Wednesday, February 19, 2020

Don't sell my data! We finally have a law for that

Feb. 11, 2020

By The Washington Post · Geoffrey A. Fowler 

With apologies to the Beastie Boys: You gotta fight for your right to privacy. America's first broad data privacy law, the California Consumer Privacy Act, went into effect Jan. 1. These days, a wild range of companies gather and sell your data, from Ford and Chipotle to Uber and Walmart. Now the CCPA gives you the power to say cut it out.

And while the law technically covers only California residents, Americans living anywhere can use the CCPA to reset their relationships with more than a dozen major businesses (and counting).

Just know that some companies are going to make you jump through hoops. To help, I'm breaking the CCPA down into bites - and collecting below a growing list of links you can use to take action.

I've been learning how to use the law by filing requests to more than 100 companies. To be covered by the CCPA, companies have to make more than $25 million per year or collect data on more than 50,000 people. They're not incentivized to make it easy: Amazon hid critical links in legal gobbledygook. Marketing data company LiveRamp asked me to submit a selfie holding my own ID, kidnap-victim style. Walmart asked for my astrological sign to confirm my identity. (Really.) And one business left me a voice mail, but the message included no return number . . . or even the name of the company. (Please call back!)

Yet I've also been pleasantly surprised: Some of the biggest businesses, including Netflix, Microsoft, Starbucks and UPS, are extending CCPA rights to all Americans rather than just Californians. That makes some sense: It's additional work for companies to try to confirm where people live. And frankly, it's not a good look for them to claim they care about customer privacy and then discriminate against Americans who don't live in California. Many of these companies tell me they'll participate when Congress passes a federal data privacy law, which they know isn't likely anytime soon.

Privacy advocates have mixed feelings about the CCPA. It's true that it creates too much work for many people - and everyone deserves privacy, even if they're not willing to jump through hoops.

But I'm in the camp that thinks the CCPA is an important step forward. I spent the past year following the secret life of the data on my phone, car and credit cards, often confronting a stone wall from companies. Now we all have the legal authority to demand answers about what's happening with our data. For example, the CCPA has already revealed that Amazon keeps a record of everything you do on a Kindle, from when you start and stop reading to when you highlight a word. (Amazon CEO Jeff Bezos owns The Washington Post, but I review all tech with the same critical eye.)

The CCPA is far from a perfect privacy law, but it's the one America has in 2020. I want to hear what you discover using it. I'm hopeful it will fuel an overdue public conversation about what kind of surveillance is OK - and what crosses the line.

Q: What does the CCPA do?

A: On its own, the CCPA won't do much for your privacy. But if you take some action, it gives you three useful rights:

1) You can ask companies to show you exactly what data they've collected about you.

2) You can instruct companies not to "sell" your data. The word "sell" is in quotes because the law defines that pretty broadly as an exchange of value. (There's a lot of debate about that, though - see below.)

3) You can ask companies to delete your data, unless doing so would create a security threat or interfere with someone else's free speech.

Even better, the law says companies are not allowed to treat you differently or charge you money just for exercising your data rights.

There's also a special restriction for children: If you're under 16, a company needs you to explicitly opt in before they can sell your information.

Q: Is it like the European law?

A: The CCPA is a bit like a European law you may have heard about, called the General Data Protection Regulation. What's different is that the CCPA doesn't require companies to minimize the data they collect in the first place.

Privacy advocates also think the CCPA is sorely missing the ability for consumers to file lawsuits against companies that violate their rights. Only the California attorney general can do that now.

Q: How much work is this?

A: You have to go to each and every company to exercise your CCPA rights. Yes, that could become a never-ending project. But the good news is that many companies have web forms you can fill out like busywork. I submitted about a hundred in less time than it took me to binge the most recent season of "The Crown."

So far there's no tool to help you do this all at once or service that will manage your data for you, though I've heard from several start-ups working on that.

Keep in mind that some online services, including Facebook, say a "delete" request involves totally shutting your account, rather than just pressing a reset button on all the unwelcome surveillance of your life.

Q: What hoops might companies make me jump through?

A: Before you dive into making requests, get organized. You'll need to have access to your usernames, passwords and loyalty card numbers. (If you don't already have a password manager to keep all your important information organized, this is an excellent time to get one.)

Companies can ask you to prove your identity, and if there are errors or missing information they can reject your request. Scan or photograph your driver's license; many sites required me to upload it, or a version that was redacted. Data firm Wiland even asked me for a notarized letter. (I reminded it that CCPA requests aren't supposed to cost consumers anything, and the company suggested I seek out a free notary at a government office or credit union.)

Some companies will try to shift work onto you. Airbnb and PayPal, among others, make you email them requests, rather than using web forms. Instead of a simple "do not sell" switch, companies including Mastercard make you manage a series of privacy "preferences" (as if anyone's preference would be to have their data sold). To opt out, Best Buy says you have to change your web browser to block all cookies (breaking some sites) and dig into your phone settings to turn off some advertising tracking.

