Here Comes America’s First Privacy Law: What the CCPA Means for Business and Consumers
Friday, Sept. 13, marks the end of California's legislative calendar and, with it, the last opportunity for the tech industry to halt the California Consumer Protection Act (CCPA), a landmark privacy law set to go in effect next year. Despite a major lobbying push by Silicon Valley, the effort has fallen short, which means come the new year, Californians—and all Americans, really—will begin enjoying a broad new set of privacy rights.
On Jan. 1, the landmark data law will into effect, subjecting U.S. businesses to a sea change of privacy regulations. After that date, Americans will be able to demand that companies disclose what personal data they have collected about them, and also ask companies to delete that data. The law will severely impact tech giants like Google and Facebook, as well as retailers like Macy's and Walmart.
The passing of the Sept. 13 deadline also means the end of an era in which the U.S. defied a shift in global privacy norms, and allowed American companies to commodify consumer data. This has contributed to a series of data catastrophes—from the massive Equifax breach to Facebook's Cambridge Analytica scandal—and left many Americans feeling powerless to protect themselves.
In interviews with Fortune, those familiar with the law—including attorneys, activists and industry executives—all predicted the new rules will have significant effects on U.S. business and on privacy norms. There remains, however, considerable confusion over how the law will be enforced, and how much of a burden it will be to U.S. companies. What follows is a plain English explanation of the law, the politics surrounding it, and how it will affect businesses and consumers.
What is CCPA and why is it such a big deal?
The CCPA will allow consumers to force companies to tell them what personal information they have collected. It also lets consumers force companies to delete that data or to forbid them from sharing it with third parties. Meanwhile, companies will have to do more to tell consumers upfront about what data they collect. (Here is a summary of the "five new rights" over your personal data).
This is big because, until now, companies could largely do what they pleased with consumer data. In the event they got hacked (like Equifax or Target) or did something really sneaky with the data (like Facebook and third party marketers), a regulator might step in after the fact to punish the companies. But there was little consumers could do ahead of time. Now, it's a whole new ball game, as Americans will enjoy protections similar to what Europeans get through the privacy law known as GDPR.
In practice, this means consumers will be able to ask anyone from Google to Starbucks to disclose what data they are collecting, simply by using a website or phone number. Those companies will also have to put a “Do Not Sell My Personal Information" button on their websites, and delete the data if a consumer asks them to do so. Finally, business won't be able to refuse services or charge higher prices if a consumer exercises these rights.
Why am I just hearing about the CCPA now?
Even though the data privacy law was signed more than a year ago, many people expected the business lobby—especially Big Tech—to kill or neutralize it before the CCPA goes into effect in January 2020. These people predicted Silicon Valley would persuade Congress to write a federal law that overrode the the CCPA, or at least convince Sacramento legislatures to exempt the tech industry. That hasn't happened.
As Bloomberg reports, the tech industry made a last ditch push to water down the bill this month, but the effort came up short. The deadline for submitting amendments passed last Friday, and the only proposed changes to arrive were minor ones. The bottom line: the CCPA is almost certain to go into effect in January.
Doesn't the CCPA only apply to California?
Technically, yes. It's a state law that applies to companies that do business in California. But since the data privacy law covers out-of-state merchants who sell to Californians—or even display a website in the state—the reality is that companies will comply will the CCPA, rather than step away from the world's fifth largest economy. And rather than create separate systems, lawyers are in consensus that companies will just apply the CCPA nationwide—especially in light of larger societal trends in favor of privacy.
"In effect, it's a national law," says Jeffrey Neuberger, a privacy expert at the law firm Proskauer. "Are companies going to out and use a different standard for customers in California and New York? No."
Does every company have to implement California's data privacy law?
No, the CCPA applies only to large companies or those that make the sale of data a core part of their business. More specifically, there are the three types of businesses that are covered: companies with more than $25 million in gross revenue, businesses with data on more than 50,000 consumers, and firms that make more than 50% of their revenue selling consumer data (ie data brokers).
So what sort of data can consumers request and delete?
These days, companies have so much more than just your name, address, and email. Thanks to apps and websites that track what we buy and where we go, many have assembled detailed profiles that describe exactly who consumers are.
The CCPA has a non-exhaustive list of "personal data" that a company must disclose—and delete upon request. The list includes: biometrics, internet browsing information, products purchased or considered for purchase, geolocation data, academic and employment information and inferences drawn to create a profile about the individual to reflect preferences.
