The California Consumer Privacy Act goes into effect January 1st, and it doesn’t look like anyone, even the state of California itself, is totally ready. Draft regulations for enforcing the law are still being finalized at the state level, and questions about specific aspects of the most sweeping privacy regulation since the European Union’s General Data Protection Regulation (GDPR) are still not clear.
“If you thought the GDPR was bumpy, the CCPA is going to be a real roller coaster,” Reece Hirsch tells The Verge. Hirsch is co-head of Morgan Lewis’ privacy and cybersecurity practice and has been advising clients on how to adapt to the new law. “This is a complex set of new rules, which are still a work in progress.”
The crux of the CCPA is this: if your company buys or sells data on at least 50,000 California residents each year, you have to disclose to those residents what you’re doing with the data, and, they can request you not sell it. Consumers can also request companies bound by the CCPA delete all their personal data. And as The Wall Street Journal reported, websites with third-party tracking are supposed to add a “Do Not Sell My Personal Information” button that if clicked, prohibits the site from sending data about the customer to any third parties, including advertisers.