The California Consumer Privacy Act (CCPA) expands the rights of Californians over their data. Starting in 2020, Californians have the right to know what personal information is being collected, access it, see with whom their data is being shared, and opt-out of the sale of that data.

You might have heard of this new law in the news or in emails from companies making changes in order to comply with CCPA. It’s a step towards greater privacy, but the devil is in the details.

CCPA is no panacea for the colossal problems caused by data collection, and Mozilla will continue to support stronger consumer protections and build products that respect your privacy.

We are proud to say that Firefox didn’t have to change much to meet CCPA’s protections. We are in the business of staying out of your business. We tell you how with the Firefox Personal Data Promise, which is a guarantee to take less of your data, keep it safe, and have no secrets about what we do with it. It’s your data, after all.

Below you can find more information on how CCPA might impact your rights.



What does CCPA do?

It gives Californians more ownership and control over their personal information. They can request their data and delete it if they want. They can also request that their data not be sold to third parties. Parents now must consent to companies sharing data collected on children under 13. It allows the state to investigate and enforce these rights, as well as allowing Californian consumers to sue.

Just Californians?

Technically yes, but because so many businesses do business in the state, they will likely make changes that impact people everywhere. Many U.S states are considering legislation of their own. Changes we are making in the browser will apply to every Firefox user, not just those in California.

Can you give an example of how it works?

Sure. Say you want to see what Facebook knows about you. You can ask Facebook to hand over your data and you can choose what to do with it. They must comply by law. So must any other company meeting the law’s thresholds.

Which businesses does CCPA affect?

This is a little nerdy, but it’s good info to know. CCPA defines a business as a for-profit entity that collects consumer personal data. Businesses meeting these thresholds must:

earn $25,000,000 or more a year in revenue

annually buy, receive, sell or share personal information of 50,000 or more consumers, households or devices for commercial purposes

derive 50% or more of its annual revenue from selling consumer personal information.

And if they don’t comply?

Citizens will have the ability to sue companies that do not comply. The State of California can also bring these charges, charging a $7,500 fine for per infraction not addressed within 30 days.

How is CCPA different than GDPR?

The European General Data Protection Regulation (GDPR) was a model for CCPA. Many of the biggest companies that took action to comply with GDPR were ready for CCPA. But smaller companies that largely do business in California may not have been ready and will now have to take action. The fines imposed by CCPA are different and could have profound implications for companies not in compliance.

What about children?

Businesses will also be prohibited from selling the personal information of consumers ages 13–16 (unless the teen opts-in). For children under the age of 13, consent for a sale is required from a parent or guardian, effectively enhancing protections of the federal Children’s Online Privacy Protection Act (“COPPA”) that currently governs the collection and processing of children’s data.

Is there more work to do?

There always is. CCPA is a sign of progress, but there is much to be done. We know that personal data is used by companies to improve their products. But they don’t need to include so much of your personal info. Firefox only collects the data that serves you, and we are transparent about what we collect and why. You’ll always know where you stand with us.

Want to learn more?

Listen to IRL with Manoush Zomorodi to learn how privacy laws are created. Gabriela Zanfir-Fortuna gives highlights of Europe’s sweeping GDPR privacy law, and explains how the law netted a huge fine against Spain’s National Football League. Twitter’s Data Protection Officer, Damien Kieran explains how regulation has shaped his new job and is changing how Twitter works with our personal data. Julie Brill at Microsoft says the company wants legislators to go further, and bring a federal privacy law to the U.S. And Manoush chats with Alastair MacTaggart, the California resident whose work led to the passing of the California Consumer Privacy Act.