Marin Independent Journal

Consumers receive new privacy rights

Law provides control over personal data companies

- By John Woolfolk Bay Area News Group

Starting New Year’s Day, California­ns creeped out by the trove of personal data companies collect on their online shopping, searching and social media habits will get sweeping new privacy rights that will let them opt out of having their informatio­n sold or shared and let them demand that it be deleted.

“This is really a watershed moment for consumers,” said Scott W. Pink, a Menlo Park lawyer who advises companies on cybersecur­ity and privacy. “It’s the first law in the United States outside specialize­d industries like health care that provides consumers some degree of control and access over data collected on them.”

The California Consumer Privacy

Act approved in June 2018 was inspired by public outrage over data breaches at major companies such as Facebook, Yahoo and Equifax that exposed consumers to potential fraud and misuse of their personal informatio­n, and by the European Union’s General Data Protection Regulation.

The new law requires that busi

nesses disclose their data gathering and sharing practices and allows consumers to opt out of it and to demand that businesses delete collected informatio­n on them. It prohibits companies from penalizing consumers with higher rates or fewer services for exercising their privacy rights and from selling informatio­n about children under age 16 without their explicit consent.

But questions continue to swirl as companies scramble to comply. The state attorney general is still finalizing proposed regulation­s intended to guide consumers and businesses in order to meet a July deadline when enforcemen­t is expected to begin.

And both consumer and business advocates continue to spar over whether the new privacy provisions go too far or not far enough, with proposed state and federal substitute­s in the works.

Jessica Melugin, a policy analyst at the Competitiv­e Enterprise Institute, a free market think tank in Washington, D.C., said Europe’s privacy regulation­s,

which took effect a month before the Legislatur­e approved California’s law, already are revealing unintended consequenc­es.

“We have Europe to look to to see how this has gone, and it’s not particular­ly encouragin­g,” said Melugin, citing reports that large companies that collect data have increased market share. “The big players have gotten bigger since that regulation went into effect, simply because the bigger firms can better afford to comply with these regulation­s. It’s going to do more to solidify the bigger players. You can already see it — every privacy lawyer and compliance specialist is being gainfully employed.”

Alastair Mactaggart, the San Francisco real estate developer and privacy advocate whose proposed ballot measure spurred the California Legislatur­e to pass the law, is so frustrated over industry lobbying efforts to weaken it that he’s seeking a new measure for the November 2020 ballot.

“Some of the world’s largest companies have actively and explicitly prioritize­d weakening the CCPA,” Mactaggart said in announcing his new proposed initiative in September.

Others are urging federal legislatio­n to avoid a patchwork

of state data privacy laws. Rep. Ro Khanna, DFremont, introduced an Internet Bill of Rights in 2018 that has drawn bipartisan interest.

Consumers already had some privacy rights under federal and state law before the California Consumer Privacy Act.

The federal Children’s Online Privacy Protection Act of 1998 requires parental consent before collecting personal informatio­n online from children age 12 and younger and allows them the right to see it and ask that it be deleted. The new California law adds that kids up to age 16 must consent to the sale of their online data.

A state law, the California Online Privacy Protection Act, already required companies to post a privacy policy online explaining what informatio­n they gather on consumers, how it might be shared and any process for reviewing it or making changes. The new law requires companies to disclose informatio­n collected upon request, free of charge, up to twice in a 12-month period. Companies also must disclose the types of informatio­n, what kind of recipients it is shared with, and the business reason for collecting


In preparatio­n for the new law, Facebook, for example, now tells California customers that informatio­n it collects may include “internet or other electronic network activity informatio­n, including content you view or engage with,” and “photos and face imagery that can be used to create face-recognitio­n templates if you or others choose to provide it and you have the setting turned on.”

Facebook, stung by 2018 revelation­s that millions of its customers had their personal data harvested from their profiles by a British political consulting firm without their consent, now offers California­ns a “click here” link “to exercise your ‘right to know’ or your ‘right to request deletion.’ ”

The new law applies to companies operating in California with gross revenues over $25 million that collect personal informatio­n from 50,000 or more consumers a year or generate at least half their revenue from selling such informatio­n. Critics argue that may include a lot of companies that might not seem like the law’s prime targets, such as a pizzeria or grocery.

The law leaves it to the attorney general to enforce

most provisions, though individual consumers could sue companies for data breaches. Companies could be fined up to $7,500 for each violation.

Following the act’s approval in 2018, industry advocates succeeded in defeating bills that would have required consumers to “opt in” before companies could use their personal data and would have allowed consumers to sue companies over a broader range of violations.

Mactaggart had said he was inspired to propose the privacy law after a friend who worked at a technology company told him he’d be terrified if he knew how much informatio­n was gathered on him. His proposed 2020 initiative would increase penalties for violating children’s privacy. It also would create a new privacy enforcemen­t agency and bolster protection­s for sensitive financial, health, location and race data.

But Pink said that while the Legislatur­e made a number of changes to help companies comply with the new law, “it is clear that it intends to keep the main protection­s in effect” and that the new law “will impose significan­t new obligation­s on companies doing business in California.”

 ?? JENNY KANE — THE ASSOCIATED PRESS FILE ?? The privacy act was inspired by data breaches at companies such as Facebook, Yahoo and Equifax.
JENNY KANE — THE ASSOCIATED PRESS FILE The privacy act was inspired by data breaches at companies such as Facebook, Yahoo and Equifax.

Newspapers in English

Newspapers from United States