You may have heard from a lot of businesses telling you that they’ve updated their privacy policies because of a new law called the California Consumer Privacy Act. But what’s actually changed for you?
EFF has spent the past year defending this law in the California legislature, but we realize that not everyone has been following it as closely as we have. So here are answers to ten frequently asked questions we’ve heard about the CCPA.
What is the California Consumer Privacy Act?
In a nutshell, the California Consumer Privacy Act (or CCPA) grants Californians three basic rights when it comes to their relationship with businesses: the right to know what information companies have about you, the right to delete that information, and the right to tell companies not to sell your information.
What does that actually mean for me?
Practically speaking, this means that, if you ask, a business must tell you the specific pieces of information they have about you, and the categories of companies they’ve disclosed it to and obtained it from. If you ask them to delete the information they have on you, they have to do it, subject to certain exceptions, such as specific security threats or when deletion would interfere with another consumer’s free speech. And if you ask them to stop selling your information, they have to listen. If they don’t comply with these requests, they can be fined by the California Attorney General.
Companies also generally cannot discriminate against you for exercising your rights. They’re not allowed to charge you more money or give you a worse version of their service if you choose a more private option.
How much does the CCPA do for my privacy?
The CCPA is an important first step towards a comprehensive consumer data privacy law. We have little visibility into what information companies collect and how they pass it to other companies, but they use this information in ways that concretely affect our lives. Profiles based on digital surveillance of our lives are used to set insurance rates, make mortgage decisions, or even give companies we don’t know insight into our everyday movements. The CCPA lets us shine much-needed light into that system. And crucially, opting out of the sale of data, or deleting it, gives people some control over how their information is passed to other companies.
The CCPA alone is not going to fix everything that’s wrong with how companies abuse our privacy. But it’s an important start.
What kind of information does this cover? Is it everything from every business?
Companies collect a lot of information about us that isn’t already available to the general public and reveals a lot about us, including where we go, who we associate with, and what our interests are. The CCPA makes sure that everyone can have more control over any information that companies have about them that could be reasonably used to identify them.
But not every business is covered by the law. The CCPA doesn’t apply to smaller companies that aren’t in the business of making money off your personal information. A company isn’t covered if it generates less than $25 million per year in revenue, collects information on fewer than 50,000 consumers each year, or derives less than 50 percent of its annual revenue from data.
How are companies supposed to be allowing me to make requests?
To comply with the law, companies are required to offer their customers two ways to contact a business to make requests. Businesses have to point to where people can make those requests in their privacy policy or on their website. Once a company receives a request, and verifies it, they have to respond in 45 days—though they can get an extension if they need one. They also can’t charge you for a reasonable request, and generally have to give you the information in a format that your computer could actually read.
What does that look like in practice?
This is where we get to all of those emails. Companies are putting this information in their privacy policies, and sending notice about those changes to you in the form of an email. Companies that do business online should have the information on how to make your request somewhere on their website.
The CCPA applies to companies that do business offline as well as online, if they are collecting personal information. So, if a store or restaurant fits the bill, they’ll have to let you know about it with a physical notice, such as a sign.
When does this law go into effect?
The CCPA is in effect as of January 1. That means that Californians can make requests, and that companies must pay attention to them.
The California Attorney General’s office is working on regulations about how companies must comply with the CCPA. It will issue these regulations on July 1, after which it will begin enforcing the law.
Why haven’t you made an automated tool for making requests?
We are pushing for ways to make it easier for consumers to use existing tools, such as Do Not Track headers, that let people communicate their preferences to all online businesses with a single setting. And we’re also advocating for laws that would require companies to come to you to request consent before they start to collect your information.
I don’t live in California. Does this affect me?
The CCPA only applies to consumers who live in California. But some companies, such as Microsoft, are applying the standards set by the CCPA to all of their customers.
We’re also already seeing other states look to California’s progress as a spur to introduce legislation in their own states.
You said CCPA is an important first step. What’s next?
EFF will not stop fighting to strengthen consumer privacy across the country. That includes working with the California Attorney General’s office and legislators to continue defending the CCPA, and working to pass strong consumer privacy laws across the country.