A landmark privacy rights bill took effect Jan. 1, 2020 in California and will have broad implications for U.S. consumers and businesses. The California Consumer Privacy Act (CCPA) mandates strict requirements for companies to notify users about how their user data will be used and monetized along with giving them straightforward tools for opting out.
While the bill officially took effect Jan. 1, it will likely take months before CCPA is enforced. The California attorney general, Xavier Becerra, said the law won’t begin to be enforced until July 1, 2020. It will take that amount of time for regulators to sort out the implications of the new law and how it will be enforced.
The CCPA had the backing of Microsoft and other industry leaders. But not everyone is so enthusiastic about the law. Critics argue a federal privacy law that provides consistent guidelines would be preferred, rather than individual state laws, which will require more investment in compliance on their part.
Specifically, CCPA applies to companies that have at least $25 million in revenue and make half their money selling data or gathers information on at least 50,000 consumers.
More specifically, the CCPA bill requires that companies disclose to California consumers the information they collect, why they collect it and what third parties they share it with. They must also honor consumer requests to have their data deleted. Additionally, the law bans companies from offering a higher tier of service for one user who agrees to divulge more personal information versus a consumer who only agrees to share limited data with a service.
Companies that violate the CCPA, or don’t fix violations within 30 days of being notified, face fines up to $7,500 for each violation. The CCPA was signed into law in June 2018.
The law is designed to thwart incidents similar to the Cambridge Analytica scandal and incidents such as when DNA-based genealogy firm 23andMe gave pharmaceutical company GlaxoSmithKline access to anonymized data from millions of customers.