According to TechCrunch, California’s Consumer Privacy Act (CCPA) is now in effect, allowing state residents to access, delete, and opt out of the sale of their personal data. The law is the biggest state-level privacy overhaul in a generation, but its enforcement provisions don’t start until July 2020, giving companies a grace period. Most major tech giants are reportedly not ready to comply, and companies have buried the required data request and opt-out portals deep within their privacy policies. In response, a developer named Damian Finol created a running directory at caprivacy.me, which has already gathered over 80 links to these hidden portals in less than a day. The project relies on community contributions and was motivated by Finol’s personal experience with the vital importance of privacy.
The Grace Period Gamble
So the law is live, but the real teeth—the fines and sanctions—won’t come for another six months. That’s not an accident. It’s a feature, not a bug, and it’s probably a relief for every big company from Facebook to your local bank. They lobbied hard against this, and now they’ve essentially been given a half-year head start to figure out how to comply… or how to make compliance as difficult as possible for users. Think about it: if the goal was genuine transparency, wouldn’t the enforcement start date be day one? This delay basically signals that non-compliance is the expected norm right now.
The Hide-and-Seek Portal Problem
Here’s the thing. Companies learned from the GDPR rollout in Europe. They know they have to *technically* provide these tools. But there’s a world of difference between having an opt-out page and having a findable opt-out page. Burying it in a 10,000-word privacy policy that nobody reads is the digital equivalent of hiding the key under the mat… and then putting the mat in a different county. It’s compliance theater. It checks the legal box while practically guaranteeing that the vast majority of people will never use their new rights. That’s not an oversight; it’s a strategy.
A Community Fix And Its Limits
This is where Damian Finol’s caprivacy.me directory comes in. It’s a fantastic, grassroots effort. Relying on community submissions via GitHub pull requests is clever. But let’s be skeptical for a second. This is a cat-and-mouse game. Companies can change their URL structures anytime. A link that works today might 404 tomorrow. And the scale is daunting—how many companies does the average person interact with? Dozens? Hundreds? The directory is a great start, but it highlights the core failure: why should a volunteer have to build the map to rights that a multi-billion-dollar law is supposed to guarantee?
The Manual Labor of Privacy
Finol’s advice is to “put on a pot of coffee and get started.” That’s telling. In 2020, protecting your basic privacy in California requires the same manual effort as filling out your taxes. You have to go to each site, one by one, find the process (hopefully via his directory), and submit a request. There’s no universal “stop selling my data” button. And that’s by design. The friction is the point. It’s a huge barrier that will stop most people. The law creates a right, but the industry’s implementation ensures it’s a right only for the most persistent, tech-savvy users. For everyone else? Nothing really changes. You can follow Finol’s work on Twitter, but the question remains: when will the law itself make privacy easy?
