FAQ

Since we passed CCPA, two things have happened: First, some of the world’s largest companies have actively and explicitly prioritized weakening the law. Second, technological tools have evolved in ways that exploit a consumer’s data with potentially dangerous consequences. We believe using a consumer’s data in these ways is not only immoral, but it also threatens our democracy.

 It is for this reason that we are proposing the CPRA 2020 ballot measure, to strengthen the law and give you the power to take back control of your personal information.

Read the data privacy law comparison

Your life is not their business. Make a donation and help fund out efforts to put CPRA on the ballot in November 2020. Donate here.

To get updates on the campaign, follow us on social media via Twitter and Facebook.

Californians for Consumer Privacy is a nonprofit political committee dedicated to protecting and expanding privacy rights for consumers.

In 2018, Californians for Consumer Privacy sponsored the California Consumer Privacy Act (CCPA) Ballot referendum signed by 629,000 Californians to qualify for the November 2018 ballot. After the initiative qualified, the California State Legislature passed groundbreaking consumer privacy legislation in June 2018, which was signed into law by California Governor Jerry Brown. The CCPA gives nearly 40 million people in California the strongest data privacy rights in the country starting January 2020.

In September 2019,  Alastair Mactaggart, Board Chair and Founder of Californians for Consumer Privacy, filed an initiative to appear on the November 2020 ballot, the California Privacy Rights Act (“CPRA”). We’re currently collecting signatures for CPRA to appear on the ballot and are actively expanding communications across the state of California in anticipation of our campaign through Election Day.

Our organization is made up of hundreds of thousands of supporters, thousands of volunteers and activists, and a leadership group, including:

Alastair Mactaggart, Board Chair and Founder, Californians for Consumer Privacy — Alastair Mactaggart has been building housing in the Bay Area for over 20 years. He believes that all Californians, and people worldwide, should have the fundamental right of data privacy and be able to control their OWN personal information. He believes that it’s not right that companies you’ve never heard of, can buy more information about you (and sell it for a profit), than even your closest friends know. And that you have no control over the process. He advocates for the online privacy of children and believes that parents should have a choice about how their family’s data is sold.

Celine Mactaggart, Board Member and Founder, Californians for Consumer Privacy — Celine is a nonprofit professional whose current work focuses on healthcare, gender equity and women’s empowerment. She has served as a Director of local nonprofits including Girls on the Run Bay Area, the Board of Regents at St. Mary’s College, the George Mark Children’s House, and Cal Performances at UC Berkeley. Celine is the current Chair-Elect of the Board of Women in Leadership and Philanthropy at the University of San Francisco, an Advisory Board member of the Greater Bay Area Make-A-Wish Foundation, and is the founder of a nonprofit dedicated to decreasing the incidences of skin cancer. She is particularly interested in data privacy as it relates to children and women.

Rick Arney, Vice Chair and Board Member, Californians for Consumer Privacy — Rick has worked in the financial industry for over two decades, but some of his fondest work memories come from his time working in the California State Legislature after business school, where he was responsible for analyzing the financial impact of proposed laws.  He believes in a future where consumers have meaningful control over their privacy, identity theft is minimized and children’s profiles and preferences are protected.

‍Robin Swanson, General Consultant and Campaign Manager, Californians for Consumer Privacy — Robin Swanson is the general consultant and campaign manager for Californians for Consumer Privacy. Swanson is a strategist and communications expert with more than 20 years of political experience in Washington, D.C. and Sacramento, California. Swanson specializes in strategic communications and media relations, in addition to regularly providing on-air commentary for both local and national news programs. She is currently a regular political analyst on CNN and CNN International.

Nicolette Velazquez, Press Secretary, Californians for Consumer Privacy — Nicolette Velazquez is the press secretary for Californians for Consumer Privacy.

1. You will have the right to know what information large corporations are collecting about you…and you should. Businesses use your personal information for their own purposes, including targeting you with ads, discriminating against you based on price or service level, and compiling your information into an extensive electronic file on you.  You should be able to know what’s being collected about you.
2. You will have the right to tell a business not to share or sell your personal information…and you should. California law has not kept pace with changing business practices. Businesses not only know where you live and how many children you have, but also how fast you drive, how often you go to the gym, who your partner is, whether they think you’re depressed or about to get divorced, your, sleep habits, health and financial information, current location, web browsing history, to name just a few things.
3. You will have the right to protections against businesses which do not uphold the value of your privacy…and you should. Businesses that collect your sensitive personal information should take basic steps to keep it safe. Right now there are no consequences if they don’t, and this law will introduce some consequences.

