Whether or not you live in California, you've likely received something in your inbox about new privacy notices from one of the various companies you've interacted with, such as Lyft, Spotify and Hulu.
That's thanks to the California Consumer Privacy Act, which went into effect on Wednesday, Jan. 1, and deals with how large companies are allowed to collect and use data of California residents. It gives California consumers the ability to request personal data be deleted from a given company, among other protections. The law will make it harder for companies to collect and manage the kind of data about consumers that has powered digital advertising for years.
Businesses are subject to CCPA if they meet the requirements of having gross annual revenues of more than $25 million; buy, receive or sell the personal information of 50,000 or more consumers, households or devices in California; or derive 50% or more annual revenue from selling consumers' personal information. The company doesn't need to be in California but is subject to the law if it collects personal information on that threshold of residents there.
Though the law went into effect Wednesday, it technically isn't being enforced yet. Sarah Lovenheim, special assistant for strategic communications for California Attorney General Xavier Becerra's office, said businesses that meet the thresholds spelled out under CCPA "should be prepared to adhere to the law now." For noncompliance, companies will be required to pay $2,500 per violation if unintentional and $7,500 if intentional.
"While we can't take action until six months after finalizing our rules, or July 1 — whichever comes first — we can consider a business's efforts to comply with the law from January 1, onwards," she wrote in an email to CNBC. The rules are technically subject to change until comments are considered. Businesses and other parties were able to submit comments about the regulations during public hearings, by mail or over email until last month.
And a lot of data is at stake. According to estimates in the Standardized Regulatory Impact Assessment for the law, CCPA will protect more than $12 billion worth of personal information that's used for advertising in California each year.
Unsurprisingly, ad industry groups have pushed back against the law. The Association of National Advertisers, the American Association of Advertising Agencies, the Interactive Advertising Bureau, the American Advertising Federation and the Network Advertising Initiative, some of the most powerful and influential trade groups for the industry, provided written comments last month.
The groups cited concerns about negative consequences proposed regulations could create for consumers and businesses. They said they were concerned the rules' provisions "impose entirely new requirements on businesses that are outside of the scope of CCPA and do not further the purposes of the law."
Let's say you're a Lyft rider who lives in California. According to Lyft's new privacy policies, you can see what type of personal information the company has collected about you, the sources that information came from, the business or commercial purpose for collecting it, the categories of third parties Lyft has shared the personal information with, and the pieces of personal information themselves.
Consumers in California can also ask for that information to be deleted and direct their service providers to do the same. There are exceptions, though, if the information is "necessary for [Lyft] or a third party" to complete a transaction, provide the consumer a good or service, protect a consumer's security and prosecute those responsible for breaching it, protect the free speech rights of you or other users, and other reasons.
Companies such as Peloton, though, say they don't completely understand what CCPA means about the "sale" of personal information.
"California residents have the right to opt out of our disclosures of Personal Information that we have disclosed to third parties for valuable consideration (which may be considered 'sales' under California law even if no money is exchanged)," the company writes in its California privacy notice. "What is covered as a 'sale' under California law is not yet clear, but we currently do not 'sell' your information as we understand it. However, Peloton respects and understands that you may still want to ensure your personal information is not sold." It offers a form for residents in California wishing to exercise their "Do Not Sell" rights.
Similarly, Facebook has said that data transfers about consumers might not fit the law's definition of selling data, The Wall Street Journal reported last month. Facebook has a mechanism for CCPA inquiries, which lets California residents request more information related to their rights under the act for its products. Meanwhile, Google released a Chrome extension to help people block Google Analytics from collecting information and a protocol so sites won't send data to the company if consumers have opted out, which it said was to help advertisers comply with CCPA.
Microsoft and Mozilla, the maker of Firefox web browser, have said they're rolling out their CCPA rights more broadly. Microsoft said in November it would apply CCPA allowances to all U.S. users, and Mozilla said Thursday it would give those privacy rights to all Firefox users.