Starting January 1, California’s Consumer Privacy Act (CCPA), will require all California for-profit businesses to disclose to consumers upon request the specifics of the personal information collected and its sources. Consumers can also require companies to delete personal information, refrain from selling it, and pursue legal action for failure to comply.
As the start date for the law draws near, giants like Google, Amazon, and Facebook, are working to help push through amendments that will make the law easier on businesses.
California is the first government in the US to regulate how businesses retain and use electronic consumer data. The legislation is the first response to the European Union’s GDPR, enacted last year. The General Data Protection Regulation allows the EU the power to fine companies that violate its consumer privacy protections. Google was slapped with a $57 million fine for failing to disclose data collection tactics to consumers, and Facebook is under several investigations from the GDPR governing body.
Personal information protected by CCPA include:
- search and browsing history
- geolocation data
- IP addresses
- email addresses
- purchase records
- records on consumption histories and tendencies
- professional and employment information
- educational information
- audio, visual and thermal information
Fines for non-compliance range from $2,500 (if unintentional) or $7,500 per violation (if intentional) for companies that fail to cure alleged violations within 30 days.
As efforts to pass federal privacy legislation in Congress have languished, states have stepped up their pace. According to the National Law Review, five other states — Hawaii, Maryland, Massachusetts, Mississippi, and New Mexico — have introduced CCPA-like privacy bills as of March 2019. Another three states — New York, North Dakota and Washington — have put forth consumer privacy bills to protect personal data.
A federal bill introduced in the Senate in December, The Data Act of 2018, remains in committee. As proposed, among other protections, the legislation would prevent “online service providers” from using individual identifying data in any way that would benefit the online service provider to the detriment of an end user.