The California Consumer Privacy Act gives you the right to find out what information businesses are collecting about you, your devices, and your children, and gives you the ability to tell them “Do Not Sell My Information.” If a business collects your personal information, once a year and free of charge they have to tell you what information they have collected on you, your devices and your children. If a business sells your personal information, they have to tell you what categories of personal information they are selling and to whom they sold it.  

From the CCPA Initiative

1798.100. Right to Know What Personal Information is Being Collected. 1798.100. (a) A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the categories of personal information it has collected about that consumer.

1798.101. Right to Know Whether Personal Information is Sold or Disclosed and to Whom. 1798.101. (a) A consumer shall have the right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer: (1) the categories of personal information that the business sold about the consumer and the identity of the third parties to whom such personal information was sold, by category or categories of personal information for each third party to whom such personal information was sold; and (2) the categories of personal information that the business disclosed about the consumer for a business purpose and the identity of the persons to whom such personal information was disclosed for a business purpose, by category or categories of personal information for each person to whom such personal information was disclosed for a business purpose.

The California Consumer Privacy Act protects you from being discriminated against if you tell companies to stop selling your personal data. If you tell a business not to share or sell your private information, they can only charge you a fee directly related to the value of the data they would sell. So for example, if you told your phone company not to sell your information, they couldn’t just tack on a $200/month charge on your bill—which would mean no one would ever exercise these rights. They’d have to tell you how much extra they were charging you to opt out of the sale of your information, and it could ONLY be a charge that was not coercive, usurious, unjust or unreasonable, and had to be related directly to the value of the data they would otherwise have been able to sell.

If you don’t want a corporation to sell your information, you can stop them by clicking on a link that says “do not sell my data.”  The corporation can’t hide this in a privacy policy—they have to display it clearly at the bottom of any page where they collect your information. If you tell them not to sell your info, they can’t discriminate against you.  This means they can’t charge you more, deny you access to services, or change the quality of the service you get! 

From the CCPA Initiative

1798.102. Right to Say No to Sale of Personal Information. 1798.102. (a) A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer not to sell the consumer’s personal information. This right may be referred to as the right to opt out. (b) A business that sells consumers’ personal information shall provide notice to consumers, pursuant to subdivision (a) of section 1798.105, that such information may be sold and that consumers have the right to opt out of the sale of their personal information. (c) A business that has received direction from a consumer not to sell the consumer’s personal information shall be prohibited, pursuant to paragraph ( 4) of subdivision (a) of section 1798.105, from selling the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information.

1798.103. Right to Equal Service and Price. 1798.103. A business shall be prohibited from discriminating against a consumer because the consumer requested information pursuant to sections 1798.100 or 1798.101, or because the consumer directed the business not to sell the consumer’s personal information pursuant to section 1798.102, or because the consumer exercised the consumer’s rights to enforce this Act, including but not limited to, by: (a) denying goods or services to the consumer; (b) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; ( c) providing a different level or quality of goods or services to the consumer; or ( d) suggesting that the consumer will receive a different price or rate for goods or services, or a different level or quality of goods or services, if the consumer exercises the consumer’s rights under this Act. 

Some businesses actually do subsidize their operations and offerings to consumers by selling information. So, if the law simply said that consumers could opt-out of the sale of their information, with no ability for businesses to charge them a fee, then the law could potentially force some companies out of business. We thought a more balanced approach was to allow businesses to charge more, but only the amount they’d normally earn by selling your information. One of the benefits of this approach is they have to tell the Attorney General how much they’re making—and they have to tell you! We think that businesses will be very reluctant to tell consumers how much money they’re making from selling their information, and we think in practice very few companies will end up charging consumers to opt out of the sale of their own personal information.

If you don’t want a corporation to sell your information, you can stop them by clicking on a link that says “do not sell my data.”  The corporation can’t hide this in a privacy policy—they have to display it clearly at the bottom of any page where they collect your information. If you tell them not to sell your info, they can’t discriminate against you.  This means they can’t charge you more, deny you access to services, or change the quality of the service you get! 

From the CCPA Initiative

1798.102. Right to Say No to Sale of Personal Information. 1798.102. (a) A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer not to sell the consumer’s personal information. This right may be referred to as the right to opt out. (b) A business that sells consumers’ personal information shall provide notice to consumers, pursuant to subdivision (a) of section 1798.105, that such information may be sold and that consumers have the right to opt out of the sale of their personal information. (c) A business that has received direction from a consumer not to sell the consumer’s personal information shall be prohibited, pursuant to paragraph ( 4) of subdivision (a) of section 1798.105, from selling the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information.

