[BreachExchange] CCPA: Everything you need to know about California's new privacy law

Destry Winant destry at riskbasedsecurity.com
Thu Dec 26 10:05:55 EST 2019


The most sweeping data-privacy law in the country kicks in Jan. 1. The
CCPA, short for the California Consumer Privacy Act, gives residents
of the Golden State the right to learn what data companies collect
about them. It also lets Californians ask companies to delete their
data and not to sell it.

The full impact of these new rights isn't entirely clear because the
regulations used to enforce the law are still being finalized. Still,
companies inside and outside California are already scrambling to
become compliant so that they can continue to do business in the
country's most populous state.

Nearly two years in the making, CCPA has prompted other states to
consider their own privacy laws, some of which have already passed.
The law is often compared to the European Union's General Data
Protection Regulation, currently the benchmark for online privacy.

Here's what you need to know about CCPA and how it will affect you.

Is this law a big deal?

Yes. Before it went into effect, companies weren't legally required to
tell you what data they'd collected and you had little say over what
they did with it. Now, if you live in California, you'll be able to
ask them to delete it or refrain from selling it.

What personal data does this cover?

CCPA covers all the stuff you might expect: your name, username,
password, phone number and physical address. It also includes
information used by companies to track your online behavior, such as
IP addresses and device identifiers.

The law also covers information that can be used to characterize you,
like race, religion, marital status, sexual orientation and status as
a member of the military or veteran. It also covers biometric
information like fingerprints or facial recognition data, your
browsing history and location information.

Data found in public government documents is excluded, so companies
can still learn if you're married, for example. However, they have to
collect that data directly from government records, not from other
sources such as your social media accounts.

Can I tell Facebook and Google to get rid of my data now?

Yes. In fact, some major tech companies, including Facebook and
Google, already let you delete some or all of their data about you
from their systems.

These tools might not do exactly what you'd expect, though. For
example, Facebook has begun rolling out a feature that lets you
"disconnect" the data it's collected about your web browsing, but it
doesn't fully delete that data. Instead, it disassociates your name and
profile from the data, which anonymizes it. Facebook then combines the
data with other people's, allowing it to monitor broader trends.

CCPA still allows companies to use anonymized data. However, the law
sets a high bar for separating your identity from the information,
with the aim of stopping someone from re-identifying a person from the

What happens if companies don't follow the law?

Businesses can be fined $2,500 per violation, or $7,500 if the
violation is found to be intentional. That could mean big fines if the
violations affect large groups of consumers. The California Attorney
General is in charge of investigating companies suspected of violating
the law.

Critics say companies will be able to get away with breaking the law
because the attorney general doesn't have the resources to catch every
violation. Xavier Becerra, the AG, has said publicly that his office
isn't equipped to fully enforce the law. He pushed for the passage of
an amendment, which failed to pass, that would have let users sue
companies directly.

The law gives Californians the right to sue businesses in one specific
instance: if their personal information is lost in a data breach
caused by a company's negligence. Legal observers expect this to
increase class action lawsuits against companies after they're hit by

Can I still use free services if I ask them not to collect my data?

Yes. The new law says companies can't turn away users if they opt out
of the sale of their data. However, the companies can give you a
stripped-down version of their offerings if you go this route.

The point is to prevent companies from charging all users who don't
want their data sold. That would leave users who can't afford a
subscription in the lurch, forcing them to allow the sale of their
data so they can use services we've all come to rely on to communicate
and access information.

If companies want to charge users who opt out of the sale of their
data, the law says they have to disclose how much a user's data is

I don't live in California. Will this law affect me?

Almost assuredly. While you won't enjoy the right to opt out of the
sale of your data or ask companies to delete it, you'll learn more
about what companies are collecting about you. The law requires
for-profit businesses to describe in their privacy policies the
categories of data they collect about users.

Many companies are likely to extend some of these rights to everyone.
That way, they won't have to fuss with deciding whether the law
applies to you, and they won't risk denying a user their rights under
the law by mistake.

Finally, the state of California is often at the forefront of new
forms of legislation, including plastic bag bans, animal welfare laws
and worker protections. Once California passes a law, other states
tend to consider following suit. California is the country's largest
market with nearly 40 million residents, and carries a lot of weight.
Already, nine other states are considering similar laws, and Maine and
Nevada have already passed narrower versions of privacy legislation.

How is this different from that other big privacy law, the GDPR?

GDPR applies to companies with users in the European Union, and it
regulates how companies can collect the same kind of personal
information as CCPA does. However, the European law puts some stricter
controls on how companies must approach collecting user data.

First, GDPR requires companies to get consent to collect data or to
have some other valid reason for collecting user information.
Secondly, it requires companies to minimize the data collected. CCPA
doesn't require companies to go through these steps to collect
personal information, so any limits on data collection will be imposed
by individual users who make requests to delete and opt out.

I heard there might be a federal privacy law. Where does that stand?

After the California legislature passed CCPA, several major tech
companies told federal lawmakers they would like to see one privacy
law that covers the whole country. Legislators have submitted several
different laws since then, and the Senate Commerce Committee held a
hearing on two competing bills in December.

Several aspects of a federal bill are up for debate, including whether
consumers should be able to sue companies directly for violations, and
how much authority to give regulators who would enforce the law.

What's more, there's a chance that a federal law could supersede state
privacy laws, which could mean any higher standards created by CCPA
would be unenforceable. For the time being, however, it's the law.
