The California Consumer Privacy Act, or CCPA, goes into effect Jan. 1 and will give citizens of the Golden State the power to access the personal information that companies collect about them and stop it from being sold to third parties. (If companies do sell the data, users will not be able to sue). And if a company fails to implement reasonable security practices, and a consumer's data is breached, they’ll be allowed to sue those companies.
It is the first consumer privacy act in the country.
The scope of the law is not necessarily limited to businesses based in California: It will apply to any business that earns more than $25 million in gross revenue, that collects data on more than 50,000 people or makes at least half of its annual revenue from selling users’ personal information, according to the National Law Review. Companies that don't fix violations within 30 days of being notified can be fined up to $7,500 for each violation.
Although the tech industry tried to seriously dilute the law — organizations like the Internet Association and the California Chamber of Commerce backed a number of bills that would have weakened the CCPA’s reach — the state legislature passed it with minor changes in June 2018.
Since then, a group of 51 CEOs, including Amazon’s Jeff Bezos, Goldman Sachs’ David Solomon and IBM’s Ginni Rometty, have called on Congress to pass an overarching federal law protecting users’ data. The industry group the Internet Association, which extensively lobbied against the CCPA, has also pushed for a federal privacy law.
However, proponents of the California bill argue that it’s a way for the industry to push for a weaker statute, nullifying some of the more stringent aspects of the CCPA.
“Don’t let this post-Cambridge Analytica ‘mea culpa’ fool you into believing these companies have consumers’ best interests in mind,” the American Civil Liberties Union’s Neema Singh Guliani wrote last year shortly after the bill was signed into law. “This seeming willingness to subject themselves to federal regulation is, in fact, an effort to enlist the Trump administration and Congress in companies’ efforts to weaken state-level consumer privacy protections,” she wrote.