The California Consumer Privacy Act (CCPA) went into effect on the first day of 2020, a year after the law was passed and signed. There will still be a six-month grace period before any tech companies can be punished for violating the regulations in the law, giving businesses time to adapt to the law and correct any mistakes. However, it will likely be years before the implications of this law can be completely understood and utilized by businesses and regulators.
The CCPA is a state-level law that dictates how businesses can collect user data and what they can do with it. Although the law is only enforceable in California, some companies, like Microsoft (NASDAQ: MSFT), will be adopting the changes nationwide. People in California as well as a portion of the rest of the country will be receiving notifications from their internet programs letting them know about the new regulations and allowing them to decide whether or not they will allow their data to be gathered and sold.
How the law will be enacted is something of a mystery because it is the first of its kind (in the U.S.) and because different businesses gather and use data in different ways. Put simply, the law will require companies to notify users if they intend to monetize their data and provide a clear path to opting out of that monetization.
In more detail, businesses must disclose to users what data they are gathering and why. They also must disclose any third parties that they share user data with. If officially requested by the consumer, companies must delete said consumer's data. Companies also can't retaliate against users who request that their data not be collected by raising prices or changing the level of service. However, companies can offer "financial incentives" to users who allow their data to be collected. If any businesses violate the law, California authorities can impose fines of thousands of dollars per violation.
As the attorney general of California, Xavier Becerra, put it, "Businesses will have to treat that information more like it's information that belongs, is owned by and controlled by the consumer rather than data that, because it's in possession of the company, belongs to the company."
Tech companies are understandably nervous about the new regulations. Many internet-reliant companies came out against the CCPA during its process of becoming law. They have complained about the fact that this is a state law rather than a federal one and have said that, while some regulation is needed, this regulation is not. They are right, in part. A federal law would be easier for companies to comply with, but waiting for regulation on a federal level is merely a stall tactic. Instead of waiting through the lengthy process of establishing a federal law, California went with what they had to protect their own citizens.
There is a lot of uncertainty surrounding the implications and implementation of the CCPA. For instance, some companies may sell data as an integral part of their service, like Indeed, a job search engine. Indeed charges businesses for access to a database of resumes and potential employees' data. So far it seems as though most companies will attempt to give their customers options about their data gathering, but some businesses, like Indeed specifically, will ask users to delete their account if they opt out of the data gathering and monetization. This issue is so complex that companies are avoiding talking about it. OneTrust, a privacy management software service, has been working with over 4,000 different companies to prepare them for the CCPA. Kabir Barday, chief executive of OneTrust, explained part of the reason why the path moving forward is so unclear: "Companies have different interpretations, and depending on which lawyer they are using, they're going to get different advice... I'll call it a religious war."