Don't let any of this stop you from demanding your rights. The most common annoyance is firms hiding their CCPA instructions behind many links and impenetrable privacy policies.

Q: Is there any information that isn't covered?

A: Companies don't have to share information that's already public, that they've collected in a job interview or that they've aggregated in ways that don't identify you.

Some companies have come up short in what they actually disclose. For example, in CCPA requests it returned to me, Amazon has yet to share what data it collects in its camera-equipped Amazon Go convenience stores.

And businesses already covered by a few existing privacy laws are exempt - even if those laws don't require transparency like the CCPA. That means banks and doctor's offices generally don't have to abide.

Q: What counts as data 'sale'?

A: This is one of the most-debated questions in tech right now.

The CCPA says selling data is a transfer of information for commercial purposes. That's obvious where one company pays another for, say, your burrito purchase history. But many businesses, particularly ones involved in online advertising, pass along information in other ways, such as tracker cookies and pixels hidden on websites and apps.

Some of the biggest firms, including Facebook, Amazon and Google, contend the "do not sell" request part of the CCPA doesn't apply to them because they don't sell our data. They just make billions off our data by using it to target ads and train artificial intelligence software.

Others are claiming an out because the law is too vague. For example, Spotify's privacy policy says it shares your personal information with advertisers - but the music service doesn't think that should count as a sale. "It is currently unclear whether the use of certain types of advertising partners would be considered a sale under CCPA," the company says.

The authors of the CCPA say they intended the term "sale" to reflect the wider data economy. California Attorney General Xavier Becerra hasn't yet published guidelines for how his office will interpret the law, and we might not get firm answers until his office begins enforcing it. That's set to begin July 1.

Q: Once I have my data, what do I do with it?

A: First, keep it secure by storing it only on a computer you control with a password.

Most of the data requests I've received so far have come in formats I can easily read, such as text files or PDFs. But not all: Twitter sent me files in a .js format that requires a data science degree to understand. (The company says it is working to improve that.)

I'm still waiting to hear back on most of my requests; the law gives companies up to 90 days to deliver. But already I learned that WiFi router maker Eero, owned by Amazon, keeps a detailed log of every device that's ever connected to my network. (It's like a creepy visitor guest book.) Fandango not only tallied all the movies I've watched but also concluded I have an affinity for the Muppets. (True.)

When you examine your data, keep an eye out for information you didn't know the company had - or don't think it should. If you don't like what you see, submit a CCPA delete request. Or stop doing business with the company, and be sure to tell it why.

If you think a company is violating your privacy - or violating the CCPA - you can complain to the California attorney general.

Also, tell me about what you discover, using this form or sending me an email. Your experience could help inform my future columns and investigations by The Post. But please don't just send me your data download from a company. I don't want to invade your privacy!

Q: OK, let's do it! Where do I click?

A: The list below includes many of the companies where I've submitted CCPA requests. I've separated out the companies that have indicated they'll offer CCPA rights to all Americans. 

There are more resources available: A crowdsourced list stored on GitHub, an online resource for coders, has an even longer list of links to company-specific CCPA information pages. Common Sense Media is also building out the website Donotsell.org as a resource for CCPA requests, as is CAPrivacy.org, run by one of the authors of the law. The Electronic Frontier Foundation offers a simple guide on its website, and the Electronic Privacy Information Center has a handy draft form letter to use in cases where companies don't offer web forms.

If you're looking for a company not included in any of these resources, I recommend finding the privacy policy on its website and searching for the word California - that's typically the best place to start.

These companies accept CCPA requests from all Americans:

Amazon

Apple

DoorDash

Facebook

Google

Lutron

Microsoft

Netflix

PayPal

Ring

Roku

Starbucks

Strava

Toyota

Twitter

Uber

UPS

Wiland

Zillow

 

- - - 

 

These companies accept CCPA requests from California residents:

Acxiom

Airbnb

Alaska Airlines

Albertsons/Safeway

Altria

AT&T

Best Buy

BevMo

Chipotle

Comcast Xfinity

CVS

Disney

Dominos

eBay

Eero

Epsilon

Equifax

Equinox

Experian

Face App

Ford

General Motors

Honda

Hulu

i360

JetBlue

Kayak

Live Nation

LiveRamp

Lyft

Macy's

Marriott

Mastercard

Nissan

OpenTable

Orangetheory Fitness

Pinterest

Quora

Redfin

Resy

Samsung

SiriusXM

Southwest Airlines

Spotify

Staples

Target

Ticketmaster

TransUnion

Truedata

Uber

Unilever

Verizon

Verizon Media

Visa

Volkswagen

Walmart

Washington Post

Whitepages

Whole Foods

Yelp
