Why you’re getting all those “updates to our privacy policy” emails

As you were out celebrating New Years, you may have received notices of updated privacy policies from various companies. That's because California's consumer privacy act finally went into effect. It's yet another example of states taking up the responsibility of protecting people's privacy, but it may take a long time to see any real changes.

Originally signed into law in June 2018, the California Consumer Privacy Act (CCPA) is a landmark privacy legislation establishing new rules for how companies collect and handle data. By doing so, the law aims to not only protect consumers but to give them more transparency. For example, businesses now have to disclose what information they collect and who it gets shared with. Most importantly, consumers can opt out of having their data sold, and businesses aren't allowed to retaliate.

“Knowledge is power, and in the internet age knowledge is derived from data," California's Attorney General Xavier Becerra said in a press release. "Our personal data is what powers today’s data-driven economy and the wealth it generates. It’s time we had control over the use of our personal data. That includes keeping it private."

Although the law is now in effect, that doesn't mean you're going to see immediate changes everywhere. There is a six month grace period for businesses so no action can be taken against them until that passes.

CCPA notably takes after the European Union's General Data Protection Regulation (GDPR), which make up some of the strictest data regulation laws in the world. Under it, tech companies have faced increased scrutiny and penalty, like Google's multiple billion dollar fines for antitrust violations.

Although the CCPA just went into effect itself, it has already inspired other privacy legislation. In March, the Washington State Senate passed a bill giving people the right-to-delete (so you can ask companies to delete data on you) obviously drawing from both the CCPA and GDPR.

Not every business will be subject to the CCPA. As CNBC reported, there are a few requirements to meet, such as grossing annual revenues of more than $25 million and buying, receiving, or selling the information of at least 50,000 consumers. A business doesn't have to be in California to be subject to CCPA, though, as long as it collects information on state residents.

Under the law, the fines right now are nothing major. Companies will be fined $2,500 per violation if unintentional and $7,500 if intentional. Those can add up but remember, Facebook was hit by an a $5 billion fine from the Federal Trade Commission — the biggest fine in its history. But given that Facebook made $22 billion in profits in 2018 alone, it wasn't enough to shake the company.

The CCPA may not be perfect but it's still a big step. Given a lack of federal regulations, tech companies have been able to collect a bunch of information on people. It's easy to blame consumers for sharing their data too easily, but it's not their fault.

Sadly, CCPA being a state-level law means that if you're outside of California, none of these protections apply to you. Even then, it is a good reminder that tech companies aren't entitled to your data just because they exist. Your lawmakers can make legislation to protect you.