California proposed regulations on Thursday to dictate how the state will enforce its tough, new privacy law. The law, known as the California Consumer Privacy Act, gives consumers more control over how companies collect and manage their personal data. It goes into effect on Jan. 1.
The CCPA, seen as establishing the most stringent data privacy protections in the nation, allows people to request that data be deleted and gives them the opportunity to opt out of having their information sold to a third party. The proposed regulations would include specific requirements that businesses must comply with, such as including a "do not sell" link for consumers. Businesses will also be required to treat consumer choices made in privacy settings as valid opt-out requests. Companies that handle personal information for more than 4 million consumers will be subject to additional requirements.
"Americans should not have to give up their privacy to live and thrive in this digital age," California Attorney General Xavier Becerra said at a press conference where he released his agency's draft of the regulations.
California's law is meant to provide protection to California residents in the absence of federal law and to push the nation to offer more consumer protections.
Implementation of the regulations will cost companies between $467 million and $16.5 billion between 2020 and 2030, according to estimates from the attorney general's office. The regulations will also serve to protect more than $12 billion worth of information that's used for advertising each year.
The deadline for submitting comments to the California AG's office regarding the proposed CCPA rules is Dec. 6.
California's privacy law was passed in 2018 in the wake of scandals in which the data privacy practices of Silicon Valley companies like Facebook came to light, angering lawmakers and regulators. Last year, Facebook CEO Mark Zuckerberg faced questioning from US lawmakers as well as the European Parliament after it was discovered that personal information from 87 million Facebook users was leaked to UK political consultancy Cambridge Analytica. Other data privacy scandals have also been exposed, including the realization that wireless carriers had sold customer location information to third parties such as bounty hunters.
"It should not come as a surprise then that California is the state to take on this challenge," Becerra said.
While the European Union has passed laws and adopted regulations to help protect consumers' data privacy, the US has yet to pass its own sweeping federal legislation to protect consumers' personal information.
Tech giants such as Amazon, Facebook and Google now say they would like to see federal privacy legislation, but they want the rules to be written on their terms. These firms have spent millions of dollars over the past year lobbying Congress to pass federal data privacy legislation. Their end game in these efforts is to preempt laws in California and other states to create a nationwide standard that they say would prevent a patchwork of state laws and regulations that they'd be required to comply with. But privacy advocates warn that preempting state laws, such as California's CCPA, could provide less protection for consumers.
Originally published Oct. 10 at 3:10 p.m. PT.
Updated Oct. 11 at 5:31 a.m. PT: Added information about the process for submitting comments.