The California Consumer Privacy Act (CCPA) is now in force, as of yesterday. It gives residents of the state the right to know what personal data is being collected about them, as well as to know whether that data is being sold or disclosed, and to whom. Importantly, it also gives them the right to be able to easily opt out of the sale of their personal data, and to request that a business delete any personal information about them.

The new law applies to any business doing business in California that collects consumers personal data, and which either, turns over more than $25m per annum; or buys or sells the personal information of 50,000 or more consumers or households; or earns more than half of its annual revenue from selling consumers personal information.

While that all sounds pretty straightforward, as with GDPR in Europe when that launched in 2018, there is much confusion among businesses about how the new law will apply to them, and how it will be interpreted and applied, with state Attorney General Xavier Becerra suggesting to the San Francisco Chronicle in December that it will be around six months before widespread enforcement of the law starts to happen.

Much depends on how rigid the state is in enforcing the law. Facebook said in a blog post in December: “We’re committed to clearly explaining how our products work, including the fact that we do not sell people’s data”, a statement that many people may find surprising.

Speaking to The Verge on Tuesday, James Steyer, CEO of children’s privacy advocacy organization Common Sense, took issue with Facebook’s stance, arguing that the company’s business model is based on collecting and monetizing its users’ data.
“As has unfortunately become the custom, Facebook is the single biggest outlier,” he said. “Becerra is going to have to focus on holding companies like Facebook to account.”