California privacy law takes effect

California became the first state in the country to have a comprehensive data privacy law when the California Consumer Privacy Act (CCPA) went into effect this year.

Companies are scrambling to figure out how to handle the law, which is expected to require major firms to disclose the personal information they collect from consumers and what they do with it.

Much about the law, which will not be enforceable until either July 1 or six months after the final rule is released, remains unclear.

California Gov. Gavin Newsom signed the bill into law in June 2018, but California Attorney General Xavier Becerra only just published the first round of draft regulations in early October. His office closed the public comment period on Dec. 6, and the final version of the regulations is due out soon.

The bill is expected to allow Californians to view the information that companies have collected about them, and to opt out of that collection. The law is expected to forbid companies from discriminating against users who opt out of data collection.

While the law is not enforceable for now, California has hinted that companies could be sanctioned retroactively if they disregard the new rules on Jan. 1.

A spokesperson for Becerra told The Hill that qualifying companies “should be prepared to adhere to the law as of January 1,” suggesting that retroactive enforcement may be possible.

“While we can’t take action until six months after finalizing our rules, or July 1 — whichever comes first — we can consider a business’s efforts to comply with the law from January 1, onwards,” the spokesperson said.

The CCPA technically applies to businesses with online traffic in California that have annual revenues over $25 million, collect data on 50,000 consumers or receive 50 percent of their revenue from selling data, according to the draft regulation.