On Jan. 1, the toughest data privacy law in the U.S. goes into effect: the California Consumer Privacy Act, or CCPA.
That's why you're seeing a host of emails pop up in your inbox from various companies announcing updates to their terms of service, particularly their privacy policies. With no similar federal law on the horizon, this one is expected to set the standard nationally for some time to come.
So what does it mandate?
"On Jan. 1, 2020, all Californians will be able to find out what personal information a business is collecting about them, their devices and their children," said Mary Stone Ross, one of the new law's co-authors, and a nationally recognized data privacy expert.
According to the law, consumers will be able to opt out of the sale of their personal information. If a company fails to implement reasonable security practices and consumers' personal information is breached, they'll be allowed to sue those companies.
Companies can still collect the data: what you buy; where you go, and when; all the photos you've ever taken; your emails, even the ones you deleted.
But what companies must now do is tell you what they're collecting when you ask, and delete it all if you ask for that. However, some companies can deny your request to delete if the data is required in order to complete a financial transaction or protect against fraud.
What companies can't do anymore, legally, is sell that data if you tell them not to. But if they do anyway, consumers can't sue. The law reserves lawsuits for another all-too-common problem: "It's only for data breaches. So if certain categories of personal information, for example, your Social Security number, are breached, and a business fails to implement reasonable security practices, then you have cause," said Stone Ross.
