California's new privacy law puts billions worth of personal data under protection

Key Points
  • The California Consumer Privacy Act went into effect on Wednesday, Jan. 1.
  • The law gives residents of California more control over data collected on them if they take certain steps.
  • Some companies are broadening their CCPA rights beyond just California residents.

Whether or not you live in California, you've likely received something in your inbox about new privacy notices from one of the various companies you've interacted with, such as Lyft, Spotify and Hulu.

That's thanks to the California Consumer Privacy Act, which went into effect on Wednesday, Jan. 1, and deals with how large companies are allowed to collect and use data of California residents. It gives California consumers the ability to request personal data be deleted from a given company, among other protections. The law will make it harder for companies to collect and manage the kind of data about consumers that has powered digital advertising for years.

Businesses are subject to CCPA if they meet any of these requirements: they have gross annual revenues of more than $25 million; buy, receive or sell the personal information of 50,000 or more consumers, households or devices in California; or derive 50% or more of annual revenue from selling consumers' personal information. The company doesn't need to be in California but is subject to the law if it collects personal information on that threshold of residents there.

Though the law went into effect Wednesday, it technically isn't being enforced yet. Sarah Lovenheim, special assistant for strategic communications for California Attorney General Xavier Becerra's office, said businesses that meet the thresholds spelled out under CCPA "should be prepared to adhere to the law now." For noncompliance, companies will be required to pay $2,500 per violation if unintentional and $7,500 if intentional.

"While we can't take action until six months after finalizing our rules, or July 1 — whichever comes first — we can consider a business's efforts to comply with the law from January 1, onwards," she wrote in an email to CNBC. The rules are technically subject to change until comments are considered. Businesses and other parties were able to submit comments about the regulations during public hearings, by mail or over email until last month.

And a lot of data is at stake. According to estimates in the Standardized Regulatory Impact Assessment for the law, CCPA will protect more than $12 billion worth of personal information that's used for advertising in California each year.

Unsurprisingly, ad industry groups have pushed back against the law. The Association of National Advertisers, the American Association of Advertising Agencies, the Interactive Advertising Bureau, the American Advertising Federation and the Network Advertising Initiative, some of the most powerful and influential trade groups for the industry, provided written comments last month.

The groups cited concerns about negative consequences proposed regulations could create for consumers and businesses. They said they were concerned the rules' provisions "impose entirely new requirements on businesses that are outside of the scope of CCPA and do not further the purposes of the law."

What this means for consumers

Let's say you're a Lyft rider who lives in California. According to Lyft's new privacy policies, you can see what type of personal information the company has collected about you, the sources that information came from, the business or commercial purpose for collecting it, the categories of third parties Lyft has shared the personal information with, and the pieces of personal information themselves.

Consumers in California can also ask for that information to be deleted and direct their service providers to do the same. There are exceptions, though, if the information is "necessary for [Lyft] or a third party" to complete a transaction, provide the consumer a good or service, protect a consumer's security and prosecute those responsible for breaching it, protect the free speech rights of you or other users, and other reasons.

But even if a consumer isn't in California, the rules will likely make it clearer what kind of data is being collected about them. Peloton's new privacy policy for California, for instance, outlines "what personal information we collect." Those range from age and gender all the way up to mobile carrier and information about their heart rate over the course of a class.

In its main privacy policy, it explains that it may use certain first-party or third-party information or web beacons to deliver ads relevant to a user on its sites or on third-party sites. The company says it doesn't share information it collects from software development kits or other health-related applications with third parties for advertising or marketing purposes.

Companies such as Peloton, though, say they don't completely understand what CCPA means about the "sale" of personal information.

"California residents have the right to opt out of our disclosures of Personal Information that we have disclosed to third parties for valuable consideration (which may be considered 'sales' under California law even if no money is exchanged)," the company writes in its California privacy notice. "What is covered as a 'sale' under California law is not yet clear, but we currently do not 'sell' your information as we understand it. However, Peloton respects and understands that you may still want to ensure your personal information is not sold." It offers a form for residents in California wishing to exercise their "Do Not Sell" rights.

Similarly, Facebook has said that data transfers about consumers might not fit the law's definition of selling data, The Wall Street Journal reported last month. Facebook has a mechanism for CCPA inquiries, which lets California residents request more information related to their rights under the act for its products. Meanwhile, Google released a Chrome extension to help people block Google Analytics from collecting information and a protocol so sites won't send data to the company if consumers have opted out, which it said was to help advertisers comply with CCPA.

Microsoft and Mozilla, the maker of the Firefox web browser, have said they're rolling out their CCPA rights more broadly. Microsoft said in November it would apply CCPA allowances to all U.S. users, and Mozilla said Thursday it would give those privacy rights to all Firefox users.
