Europeans have enjoyed better privacy regulations than Americans since the General Data Protection Regulation (GDPR) went into effect in May 2018. That started to change on January 1, however, because the California Consumer Privacy Act (CCPA) officially went into effect on the first day of the new roaring '20s.
California passed the CCPA in June 2018. Much like the GDPR, these new regulations are meant to give Californians more control over their personal data, as opposed to the current model of allowing tech companies to largely govern themselves. The full text of the bill can be found here; these are the main protections it affords:
- A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.
- A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
- A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:
- (1) The categories of personal information it has collected about that consumer.
- (2) The categories of sources from which the personal information is collected.
- (3) The business or commercial purpose for collecting or selling personal information.
- (4) The categories of third parties with whom the business shares personal information.
- (5) The specific pieces of personal information it has collected about that consumer.
- A consumer shall have the right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer:
- (1) The categories of personal information that the business collected about the consumer.
- (2) The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold.
- (3) The categories of personal information that the business disclosed about the consumer for a business purpose.
- A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out.
There's more to it, but those are some of the most important sections. They greatly expand the control people have over their data and make it clear how companies are expected to behave going forward. It's not perfect--we doubt any privacy-related bill could be--but at least now some Americans have more agency over their info.
The CCPA is technically restricted to Californian. But some organizations, such as Microsoft and Mozilla, have already committed to applying the CCPA's restrictions to everyone else in the U.S. too.
Not all companies are keen on the CCPA, though. Facebook, Google and others reportedly lobbied against the bill last year. The group wanted to have a say in federal privacy regulations--which have yet to arrive--but they reportedly said they wouldn't cooperate with those efforts unless the CCPA was nullified first.