Last year, California passed a landmark privacy law that gives consumers more control over their data. The legislation gives residents unprecedented rights to control what information companies collect on them and how it is used.
The California Consumer Privacy Act will go into action 1 January 2020, giving residents of the state a whole new arsenal of tools to protect their data and personal information online – and saddling businesses with a lot more responsibility.
Here is everything you need to know about California’s “groundbreaking” new privacy law.
What is the law?
The California Consumer Privacy Act, passed in 2018, is the “most comprehensive” privacy legislation to be enacted in the United States to date, according to the American Bar Association.
Under the new regulations, California residents will be able to demand companies to disclose what information is collected on them and request a copy of that information.
Companies will be forced to delete consumers’ data upon request and they’ll be prohibited from selling information if the customer instructs them to via a mandatory “do not sell” link on the company’s website.
Consumers will also have the right to “receive equal service and price whether or not they exercise their privacy rights” or in other words, companies won’t be able to treat a user differently because they have requested their data.
When does it go into effect?
The law is effective on 1 January – meaning consumers can submit requests for their data starting on that date. The California attorney general’s office will not take any enforcement action against companies that do not comply until 1 July 2020.
What businesses does it affect?
Businesses will be required to comply with the new regulations if they have an annual gross revenue in excess of $25m, derive 50% or more of their annual revenue from selling consumers’ personal information, or annually buy, receive, sell, or share the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
That means at least 500,000 businesses will be required to comply with the new law, according to the not-for-profit the International Association of Privacy.
Who else does it affect?
Consumers in California will be most directly affected by the new law. However, even people who not live in California may see ripple effects, said Pete Yared, the founder and chief executive officer of data management company InCountry.
“There are similar laws manifesting all over the world so increasingly companies are set up to receive and process these kinds of requests for data,” he said.
I live in California – how can I get my own data?
Consumers can receive a copy of their data by sending “a verifiable consumer request” to a business. The company is then required to comply with the request within 45 days of receipt. In some cases, companies can extend this time period for a maximum of 90 days total.
Consumers may only make a request for information twice a year, and only for a 12-month look-back period.
What happens if a company doesn’t give me my data?
Companies may face fines of $2,500 to $7,500 per violation of the new law, if the violation is deemed intentional. However, the CCPA also grants businesses a 30-day period to address a violation after receipt of a consumer’s request. The law is enforced by the California attorney general.