California's much-debated privacy law officially takes effect today, a year and a half after it was passed and signed — but it'll be six more months before you see the hammer drop on any scofflaw tech companies that sell your personal data without your permission.
The California Consumer Privacy Act, or CCPA, is a state-level law that requires, among other things, that companies notify users of the intent to monetize their data, and give them a straightforward means of opting out of said monetization.
Here's a top-level summary of some of its basic tenets:
- Businesses must disclose what information they collect, what business purpose they do so for and any third parties with whom they share that data.
- Businesses will be required to comply with official consumer requests to delete that data.
- Consumers can opt out of their data being sold, and businesses can’t retaliate by changing the price or level of service.
- Businesses can, however, offer “financial incentives” for being allowed to collect data.
- California authorities are empowered to fine companies for violations.
The law is described in considerably more detail here, but the truth is that it will probably take years before its implications for businesses and regulators are completely understood and brought to bear. In the meantime, the industries that will be most immediately and obviously affected are panicking.
A who's-who of internet-reliant businesses has publicly opposed the CCPA. While they have been careful to avoid saying such regulation is unnecessary, they have said that this regulation is unnecessary. What we need, they say, is a federal law.
That's true as far as it goes — it would protect more people and there would be less paperwork for companies that now must adapt their privacy policies and reporting to CCPA's requirements. But the call for federal regulation is transparently a stall tactic, and an adequate bill at that level would likely take a year or more of intensive work even at the best of times, let alone during an election year while the president is being impeached.
So California wisely went ahead and established protections for its own residents, though as a consequence it will have aroused the ire of many companies based there.
A six-month grace period follows today's official activation of the CCPA; this is a normal and necessary part of breaking in such a law, when honest mistakes can go unpunished and the inevitable bugs in the system can be squelched.
But starting in June, offenses will be assessed with fines at the scale of thousands of dollars per violation, something that adds up quickly at the scales companies like Google and Facebook work in.
Adapting to the CCPA will be difficult, but as the establishment of GDPR in Europe has shown, it's far from impossible, and, at any rate, the former's requirements are considerably less stringent. Still, if your company isn't already working on getting in compliance, better get started.