Californians will soon gain more rights over whether their personal data is used and sold by technology companies. That’s thanks to a new law going into effect Jan. 1, 2020, called the California Consumer Privacy Act.
The status quo
Ever strolled through Facebook or Instagram and seen an advertisement for that couch you looked up on Google just two minutes earlier?
Targeted advertisements are commonplace on the internet, where human behaviors, preferences and other types of data can be gathered, stored, or potentially sold by tech companies.
Emory Roane, an attorney at the Privacy Rights Clearinghouse in San Diego, said identity theft, data breaches and targeted pricing practices on the internet are among the many concerns residents have brought up.
“I just got a data breach letter, this business has my information. I don’t even know about this business. Now my debit card, and my social security number and my drivers license are out on the internet apparently. What do I do and how did I get here?” Roane said.
Introduction to CCPA
A March ACLU poll showed 90% of voters in the state support more consumer privacy protections from online technology companies. And last year, Californians got just that.
California Gov. Gavin Newsom approved the California Consumer Privacy Act in June last year. The American Bar Association said it is considered to be “the absolute toughest data privacy law in the United States.”
But, the bill was actually a compromise that was swiftly passed so that a tougher piece data privacy legislation that had been proposed would be dropped. As a result, there are now 18 amendments on the bill that are scheduled to be considered by Newsom this month. So, it’s likely there will be changes to the current version.
But even as it is, some privacy experts say the law certainly isn’t lax. According to the ABA, under the current version of the legislation a consumer can request any business making more than $25 million in revenue, that buys or sells personal information of 50,000 or more consumers, or derives 50% or more of its revenue from the sale of consumers personal information.
Consumers can find out how their data is being used, who it’s being sold to, and ask that it be deleted. Non-compliance could result in litigation for businesses.
Roane calls it landmark legislation, especially in terms of steps consumers can take to protect themselves.
“Now rather than saying, freeze your credit, or take some remedial steps to not be low-hanging fruit, we can say why don’t you go to that business, find out what information they have on you, and take that control back,” Roane said.
Businesses scrambling to comply
The legislation has many businesses focusing on getting their data assets in order. But, the legislation, which is still being hammered out by lawmakers, is fairly vague, says Justine Phillips, a San Diego attorney at Sheppard Mullin specializing in data privacy for businesses.
“Until CCPA was here, this was a Wild West type world. You were allowed to amass data that was unregulated data,” Phillips said. “It was really only financial information, health information, and certain types of data that had regulations. And now the definition of personal information under CCPA is really broad,” said Phillips.
Now, businesses will have to figure out what data applies and whether they even fall under the scope of the law, she said. For example, she said a business partner, that’s just providing software support to a larger technology company, could be subject to the CCPA. That’s because they might have access to the data.
And it may not be easy for smaller businesses to comply, she said.
“This is going to be a trickle-down effect, where the priority will be pushed down to organizations that may not have the size to justify a large dedication of resources,” Phillips said.
Phillips said the law also applies to companies outside of California that are receiving data from California residents.
She said San Diego is home to a major tech industry.
“San Diego companies will feel CCPA. If they do not directly have the revenue or amount of consumer data to trigger CCPA, they are probably receiving letters from business partners that do,” Phillips said.
She also said San Diego is home to many groups promoting the business interests of tech companies, as well as groups supporting the privacy interests of consumers.
But, will consumers even use it?
Roane admits consumers might be wary of using this law. That’s because it could mean losing access to some online services that can only work if provided personal data, like social media sites.
“It’s a little early to say consumers won’t be interested in it. Will it be the majority of people? Certainly not,” Roane said.
“But, we know for the many people that don’t use Facebook or have one that Facebook still has lots of information on them," he said. "I personally can’t wait to ask Facebook to delete all my information.”
And, he said consumers can use the legislation to exercise their privacy rights on a broad range of sites, and not just the popular ones. He also says some particularly vulnerable population, subject to targeted practices online, may be eager to pursue their rights under this law.
He mentions Latino populations across California and in San Diego that could be targeted by information soliciting online from immigration services.
“If you’re in a community that has those technologies, you very well may not want to be included in those databases,” Roane said.
Phillips says she also positive that many consumers across California will be using this law.
“I think Californians are active and have a deep and strongly held belief in their rights to privacy,” said Phillips. She said the state was one of the first to enact a constitutional right to privacy in the 1970s.
She also says the law will likely serve as a model for other states that are considering similar online privacy regulations.