California Consumer Privacy Act of 2020: What the new privacy law means to you

Jessica Guynn | USA TODAY

Video caption: Facebook pays $5 billion FTC fine. Facebook must pay a record-breaking $5 billion fine as part of a settlement with the FTC and also agreed to measures that limit the power of the CEO.

Every day, Americans are tracked across the internet by a trillion-dollar industry that mines and stockpiles thousands of their data points to target ads at them.

Nearly 8 in 10 people say they’re concerned about what companies do with all that data they quietly cull, according to the Pew Research Center. Yet this massive private surveillance dragnet is largely beyond Americans' control.

Until now. On Wednesday, a landmark law in California will grant consumers the right to see the personal information that companies collect about them and stop them from selling it. The law is the California Consumer Privacy Act or CCPA.

If companies extend these new rights to consumers outside the state, or if other states follow California's lead, the CCPA could effectively become a national law, privacy advocates say.

But the law faces challenges. Business trade groups and lobbyists are seeking to revise it with amendments or preempt it with watered-down federal legislation, claiming the regulations are overly broad and could have unintended consequences that harm consumers and small businesses.

Bay Area real estate developer turned privacy activist Alastair Mactaggart, who put up more than $3 million to place privacy protections before California voters in 2018, says he isn't backing down from his fight to give consumers more control over how Silicon Valley tracks them to target advertising. The statewide ballot initiative he funded drew more than 600,000 signatures, leading California lawmakers, tech companies and privacy advocates to hammer out a legislative compromise: the CCPA.

“Whether or not we have everything in this particular law or the next one, it’s a massive beachhead,” Mactaggart says. “Being California, we just have a unique opportunity. As we go, so goes the nation.”

With calls for privacy regulation from Capitol Hill and the presidential campaign trail intensifying, Mactaggart is capitalizing on a growing unease with the tech industry's business tactics post-Cambridge Analytica. He says he’s prepared to spend millions more on a new initiative for the 2020 ballot in California to keep business interests from chipping away at the CCPA. The ballot initiative would also protect sensitive information, like your health and financial records, and your precise location. And it would create a California agency to enforce the regulations.

But Jennifer King, director of consumer privacy at the Stanford Law School's Center for Internet and Society, says the law may not help as many people as supporters hope.

"I’m skeptical that the average person will even know this law exists, let alone know how to take advantage of it. Mostly I imagine that privacy advocates will put it to the test and publicize the results," she says. "One of my concerns is that there is no budget allocated to public education on the issue, so most people are going to learn about it via word of mouth from advocates or friends. And, depending on how hard it is to exercise one’s rights from company to company, and what results you receive in turn, individual experiences may vary a lot."

Want to take more control over your online data? Here’s what you need to know.

What is the California Consumer Privacy Act?

California consumers have already begun to receive email notifications alerting them to changes under CCPA. The law, which takes effect Jan. 1, gives California residents the right to know what data companies collect about them and to opt out of having their data sold. Businesses are also restricted in selling the personal information of children under 16.

Under the law, Californians can sue businesses for certain types of data breaches. For other violations, California Attorney General Xavier Becerra will be able to bring enforcement actions starting in July. The regulations used to enforce the law are still being finalized.

What's the catch?

CCPA may be the nation’s strongest privacy law, but privacy advocates warn it has limitations and the business community says it has drawbacks.

The law still puts the onus on consumers to take steps to protect their data. The problem: Americans trade away their privacy all the time. We click through privacy policies and terms of service without reading them. We buy phones that track us everywhere we go. We use smart speakers that record us in our homes. We take quizzes that give up intimate details about our lives.

Even if people want to assert their privacy rights, many don’t know what those are, and the law will have little impact unless people use it, advocates say. Some 63% of Americans say they understand very little or nothing at all about the laws and regulations that protect the privacy of their data, Pew Research found.

It's not yet clear exactly how the law will apply to major tech companies such as Facebook and Google, which argue they do not sell the information of consumers they track on the internet. "In our case there’s nothing to opt out from," Facebook said in a statement. Becerra is expected to offer more guidance on this issue in 2020.

If a business violates the law, it can be fined $2,500 per violation or $7,500 if the violation is determined to be intentional. But consumers have little recourse on their own except for data breaches. For the most part, they cannot sue companies that violate the law. Only Becerra can enforce the rules when companies don't respond to consumers' requests or delete their data.

