What You Need To Know About California's Sweeping New Data Privacy Law

The California Consumer Privacy Act is attempting to rewrite the rules of the internet.

One of the country’s most groundbreaking privacy laws in decades will go into effect in California on Wednesday, the first day of 2020.

Though the sweeping legislation technically only applies in California, it’s already setting off waves across the rest of the U.S. as tech giants are forced to change how they handle customer data in the nation’s most populous state.

Here’s what you need to know about the California Consumer Privacy Act:

The Basics Of The Law

The CCPA will reshape how companies collect, use and share the information they gather about their customers in California.

Under the law, companies will be required to tell customers what information they’re collecting about them, either before or during the collection, and to give users an overview of the types of businesses they share that data with. If a customer asks to see a list of those third parties, the company must provide it. Also upon a customer’s request, the company must reveal the types of personal data it has on the customer.

California customers will be able to revoke a company’s rights to share any of their personal information with third parties. And the company won’t be allowed to penalize them by charging them more for services or by offering perks to those who don’t opt out of data-sharing.

What Companies Are Covered And When

Though it goes into effect on Jan. 1, California won’t start to enforce the law until July.

It will apply to companies doing business in California that collect and sell consumers’ data and personal information. The law covers enterprises that have annual revenue of at least $25 million or possess the data of more than 50,000 users or earn more than half their annual revenue from selling their consumers’ information.

Map apps, like Google's iconic version, can gather information about your location.
Map apps, like Google's iconic version, can gather information about your location.
Andrei Stanescu via Getty Images

That includes Facebook, Amazon, Google, Apple and essentially any other major company you give your personal information to.

Those who fall under the law must put a button that reads “Do Not Sell My Personal Information” on their website’s homepage. If a person clicks on it, the company will be barred from sending that person’s data to third parties.

Why It’s A Big Deal

The data-sharing practices outlined in the CCPA have been wildly unregulated in the U.S., where there is no comprehensive federal data privacy law.

When the new statute goes into effect, Californians will regain some control over the vast array of personal data companies keep on them: names, aliases, race, gender, addresses, Social Security numbers, driver’s license and passport numbers, property records, and educational and professional histories.

But the personal information companies gather and sell goes deeper than that. Customers end up revealing ― perhaps unwittingly ― their geolocation, internet browsing history, purchasing tendencies, religious and political beliefs, and health biometrics.

It’s unlikely that this kind of legislation will be limited to California. Lawmakers in nearly 20 other states are currently considering privacy legislation, with many of the proposals modeled directly on the CCPA. Washington state legislators proposed a bill in 2019 that was in some ways even tougher than the CCPA. While it was sidelined this year, it may be introduced again in 2020.

What Companies Do With Your Data

The Cambridge Analytica scandal ― in which that firm used a loophole in Facebook’s interface to sell the data of anyone who used a quiz app and that of all their friends to President Donald Trump’s 2016 campaign ― put the data-selling industry in the spotlight, but it’s far from the only incident.

Facebook CEO Mark Zuckerberg contends that his company doesn't sell user data and that it should be exempt from the new law.
Facebook CEO Mark Zuckerberg contends that his company doesn't sell user data and that it should be exempt from the new law.
Anadolu Agency via Getty Images

Essentially anyone who uses a smartphone app that tracks their location ― a map or weather app, for example ― can be tracked by a third party that buys their data. In an experiment reported last week, The New York Times easily followed the locations of military officials with security clearances, law enforcement officers and high-powered lawyers.

More commonly, a retailer that buys your data, likely though a data-selling agency, can use your location to send you ads on social media when you’re near their storefront. In 2016, Rewire News found that conservative groups had purchased location data from Copley Advertising to track when women had entered abortion clinics so they could send them anti-abortion ads.

Data collection is big business for insurance companies too. As ProPublica reported last year, they use your internet history ― buying plus-size clothing, posting about a stressful divorce or spending time in a high-crime area ― to determine whether to raise your rates.

And these examples are just the tip of the iceberg.

Expect Legal Battles

Data-selling is an enormous source of revenue for many companies ― especially those like Facebook that draw consumers in by offering their signature service for free ― so it’s no surprise that some aren’t eager to comply with the CCPA.

Facebook founder and CEO Mark Zuckerberg has already made a confusing, roundabout argument that what his company does with users’ data doesn’t constitute “selling” and that it should be exempt from the CCPA, The Wall Street Journal reported earlier this month.

Other companies are going in the opposite direction. Last month, Microsoft vowed to apply the CCPA’s rules to all of its users in the U.S., not just those in California. The possibility that other companies will decide it’s easier to offer new privacy options to all their customers is another reason this is a big deal.