The California Consumer Privacy Act (CCPA) essentially requires companies to disclose what data is sold to who. This consumer privacy law forces them to let users opt out of having their information sold to third party buyers.
Although this doesn’t stop the data collection itself, users can choose to prevent firms to stop information selling. These include biometrics, locations, and other data.
Internet experts claim the CCPA is unnecessary, because the country instead needs a federal law for regulation. While it would protect more people with less paperwork, its launch would be time consuming on its own.
California currently acts as a testing dummy for the American version of the General Data Protection Regulation. The process could prove difficult, but not impossible, with less strict guidelines.
The CCPA only applies to companies that meet a set of qualifications, like those that have gross annual revenues at more than $25 million. Companies that collect data from more than 50,000 users, or make more than 50% of their revenue selling user data, are also included.
Morgan Lewis’ Reece Hirsch said the diversely interpreted consumer privacy act required a closer look to their practices. Service provider agreements are different from subcontractor or vendor agreements, which need to carefully spell out how they share information.
By January 1, companies should have been advertising obvious “do not sell my information” option in their websites.
Many companies complied to the CCPA since the state passed it last 2018. There’s a directory of how users can request to improve their privacy settings.
Microsoft said it plans to implement the privacy law in their websites for all its customers.
Industry Giants’ Denial
Companies like Facebook refused to comply with the consumer privacy law, claiming their definition doesn’t apply.
This definition included the sharing of personal information, said Mary Stone Ross, co-author of the CCPA.
Facebook hasn’t responded since Ross’ comment last December.
Pharmacy giant CVS is also under a lawsuit for a 2017 data breach revealing the HIV status of more than 6,000 people. As of January 2, the company doesn’t have a “do not sell my data” button it in its homepage.
CVS sells people’s data with advertisers and social media companies, but presents the same argument as Facebook.
Despite the law put in place, enforcement for the CCPA won’t happen until July 1. There’s still a lack of resources to hold companies accountable, according to California Attorney General Xavier Becerra.
Becerra had anticipated people interpreting the law to benefit themselves.
IBM is currently facing a lawsuit from Los Angeles over collection of location data on almost 45 million people. Their company The Weather Channel admitted that they “may have” sold information within the CCPA’s definition.
Ross said that even without any names attached to the data, they’re still considered as personal data under the CCPA.