“We have a law that effectively makes the California Attorney General the chief privacy officer without the budget to do that,” says Electronic Privacy Information Center associate director Mary Stone Ross, who helped draft the ballot initiative that led to the California law. “It makes me nervous that some businesses are just going to take their chances.”

What if I don't live in California?

In response to the upcoming law, some corporations like Microsoft are extending California's consumer protections to all Americans. Privacy advocates are betting other companies will follow suit. So they are urging consumers across the country to demand that companies delete their data and stop stockpiling it. Many companies are expected to comply with these requests.

“Whether you are in California or not, you should take advantage of this great law,” says Girard Kelly, counsel and director of the privacy program at Common Sense Media, the nonprofit advocacy group that helped draft the legislation. “Know what companies are collecting about you. Know how it’s being used, whether they are selling it, and, if they are selling it, know that you can opt out and say ‘No, I don’t want you to try to make money from my data.’”

How do I exercise my privacy rights?

If you stream a lot of music on Spotify, for example, you can send the company a form directing it not to sell your data. If your teen uses TikTok, you can send a form on your teen's behalf. A business must comply unless the information is necessary to complete a transaction or protect against fraud.

For instance, Hulu informs Californians that it collects all sorts of information, such as age, gender, IP address and viewing habits and makes inferences about you to recommend more programming.

You can opt out of having your information shared with advertisers including geolocation data and the insights Hulu gleans here. But if you ask Hulu to delete all the information it collects about you, the streaming company warns it will have to cancel and delete your account.

In general there are two steps:

— Fill out forms — one form per person, per company — to request your information, to have your information deleted or to instruct a company not to sell your information. Each form should take five to 10 minutes to complete. You can find USA TODAY's forms here.

— Then file your forms electronically or by mail.

Common Sense Media has free resources for consumers including instructions on how to exercise your rights and the forms you need to request a company delete your personal information.

You can expect to get confirmation of your request to see your information and have your information deleted within 10 days. Businesses are supposed to send a response to that request within 45 days. You can request your personal information from businesses twice a year for free. The information they provide will go back 12 months.

Which businesses have to comply with the law?

It’s not just big tech. Broadly speaking, most companies, no matter where they are based, must comply with the CCPA when serving California customers.

The law exempts some small businesses. It applies only to companies that have at least $25 million in revenue, hold personal information on at least 50,000 people or generate at least half their money from selling consumers' personal information.

Why do businesses oppose the law?

Business interests complain the regulations are an overreaction to troubling revelations from the tech industry, such as Facebook’s handling of user data, and place unfair burdens on small businesses that are not exempt and could deprive consumers of loyalty and rewards programs.

For example, businesses complain that the new California law broadens the definition of personal information to any information, including a specific device or browser that could be linked directly or indirectly to a consumer or household.

These interests are pushing California lawmakers to water down the law and Congress to pass federal legislation that would preempt it.

"There may yet be unintended consequences to small businesses and consumers that can affect access to data, apps, advertising, and software tools," says Shoeb Mohammed, policy advocate for the California Chamber of Commerce.

How did California get a privacy law?

Mactaggart was chatting at a party with a Google engineer who confided that Americans would be horrified by how much Google knew about them.

In 2018, the real estate developer gathered signatures to put a privacy initiative on the California ballot. Tech companies put up $1 million to fight the measure before backing off. Mactaggart agreed to take the measure off the ballot if the California legislature passed a data privacy law, which it did. That is the law that takes effect Wednesday.

Throughout 2019, tech companies worked to weaken the law before it takes effect and privacy advocates worked to strengthen it. So far, there have not been any significant changes.

What's next for privacy in California?

Mactaggart is working on the new ballot initiative. In California, these initiatives bypass the state legislature and the governor to create new laws.

If approved by voters, Mactaggart’s measure would limit the sale of sensitive information such as sexual orientation and race; require that companies only collect as much information as is necessary for business purposes and inform consumers how long they intend to hold onto it; and would impose tougher penalties for violations involving children under age 16.

What are the privacy laws where I live?

Federal privacy legislation is stuck in Congress. No other states have adopted California's privacy regulations, though some states are exploring similar laws. Privacy advocates say if you want these protections in your state, call your representatives.