The California Consumer Privacy Act (CCPA) that took effect earlier this week will not only erect a higher data privacy bar for citizens of the state, but also may put an important policy stake in the ground for Federal lawmakers who are weighing nationwide data privacy legislation.
Among other provisions, the new California law gives citizens of the state the right to know what data companies are collecting about them, and to ask for collected data to be deleted. It also requires companies to disclose their business purpose for data they collect, and any third-party companies they share data with. Additionally, businesses can offer “financial incentives” to individuals for being allowed to collect their data.
CCPA applies to any company that has California-based customers; generates a minimum of $25 million in annual gross revenue; and holds personal information on at least 50,000 people, households, or devices.
Enforcement of the law is subject to a six-month grace period, and companies will continue to work towards compliance before the July 1 deadline hits.
Given the size of the California population – with 39.7 million residents it makes up 12 percent of the total U.S. population – the new state privacy statute is impossible to ignore for big information companies conducting nationwide operations, and is already having the effect of promoting adoption of its provisions on a national basis.
Microsoft, for instance, has already maintained that it will extend its CCPA compliance efforts to all its customers across the U.S.
“As digital technology becomes more and more essential in our day-to-day lives, the lack of action by the United States Congress to pass comprehensive privacy legislation continues to be a serious issue for people who are concerned about how their data is collected, used and shared,” said Julie Brill, Microsoft’s Corporate VP for Global Privacy and Regulatory Affairs and Chief Privacy Officer, in a November 2019 blog post.
Congress has debated data privacy legislation for several years, but has yet to take decisive action.
Among the current crop of Federal data privacy bills is the Data Care Act of 2019 which was introduced on Dec. 2, 2019 by Sen. Brian Schatz, D-Hawaii, and 16 other sponsors. The bill has not yet moved beyond the Senate Committee on Commerce, Science, and Transportation.
The committee held a hearing last month to talk about proposals to protect consumer data privacy, at which Brill applauded states’ efforts to protect data, and echoed Microsoft’s position on privacy protections for consumers at the Federal level. She said companies like Microsoft would be able to deal with the new Federal-level data privacy standards, but that individuals or smaller companies could have a more difficult transition due to a lack of resources or capital.