California’s groundbreaking privacy law went into effect January 1, 2020.

The California Consumer Privacy Act (CCPA) requires businesses to inform state residents if their data is being monetized as well as to provide them with a clearly stated means of opting out from the collection of their data and/or having it deleted. Businesses not in compliance with CCPA regulations may be fined by the state of California and sued by its residents.

The CCPA requirements only kick in for companies that have collected the personal data of more than 50,000 California residents and/or show more than $25 million in annual revenue. The primary exception to the CCPA is for companies subject to California’s Insurance Information and Privacy Protection Act (IIPPA).

Under the CCPA, companies are allowed to sell “anonymized” user data. This exemption has drawn heavy criticism from privacy advocates due to several studies showing that anonymized data can be re-identified with personally identifiable information relatively easily.

While the protections of the law apply only to California residents, businesses such as Microsoft have implemented its provisions for all customers.

As with the European Union’s General Data Protection Regulation, many of the details of the CCPA’s implementation have yet to be determined and will most likely require further clarification in court cases.

“If you thought the GDPR was bumpy, the CCPA is going to be a real roller coaster,” said privacy and cybersecurity legal expert Reece Hirsch in an interview with The Verge.