1798.103. Right to Equal Service and Price. 1798.103. A business shall be prohibited from discriminating against a consumer because the consumer requested information pursuant to sections 1798.100 or 1798.101, or because the consumer directed the business not to sell the consumer’s personal information pursuant to section 1798.102, or because the consumer exercised the consumer’s rights to enforce this Act, including but not limited to, by: (a) denying goods or services to the consumer; (b) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; ( c) providing a different level or quality of goods or services to the consumer; or ( d) suggesting that the consumer will receive a different price or rate for goods or services, or a different level or quality of goods or services, if the consumer exercises the consumer’s rights under this Act. 

Under current California law, businesses are required to implement “reasonable security measures” to safeguard Californian’s personal information. Data breach after data breach has shown how unreasonable this state of affairs truly is, and how few businesses actually implement these security measures.

As we have seen with the many breaches of personal information, businesses ignore the current law.  The California Consumer Privacy Act increases fines and penalties for violations of existing law so that you can hold businesses responsible for safeguarding your personal information if the business chooses to collect it.

If your health information, financial information, or biometric information, is mishandled in a negligent manner, consumers will be able to sue for damages without having to show they were actually harmed. This is important, since before CCPA, businesses only had to pay consumers for damages they could actually show, and no one can link the data breach in February, to the identity theft in October, even though everyone knows that’s how identity theft has become such a terrible problem for our society.

From the Initiative

1798.112.  A business that suffers a breach of the security of the system, as defined in subdivision (g) of section 1798.82, involving consumers’ personal information, as defined in subdivision (h) of section 1798.82, shall be deemed to have violated this Act and may be held liable for such violation or violations under sections 1798.108, 1798.109, and 1798.111, if the business has failed to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect the personal information from unauthorized disclosure.

Section 1798.81.5 is existing California code that requires: A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Under the California Consumer Privacy Act only businesses that earn $50,000,000 a year in revenue, sell 100,000 consumer’s records each year or derive 50% of their annual revenue by selling your personal information must comply. All businesses must comply if they collect or sell Californian’s personal information, whether they are located in California, a different state or even a different country.

From the Initiative

A business is 1798.106 (b): a sole-proprietorship, partnership, limited-liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

(A) has annual gross revenues in excess of $50,000,000, as adjusted pursuant to paragraph (5) of subdivision (a) of section 1798.115; or

(B) annually sells, alone or in combination, the personal information of 100,000 or more consumers or devices; or 

(C) derives 50 percent or more of its annual revenues from selling consumers’ personal information.

The California Attorney General has provided several updates since the law was enacted and went into effect. You can see all their updates and links to resources on their website here: https://oag.ca.gov/privacy/ccpa

For more information about the CCPA and the rulemaking process, see the following:

• CCPA, as of January 1, 2020
• CCPA Fact Sheet, pdf
• Information about the rulemaking process, pdf
• Tips on Submitting Effective Comments, pdf
• Office of Administrative Law – California Code of Regulations

Alastair & Celine Mactaggart are currently the sole funders of the initiative, and they welcome your support. Please go here to donate.

Europe’s GDPR and California’s Consumer Privacy Law were both enacted in 2018, but CCPA didn’t go into effect until just this January, 2020.

Both give consumers the right to know what information businesses have collected about them, and the right to delete that information, as well as the requirement for businesses to keep that information safe.

CCPA was to some extent modeled on GDPR, with the important difference that CCPA gives consumers the right to stop companies from selling their information; and CCPA requires companies to deal with a third-party that the consumer chooses. In essence, CCPA has created a privacy industry in California, because our vision is that new startups will emerge to offer to protect your privacy, and big tech will be forced to deal with them. So try as they might to make it difficult for you to exercise your rights, you’ll be able to get help just the way you would finding a company to take care of your anti-virus needs, or your cloud storage needs.

CPRA, our new initiative, builds on our previous success. It has important new concepts, many also similar to GDPR, including:
–purpose limitation: companies have to tell you why they’re collecting your information, and then only use it for that purpose
–storage limitation: companies have to tell you how long they’re going to store your information, and not store it longer
–data minimization: companies can only collect the information necessary to do the thing they say they’re doing. No more tracking and selling your location, just to tell you what the weather is
–CPRA includes a new definition of “Sensitive Personal Information,” which includes your SSN, DL, Passport, financial account info, precise geolocation, race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information, information about sex life or sexual orientation. You’ll be able to tell companies they can’t even USE this information, unless it’s necessary to deliver you a product you’re asking for.