What does CCPA compliance mean for businesses?
A big headache mostly. While companies have faced similar obligations to comply with Europe's GDPR law, CCPA compliance will mean updating their U.S. privacy policies and a whole lot of other work—including trying to figure out what data they have on customers in the first place.
"It's going to be expensive, distracting, and time-consuming," says Neuberger. "It will require a re-engineering on how people process data."
In the case of companies like Facebook and Google, which rely on parsing personal data to sell targeted advertising, CCPA compliance could pose a serious threat to their business model, if millions of people demand to see and delete the data they hold. The disclosures could also call attention to the breadth of information tech firms collect, and add more grist to the current political backlash against Silicon Valley. While the tech giants haven't commented on the CCPA directly, they have expressed their displeasure through a trade group.
"The politics around the CCPA unfortunately overwhelmed sensible policy discussions and prevented this historic law from being the best privacy law it could be," Internet Association Director Kevin McKinley tells Fortune.
Smaller companies have compliance concerns of their own. For example, the owner of a minor baseball team in Sacramento with email addresses for 100,000 customers told the Wall Street Journal he is worried about being falsely accused of storing information he doesn't have. Some firms have said they are worried about how to compile disparate customer data in one place, and others fret over crooks using the CCPA disclosure rules to fraudulently obtain personal info about other people. Finally, the CCPA compliance could make it harder for new companies to build businesses.
"If you restrict data flows, it will protect privacy but it will have costs on what startups can enter the market," says Alysa Hutnik, a lawyer who has written extensively about the CCPA for the firm Kelley Drye.
What happens if a company doesn't comply with the CCPA?
That's the million dollar question. While data privacy advocates praise the law's aims, many wonder how it will be enforced. The CCPA calls for penalties of up to $7,500 for intentional violations but relies on the California's Attorney General to enforce this. Meanwhile, individual consumers can sue for $100 to $750 in the event a company is careless and gets hacked. The CCPA also contains, however, a controversial "cure" provision that lets a company off the hook, if they take steps to fix the data violation.
Critics say that, in practice, the California AG doesn't have the resources to police such a wide-ranging law, and that companies will rely on the "cure" provision if they're caught out of compliance. Meanwhile, class action lawyers—who typically take the lead in privacy cases—may be reluctant to bring CCPA cases, in part because of the "cure" rule.
"Our view is that this is a disaster of a law, because it scares the bejesus out of businesses and costs them a ton of money in compliance," says Jay Edelson, who runs one of the country's most prominent privacy class action firms. "But to us it’s totally toothless."
Hutnik of Kelley Drye, however, predicts plaintiffs' lawyers will find creative ways to bring class action lawsuits all the same. She says this could include cases based on false advertising or unfair trade practices.
What everyone does agree on for now is that the enforcement part of the law is confusing, and that it will fall to judges to provide guidance on how it should work in practice.
Will the CCPA actually make a difference for American's data privacy?
Yes. Despite concerns by Edelson and others that the CCPA will be too hard to enforce, thousands of companies are already making changes to their data policies. And come January, consumers will for the first time be able to see just what companies are collecting—and ask them to delete it.
The CCPA is also likely to spur Congress into enacting a federal version of the data privacy law. In the past, privacy advocates feared the tech industry would use a federal law to water down the California version. But today the political mood has changed, says Hutnik, who adds that lawmakers from California—including House Speaker Nancy Pelosi—will block anything that weakens the CCPA.
More broadly, the new law is going to change how companies view data in the first place. In the past, firms adopted a "data is gold" mentality and made an effort to collect as much personal information as possible, but that is now changing, says Hayley Tsukayama, an activist with the Electronic Frontier Foundation.
"My hope is the law will make companies think more carefully about what they collect, and how they retain it," she said.
More must-read stories from Fortune:
—From iPhone 11 to Apple Arcade, everything that was announced at the Apple event
—Google bans ads for unproven medical treatments. Critics ask: What took so long?
—Apple admits breaking Chinese labor laws in the world's largest iPhone factory
—Jingles all the way: Sonic branding is helping voice computing companies get heard
—In breakthrough, company uses quantum physics to protect data over telecom networks
Catch up with Data Sheet, Fortune's daily digest on the business of tech.