacy Act, gives residents of the Golden State the right to learn what data companies collect about them. It also lets Californians ask companies to delete their data and not to sell it.

Companies inside and outside California have been scrambling to become compliant so that they can continue to do business in the country's most populous state.

Nearly two years in the making, CCPA has prompted other states to consider their own privacy laws, some of which have already passed. The law is often compared to the European Union's General Data Protection Regulation, currently the benchmark for online privacy.

Here's what you need to know about CCPA and how it will affect you.

Is this law a big deal?

Yes. Before it went into effect, companies weren't legally required to tell you what data they'd collected and you had little say over what they did with it. Now, if you live in California, you'll be able to ask them to delete it or refrain from selling it.  

What personal data does this cover?

CCPA covers all the stuff you might expect: your name, username, password, phone number and physical address. It also includes information used by companies to track your online behavior, such as IP addresses and device identifiers.

The law also covers information that can be used to characterize you, like race, religion, marital status, sexual orientation and status as a member of the military or veteran. It also covers biometric information like fingerprints or facial recognition data, your browsing history and location information.

Data found in public government documents is excluded, so companies can still learn if you're married, for example. However, they have to collect that data directly from government records, not from other sources such as your social media accounts.

Can I tell Facebook and Google to get rid of my data now? 

Yes. In fact, some major tech companies, including Facebook and Google, already let you delete some or all of their data about you from their systems.

These tools might not do exactly what you'd expect, though. For example, Facebook has begun rolling out a feature that lets you "disconnect" the data it's collected about your web browsing, but doesn't fully delete it. Instead, it disassociates your name and profile from the data, which anonymizes it. Facebook then combines the data with other people's, allowing it to monitor broader trends.

CCPA still allows companies to use anonymized data. However, the law sets a high bar for separating your identity from the information, with the aim of stopping someone from re-identifying a person from the data.

Facebook has also argued it doesn't need to change many of its practices, because it doesn't sell user data. Because the definition of "sell" is written broadly in the law, privacy advocates have taken issue with this interpretation.

What happens if companies don't follow the law?

Businesses can be fined $2,500 per violation, or $7,500 if the violation is found to be intentional. That could mean big fines if the violations affect large groups of consumers. The California attorney general is in charge of investigating companies suspected of violating the law.

Critics say companies will be able to get away with breaking the law because the attorney general doesn't have the resources to catch every violation. Attorney General Xavier Becerra has said publicly that his office isn't equipped to fully enforce the law. He pushed for an amendment, which failed to pass, that would have let users sue companies directly.

Already, companies' level of compliance with the law appears to vary. Some companies have failed to put in a link that lets users opt out of the sale of their data, and others are arguing they don't "sell" user data under the law, something one of the law's authors says is incorrect.

The law does give Californians the right to sue businesses in one specific instance: if their personal information is lost in a data breach caused by a company's negligence. Legal observers expect this to increase class action lawsuits against companies after they're hit by hackers.

Can I still use free services if I ask them not to collect my data?

Yes. The new law says companies can't turn away users if they opt out of the sale of their data. However, the companies can give you a stripped-down version of their offerings if you go this route.

The point is to prevent companies from charging all users who don't want their data sold. That would leave users who can't afford a subscription in the lurch, forcing them to allow the sale of their data so they can use services we've all come to rely on to communicate and access information.

If companies want to charge users who opt out of the sale of their data, the law says they have to disclose how much a user's data is worth.

I don't live in California. Will this law affect me?

Almost assuredly. While you won't enjoy the right to opt out of the sale of your data or ask companies to delete it, you'll learn more about what companies are collecting about you. The law requires for-profit businesses to describe in their privacy policies the categories of data they collect about users.

What's more, many companies are likely to extend some of these rights to everyone. That way, they won't have to fuss with deciding whether the law applies to you, and they won't risk denying a user their rights under the law by mistake. Microsoft and Mozilla, the maker of the Firefox browser, have already said they're not limiting the new rights to users in California.

Finally, the state of California is often at the forefront of new forms of legislation, including plastic bag bans, animal welfare laws and worker protections. Once California passes a law, other states tend to consider following suit. California is the country's largest market with nearly 40 million residents, and carries a lot of weight.

Nine other states are considering similar laws, and Maine and Nevada have already passed narrower versions of privacy legislation. Maine enacted its law in June 2019, requiring internet service providers to get customer consent before they sell browsing histories and other consumer data. In February 2020, the ISPs sued the Pine Tree State, saying the law singles them out from other companies that sell similar data, and infringes on their First Amendment rights.

How is this different from that other big privacy law, the GDPR?

GDPR applies to companies with users in the European Union, and it regulates how companies can collect the same kind of personal information as CCPA does. However, the European law puts some stricter controls on how companies must approach collecting user data.

First, GDPR requires companies to get consent to collect data or to have some other valid reason for collecting user information. Second, it requires companies to minimize the data collected. CCPA doesn't require companies to go through these steps to collect personal information, so any limits on data collection will be imposed by individual users who make requests to delete and opt out.

I heard there might be a federal privacy law. Where does that stand?

After the California legislature passed CCPA, several major tech companies told federal lawmakers they would like to see one privacy law that covers the whole country. Legislators have submitted several different bills since then, and the Senate Commerce Committee held a hearing on two competing ones in December.

Several aspects of a federal bill are up for debate, including whether consumers should be able to sue companies directly for violations, and how much authority to give regulators who would enforce the law. 

What's more, there's a chance that a federal law could supersede state privacy laws, which could mean any higher standards created by CCPA would be unenforceable. For the time being, however, it's the law.