Sensitive Personal Information includes precise geolocation, i.e. locating you within a circle more precise than roughly 250 acres. This would mean no more tracking whether you’re in rehab, at a cancer clinic, at the gym (& for how long), at a fast food restaurant (& how often), whether you’re sleeping in a separate part of the house from your partner (and how recently), etc., all with the intention of monetizing that most intimate data that makes your life.

Finally, CPRA will establish a new Privacy Protection Agency, funded with $10M from the State’s General Fund (so that Industry can’t lobby Sacramento to starve it by zeroing out its budget). This funding would equate to roughly the same number of privacy enforcement staff as the Federal Trade Commission has to police the entire country (the FTC has 40 privacy professionals).

CCP supports strong privacy rights for the entire country.

At the same time, we are as skeptical as anyone about the prospects for effective federal legislation that do not include back door concessions and weak protections for consumers. We think that just like the national federal health privacy law (HIPAA) and the national federal financial privacy law (Gramm Leach Bliley), a federal consumer privacy law should allow states to have their own privacy laws that are more protective than the federal law.

Industry complains they can’t possibly survive if there are 50 different state consumer privacy laws. Our response is: there are hospitals and banks in all 50 states, last time we checked. Why would consumer privacy laws be any different? Technology companies will survive just fine, plus all consumer privacy laws aim at more or less the same things: giving consumers access to their data, giving them control over where and how it is transferred, and keeping it safe.

Finally, we worry that if there is a national federal law, it will not protect consumers well, and will be almost impossible to change. The 1986 Electronic Communications Privacy Act—1986!—still is in force, and still allows any law enforcement authority to access all your emails and stored communications, without a warrant. That’s because back in 1986 people thought email would be like regular mail—if you hadn’t downloaded your email and deleted it from the server, you obviously didn’t care about it.

So this egregiously privacy-destructive law is still on the books, today. An effort to amend this provision and require a warrant, has passed out of the US House of Representatives twice, UNANIMOUSLY, in recent years, and both times has stalled in the US Senate.

When was the last time anything passed out of the US House of Representatives unanimously? If this doesn’t show how impossible it is to get things done in Congress, nothing does, and so while we are supportive of a strong federal privacy law, we are absolutely opposed to one that doesn’t let states go further, and enact stronger privacy protection laws.

On the contrary, we think CCPA and CPRA will spur tremendous innovation in areas from security to advertising to creating a whole new privacy industry.

Security: CCPA requires that businesses keep your most important information safe, by instituting reasonable security practices and procedures to protect it, like encrypting your data. If they don’t, you have the right to sue them, and you don’t have to show that your data theft resulted in a financial loss to you. Like a speeding ticket, where the cop doesn’t care about why you’re speeding, if businesses are negligent with your data, and lose it in a breach, they will have to pay you between $100 and $750—huge sums of money when millions of consumers are involved.

[Note that the law doesn’t say ‘any data breach at all,’ just because if a business is doing its best, and the Russian or North Korean government hacks in and gets your data, we don’t think they should be liable. But if they are keeping your credit card and social security numbers sitting around in plain text, and there’s a breach, they should absolutely be liable.]

Advertising: CCPA and CPRA won’t stop internet advertising—that’d be dumb. Advertising pays for the internet. You’ll still see content relevant to what you’re looking at—a car dealership ad when you’re searching for cars, or a travel ad when you’re reading an article about Hawaiian beach vacations. That’s called “contextual” advertising, and it doesn’t hurt your privacy at all—all a business knows is that someone is reading an article or searching for a term.

And that’s the technology that built Google and Facebook into the giants they are.

But CCPA and CPRA will allow you to stop the pervasive tracking, the surveillance as you go from one site to another, while these big data aggregators monitor what you read, how long you pause on this page or that, whether you left work early today or not. That’s called ‘behavioral advertising,’ since it tracks your behavior. That technology is newer, and anathema to the American notion of freedom and transparency (you don’t expect that your music streaming app will actually then sell your location data to hundreds of companies you’ve never heard of; you don’t know what your car company will do with all the contact info in your address book, when you give your car permission to sync with your phone).

Privacy startups: just like you don’t do all your own antivirus programming yourself, and try to figure out how to create antivirus software; or you don’t create your own cloud storage; we think privacy will be another area where you outsource your privacy requirements to businesses created specifically to protect your data. California’s new privacy law allows you to hire third party (i.e. another business) to deal with all the businesses you encounter, to help you safeguard your privacy.

Some of the biggest companies on the planet are set up to monitor and surveil your every move, online and in the real world. You need help, and we are convinced that our law has already helped spur the creation of many companies aimed at protecting your privacy.