On Jan. 1, the toughest data privacy law in the U.S. goes into effect: the California Consumer Privacy Act, or CCPA.
That’s why you’re seeing a host of emails pop up in your inbox from various companies announcing updates to their terms of service, particularly their privacy policies. With no similar federal law on the horizon, this one is expected to set the standard nationally for some time to come.
So what does it mandate?
“On Jan. 1, 2020, all Californians will be able to find out what personal information a business is collecting about them, their devices and their children,” said Mary Stone Ross, one of the new law’s co-authors, and a nationally recognized data privacy expert.
According to the law, consumers will be able to opt out of the sale of their personal information. If a company fails to implement reasonable security practices and consumers’ personal information is breached, they’ll be allowed to sue those companies.
Companies can still collect the data: what you buy; where you go, and when; all the photos you’ve ever taken; your emails, even the ones you deleted.
But what companies must now do is tell you what they’re collecting when you ask, and delete it all if you ask for that. However, some companies can deny your request to delete if the data is required in order to complete a financial transaction or protect against fraud.
What companies can’t do anymore, legally, is sell that data if you tell them not to. But if they do anyway, consumers can’t sue. The law reserves lawsuits for another all-too-common problem: “It’s only for data breaches. So if certain categories of personal information, for example, your Social Security number, are breached, and a business fails to implement reasonable security practices, then you have cause,” said Stone Ross.
California’s attorney general
The office of Attorney General Xavier Becerra won’t begin to enforce the law until July 1, 2020, but Becerra said he considers the law in effect as of Jan. 1, 2020, “right after that first kiss, and the hugs, and the champagne.”
However, the attorney general’s budget is limited. He has said his office is likely to conduct only three enforcement actions a year. Against whom? He won’t say yet, although Becerra said “the bigger the company, the bigger the problem. The bigger the universe that has data that is used in certain ways, that could lead to that violation, the bigger the case will be.”
His office is keen to prioritize protecting particularly sensitive kinds of information.
“I think my health information is sensitive. I think my Social Security number is sensitive. I think my dating patterns, especially since I’m married, would be sensitive,” Becerra said jokingly.
Then he added that “aggressive, early, decisive enforcement” is likely to focus on the sale of data involving children. “The last thing you want is for any company to think that we’re going to be soft on letting you misuse kids’ personal information.”
Industry groups spent the last year trying to rewrite and soften the law. It’s expected they’ll sue to stop its rollout in the new year, even as most have taken some steps to comply with the CCPA. Many businesses complain that there’s a lack of clarity on the regulations the attorney general is still in the process of crafting.
Common Sense Media, the privacy advocacy group, has a template “Do not sell my data” request form on its website. But businesses want the attorney general’s office to produce sample forms and notices. The attorney general’s office has released a Standardized Regulatory Impact Assessment that demonstrates the potential scope of the new law.
In the meantime, some companies such as Microsoft are adopting the new rules right away, nationwide.
But while Facebook has made it easy to download your data (as have Twitter and Google), the Menlo Park-based social media giant argues that it sells advertisers access to users, so it’s up to the advertisers to let users opt out or not.
That doesn’t pass the smell test for a number of industry watchers, including Chris Hoofnagle, who teaches technology regulation at the University of California, Berkeley.
“Facebook, in particular, appears to be interpreting the law in a very opportunistic way. So that they don’t actually need to do anything to comply with it,” he said.
Hoofnagle thinks the biggest tech companies in Silicon Valley are in a financial position to bet it’ll be a while before the attorney general’s office comes for them.
Tech companies could earn serious money in the meantime. Facebook alone made $55 billion in 2018 providing advertisers access to users.
“Enforcement is the big unknown here. But Facebook will be in trouble if the attorney general picks up the law and uses it,” Hoofnagle said.
Less talked about but similarly dramatic will be the law’s impact on data brokers, companies built on collecting and selling information whether or not consumers are aware of it.
The law applies to any company that meets any one of three thresholds annually: It has at least $25 million in revenue, makes at least half its money by selling data or gathers information on at least 50,000 consumers. Companies that don’t fix violations within 30 days of being notified can be fined up to $7,500 for each intentional violation.
Data tracking and selling has become big business for a wide variety of companies, including automakers, retailers, software companies and others you don’t necessarily realize are running a side business serving advertisers.
Many consumers have technically agreed to the tracking and sale of their data by clicking “yes” to those difficult-to-understand acceptance forms required to use a host of websites and apps.
Consider the last party invitation you received through Evite.
Data privacy activists such as Stone Ross are hoping that even if individuals aren’t that keen to dig into the fine print, lawyers and journalists will do so in a way that garners public attention.
Other data privacy laws like this are expected to crop up in other states because there is no federal law, despite the introduction of multiple bills in Washington, D.C., such as the Online Privacy Act put forward by Reps. Anna Eshoo and Zoe Lofgren.
“Industry advocates were worried that other states were going to follow California and have their own version of the CCPA,” said Stone Ross. “It would probably only take one other state to pass their own version of the CCPA, and then there will be a lot of pressure on Congress to pass federal legislation.”