The California Consumer Privacy Act Went Into Effect This Week
The CCPA is like GDPR for California.
Europeans have enjoyed better privacy regulations than Americans since the General Data Protection Regulation (GDPR) went into effect in May 2018. That started to change on January 1, however, because the California Consumer Privacy Act (CCPA) officially went into effect on the first day of the new roaring '20s.
California passed the CCPA in June 2018. Much like the GDPR, these new regulations are meant to give Californians more control over their personal data, as opposed to the current model of allowing tech companies to largely govern themselves. The full text of the bill can be found here; these are the main protections it affords:
- A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.
- A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
- A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:
- (1) The categories of personal information it has collected about that consumer.
- (2) The categories of sources from which the personal information is collected.
- (3) The business or commercial purpose for collecting or selling personal information.
- (4) The categories of third parties with whom the business shares personal information.
- (5) The specific pieces of personal information it has collected about that consumer.
- A consumer shall have the right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer:
- (1) The categories of personal information that the business collected about the consumer.
- (2) The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold.
- (3) The categories of personal information that the business disclosed about the consumer for a business purpose.
- A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out.
There's more to it, but those are some of the most important sections. They greatly expand the control people have over their data and make it clear how companies are expected to behave going forward. It's not perfect--we doubt any privacy-related bill could be--but at least now some Americans have more agency over their info.
The CCPA is technically restricted to Californian. But some organizations, such as Microsoft and Mozilla, have already committed to applying the CCPA's restrictions to everyone else in the U.S. too.
Not all companies are keen on the CCPA, though. Facebook, Google and others reportedly lobbied against the bill last year. The group wanted to have a say in federal privacy regulations--which have yet to arrive--but they reportedly said they wouldn't cooperate with those efforts unless the CCPA was nullified first.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.
-
hotaru251 hope it makes it to my state...casue #1 thing is contact google, fb, and MS to opt out of selling my data and collecting it :|Reply -
digitalgriffin admin said:The California Consumer Privacy act went into effect January 1. The CCPA is like GDPR for California
The California Consumer Privacy Act Went Into Effect This Week : Read more
Brilliant piece of legislation. Now companies will bury it in 10,000 lines of legalease so that consumers don't bother to actually read it and click just like EULA's.
/synacism -
digitalgriffin hotaru251 said:hope it makes it to my state...casue #1 thing is contact google, fb, and MS to opt out of selling my data and collecting it :|
It covered nothing about opting out or right to be forgotten. It just informed consent what information and how that information is disseminated and to whom. A lot of companies do this already in EULA's as a CYT (Cover your tail) This just formalizes it.
In otherwords, it's just enough to be effectively inefficient at solving the real problem.
EDIT: My mistake. I went back and reread it. They said you could request data be deleted.
I wonder how that runs in conflict with ISP's being required to collect your web history for a year? -
jp182
That's kind of the problem: someone has to remember that you opted out but the law also says that everything about you has to be wiped.digitalgriffin said:It covered nothing about opting out or right to be forgotten. It just informed consent what information and how that information is disseminated and to whom. A lot of companies do this already in EULA's as a CYT (Cover your tail) This just formalizes it.
In otherwords, it's just enough to be effectively inefficient at solving the real problem.
EDIT: My mistake. I went back and reread it. They said you could request data be deleted.
I wonder how that runs in conflict with ISP's being required to collect your web history for a year? -
hotaru251
i mean just record you stating it and if they happen to "forget" well you have proof for a potential lawsuit.jp182 said:someone has to remember that you opted out -
bit_user
I agree, but it's a step in the right direction.digitalgriffin said:Brilliant piece of legislation. Now companies will bury it in 10,000 lines of legalease so that consumers don't bother to actually read it and click just like EULA's.
Next, what we need are some standard web APIs, so that you can configure your browser to tell sites to delete certain classes of data collected on you. I wouldn't say "delete everything", because you might not actually want that, on certain sites where you have accounts. -
TJ Hooker digitalgriffin said:It covered nothing about opting outArticle said:A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out.