Fittingly for the start to a new decade, California decided to go big with its 2020 New Year’s resolution. Today, the California Consumer Privacy Act goes into effect. Passed unanimously in June 2018, it’s the first law in the US to set up a comprehensive set of rules around consumer data, akin to the European Union’s General Data Protection Regulation, or GDPR. Industry and privacy advocates have been fighting over the fine print ever since.

Now the law is officially on the books in the biggest state in the union and the world’s fifth-largest economy. For the average internet user in California, life will not be radically different. But as the mechanisms of the law get finalized, and depending on how it’s enforced, its impact could go a long way to determining whether the 2020s become the decade when the US started taking privacy seriously.

New Year, New Rights

The CCPA applies to any company that operates in California and either makes at least $25 million in annual revenue, gathers data on more than 50,000 users, or makes more than half its money off of user data. For California residents, it creates a handful of new rights over their data. The most significant categories are what Alastair Mactaggart, the California real estate magnate behind the ballot initiative that led to the law being passed, calls “the right to know” and “the right to say no.” That means users will, as of today, be able to see what data companies have gathered about them, have that data deleted, and opt out of those companies selling it to third parties from now on.

It’s important to remember that we’re not just talking about the Googles and Facebooks of the world, but any big company that does a lot of business online—which is to say, any big company. One such corporation is Condé Nast, WIRED’s parent company. So if you’re reading this from a California IP address, you should have seen a pop-up banner with a big button reading “Do Not Sell My Personal Information.”

What happens if you click it? Well, WIRED doesn’t exactly “sell” your data right now—no one is giving us cash (or withholding military aid, for that matter) in exchange for dirt on our readers. But, like just about every site on the internet, we track your behavior—what articles you read, for how long, etc.—on WIRED.com using cookies. We use that data internally for research and site improvements, but the information can also go to a third-party vendor, like Google AdSense, which combines it with similar data from other sites to create user profiles that advertisers can target. The infamous shoe ad that follows you across the internet long after you close out your Zappos tab? That’s how it works—and advertisers pay extra for the privilege of this personalized ad targeting. If you ask WIRED.com to stop “selling” your data, you won’t get those types of ads from us anymore, and your browsing history on our site won’t factor into the types of ads you see elsewhere.

Many companies already had to implement processes allowing European users to delete their data or opt out of tracking thanks to GDPR, which laid some groundwork for the CCPA. Some platforms, including Facebook, have built tools allowing users to exercise the rights that the CCPA now guarantees to California residents.

Enforcement

Final regulations that clarify and define the parameters of the law haven’t been released, but California attorney general Xavier Becerra is expected to issue them sometime in the next six months. The state won’t start enforcing the law until July 1. It’s an open question whether enforcement will be robust enough for the law to really make an impact.