What you need to know about the CCPA

One huge change coming in 2020 is a new data privacy law called the California Consumer Protection Act, or CCPA. And its effects will be felt far beyond the Golden State.

The CCPA is basically California’s equivalent to the EU’s General Data Protection Regulation, or GDPR. The law, which was signed by Gov. Jerry Brown last year, grants California residents new privacy rights and consumer protections. It goes into effect at the stroke of midnight on Jan. 1, 2020. And, even if you aren’t a resident of California, it could affect you.

What is the CCPA going to do? 

Residents of California will have the right to know what personal data is being collected about them and the right to request that this information be deleted. They will also have the right to know the details of how their data is being used, who the data is sold to or shared with, and they can request that their data not be sold to third parties. In addition, Californians will have the right to request access to their personal data.

In fact, you may have already come across the results of the CCPA in the form of privacy policy update notifications from websites as they prepare for the changes.

“We’ve already seen some differences,” said R. Paul Singh, CMO of Okera, a data security company that works with companies to make sure they are GDPR and CCPA compliant. “Websites already ask you to agree to give permissions to specific things or say [to the company] ‘I don’t want to give you permission to any [of my data].'”

“That is happening and it’s going to happen more,” he continued. 

For the most part, the average California user won’t notice the difference on a daily basis. However, behind the scenes, the law completely changes how companies will treat your data.

If you conduct business with California residents, then the CCPA may affect you too. You don’t even need a physical presence in the state. 

Does your business make more than $25 million in annual gross revenue? Does more than 50 percent of your revenue come from the sale of California residents’ data? Or does it process the personal data of more than 50,000 California residents? If any of those apply to your business, you must be CCPA compliant or face fines.

While the CCPA is a California law and only covers residents of the state, consumers throughout the rest of the United States will likely benefit. 

“I think businesses most likely will just say, ‘Do I really want to worry about one state versus the other?'” says Singh, who believes we’ll see a similar dynamic as we did with GDPR. Most businesses, he believes, won’t want to deal with the hassle and increased overhead of applying one data privacy system to California and one to the rest of the country.

In 2018 when the GDPR came into effect across the EU, some global companies decided it would be easier to roll out new privacy policies everywhere, instead of just in the European Union. 

For example, Pinterest has a form specifically for EU residents to request their data under GDPR. But any user, anywhere in the world, can fill out that form and the company will provide them with their personal data, Pinterest confirmed to Mashable. 

Facebook last year that the company wasn’t going to extend all the EU protections to the rest of its global users. However, the social network did end up voluntarily rolling out many of its GDPR-mandated privacy changes to users around the world.

Not all companies will deal with the CCPA this way, though. 

The popular video app TikTok, for example, says in its privacy policy that it will provide personal data information specifically to California residents who reach out to the company. TikTok’s policy notably only refers to Californians as being entitled to this data.

Facebook seems to be doing the bare minimum to abide by CCPA, at least for now. BuzzFeed reporter Ryan Mac shared how the social network is already making it difficult for users to take advantage of the law’s consumer protections.

Though the GDPR doesn’t technically apply to the U.S., it served as an inspiration for the CCPA. Now, the CCPA is serving as the inspiration to similar consumer privacy protection laws across the country.

“California is a lab where we test a lot of things and then we take it to a few more states and then it becomes national,” Singh said. “New York is going to pass its own law and, last time I checked, about 19 other states we’re doing all these different versions of the same law.”

As for a federal law akin to GDPR, Democrats have introduced similar legislation before. The most recent bill, the Consumer Online Privacy Rights Act (COPRA), was introduced in the Senate just last month. A U.S. federal law would make things much easier for both businesses and consumers by instating one set of data privacy rules for the entire country. However, these bills haven’t gone anywhere due to the partisan political climate.

“As a user, I’d prefer that there was a federal law,” said Singh. “But, unfortunately, I don’t think that’s how our democracy works.”