The California Consumer Privacy Act (CCPA) aims to protect user data. Does it?

Privacy news
3 mins
An outline of California in a golden padlock.

NOTE: This post was originally published on August 8, 2018

It’s a big bill that’s gotten very little attention.

California lawmakers recently passed what could end up being the single most comprehensive data privacy bill in the U.S. On June 28, Governor Jerry Brown signed a law that aims to completely reform how businesses collect and share user data in California.

The California Consumer Privacy Act of 2018 (CCPA) is the direct result of vocal opposition to the recent privacy scandals around the country, and it’s about to turn the whole data-mining industry on its head.

How the new California privacy law works

Under the CCPA, California residents have more control over their online information and how it’s shared. Similar to how Europe’s General Data Protection Regulation (GDPR) works, the law grants Californians more power over their personal data and the right to be forgotten.

While the law is still open to amendments, some of the biggest protections given to consumers include:

  • The right to know what personal information is being collected, for what purposes, and which third parties said data is being shared with.
  • The ability to “opt out” of data-mining practices if consumers don’t want their information shared. Businesses can’t overcharge or “punish” customers for doing so, but they can still offer incentives to consumers who choose to have their information collected.
  • The option to ask businesses to delete customer data: Businesses will be held to a higher standard of alerting customers and taking appropriate action in the event of a data breach.

You can read the CCPA in its entirety here.

The problem with ‘personal information’

While the changes may sound great on paper, putting them into practice may prove more challenging. One potential flaw in the legislation lies in its broad definition of personal information. The CCPA casts an extremely wide net on which information is covered. At the time of publication, this includes geolocation data, biometric identifiers, browsing history, and more.

Another foreseeable problem lies in how this type of information will be regulated. While the act grants local law enforcement the ability to “punish” businesses that aren’t in compliance, it only applies to California residents. Naturally, this creates a conundrum when it comes to the digital space, where most sites and networks consist of a hodgepodge of users from around the world.

For proof, look no further than Europe’s GDPR, where companies are struggling to keep up with the various, and sometimes counteracting, rules and regulations for multiple countries.

How the CCPA came to be

Unlike some other states, California allows the public to propose ballot measures to change the law by statewide vote. In fact, it was only because of growing unrest and anger from the California populace that the CCPA ever came into existence.

The bill traces back to the California-based real-estate developer Alastair Mactaggart, who single-handedly funded an awareness campaign that emphasized the importance of data privacy.

Mactaggart’s initiative proposed drastic legislation that would have severely limited how businesses saved, shared, and profited off user data. Naturally, Silicon Valley fought tooth and nail to prevent his campaign from gaining traction, but the initiative was so popular that it soon found itself nestled on the ballot for November.

Hot on the heels of numerous privacy scandals (we’re looking at you, Zuckerberg), California lawmakers faced a decision: either endorse the ballot measure or craft a slightly watered-down version of their own.

Perhaps taking a cue from Europe’s recent data laws, the State Legislature had no choice but to draft what would soon become the California Consumer Privacy Act of 2018.

In California we trust?

With the act now signed into law, the most significant questions are whether the rest of the U.S. will soon follow suit and how companies like Facebook and Twitter—or, more important, ISPs like Comcast and Verizon—will comply with the fragmented rules and regulations for different U.S. states.

At a time when user privacy is at an all-time low, and net neutrality is clutching to hold on to any seemingly coherent resemblance to the internet of yore, the CCPA could end up being a massive thorn in many businesses’ sides.

As the law is set to go into effect January 1, 2020, companies have two years to prepare for it; whether they’ll use that time to adapt or to keep fighting its provisions is yet to be seen.

Regardless of how the law ends up taking shape, you can take control over your personal information and flex your right to remain anonymous with ExpressVPN.