Has the California Consumer Privacy Act (CCPA) Been Effective?

On June 2018, 2018, the California Consumer Privacy Act (CCPA) was signed into law, and the CCPA took effect on January 1, 2020. It has been more than 18 months since compliance with the privacy law became mandatory, so how effective has it been so far?

The main aim of the CCPA was to protect the privacy of California residents and to give them much greater control over their personal data. Californian consumers and residents were given new rights over their personal data and large businesses had to be much more transparent about the personal data they collect and how personal data are used. The law is often referred to as California’s General Data Protection Regulation (GDPR) – the comprehensive privacy law introduced in the European Union on May 25, 2018. The CCPA does not go nearly as far as GDPR, but it is still a significant piece of privacy legislation, which has not yet been equaled in any other U.S. state.

Determining the effectiveness of the CCPA so far is difficult. In the EU, there have been many financial penalties imposed for violations of the provisions of the GDPR, and while the GDPR has been in effect for longer, in 18 months at least one financial penalty for noncompliance would have been expected, but to date there have been none. The California Department of Justice (DOJ) is the enforcer of CCPA compliance, and only the California DOJ has the authority to bring privacy lawsuits against companies in violation of the CCPA. Several warnings have been issued by the California DOJ over potential CCPA violations, but that is it so far for enforcement.

Shortly after the two-year anniversary of the introduction of the CCPA, California Attorney General Rob Bonta issued an enforcement update, but failed to state in the update how many warnings had been issued to companies found to have been in violation of the CCPA. He only said 75% of the companies that had been warned about potential violations had corrected the issues within 30 days. Financial penalties are avoided if corrective action is taken within 30 days of being notified about a violation.

Without figures on warnings, a good assessment of how effective the CCPA can be gained from the number of Californians who have exercised their CCPA rights.  Under CCPA, large businesses such as Google, Apple, Facebook, Amazon, and Microsoft are required to report on CCPA-related activity, specifically the data-privacy requests they have received from Californians.

A recent report in Politico assessed this but found huge discrepancies between the figures reported by the tech firms. For instance, the number of requests received by users of these services to have their personal data released were as follows:

  • Microsoft – 2.95 million requests
  • Apple – 669,030 requests
  • Amazon – 100,960 requests
  • Facebook – 43,677 requests
  • Google – 516 requests

When it comes to deletion requests, the following companies have posted data:

  • Microsoft – 2.8 million requests
  • Apple – 295,000 requests
  • Google – 276 requests

Considering how many people use Google, it is strange that so few requests have been received, especially when compared to the large numbers posted by Microsoft. The figures suggest that there are discrepancies in how data are reported, which makes it difficult to determine exactly what these figures mean. The purpose of reporting is to gauge the effectiveness of the CCPA and to tell how many Californians are exercising their privacy rights, but the figures say very little. Californians may not be aware of their privacy rights, tech firms may not be making it easy for Californians to exercise their CCPA rights, and the reporting criteria may be different at each company.

“If there’s no way to truly understand what these numbers are measuring, then it’s really difficult, just from a research perspective. How do we assess whether this law is working?” said Jennifer King, privacy and data policy fellow at the Stanford Institute for Human-Centered Artificial Intelligence.

Based on the data available, it is difficult to determine how effective the CCPA has been so far in practice, but since the CCPA is still in the maturing stage, it should become clearer over time. It is likely to also be easier to gauge the effectiveness of California’s privacy laws after 2023, when the CCPA will be replaced by the California Privacy Rights Act, which was approved in November 2020. When that law takes effect, more regulations will be introduced to toughen up the privacy laws, enforcement will be more stringent and easier, and greater clarity will be introduced concerning the restrictions related to the sale and sharing of personal data.