Consumers receive new privacy rights
Law provides control over personal data companies
Starting New Year’s Day, Californians creeped out by the trove of personal data companies collect on their online shopping, searching and social media habits will get sweeping new privacy rights that will let them opt out of having their information sold or shared and let them demand that it be deleted.
“This is really a watershed moment for consumers,” said Scott W. Pink, a Menlo Park lawyer who advises companies on cybersecurity and privacy. “It’s the first law in the United States outside specialized industries like health care that provides consumers some degree of control and access over data collected on them.”
The California Consumer Privacy Act approved in June 2018 was inspired by public outrage over data breaches at major companies such as Facebook, Yahoo and Equifax that exposed consumers to potential fraud and misuse of their personal information, and by the European Union’s General Data Protection Regulation.
The new law requires that businesses disclose their data gathering and sharing practices and allows consumers to opt out of it and to demand that businesses delete collected information on them. It prohibits companies from penalizing consumers with higher rates or fewer services for exercising their privacy rights and from selling information about children under age 16 without their explicit consent.
But questions continue to swirl as companies scramble to comply. The state attorney general is still finalizing proposed regulations intended to guide consumers and businesses in order to meet a July deadline when enforcement is expected to begin.
And both consumer and business advocates continue to spar over whether the new privacy provisions go too far or not far enough, with proposed state and federal substitutes in the works.
Jessica Melugin, a policy analyst at the Competitive Enterprise Institute, a free market think tank in Washington, D.C., said Europe’s privacy regulations, which took effect a month before the Legislature approved California’s law, already are revealing unintended consequences.
“We have Europe to look to to see how this has gone, and it’s not particularly encouraging,” said Melugin, citing reports that large companies that collect data have increased market share. “The big players have gotten bigger since that regulation went into effect, simply because the bigger firms can better afford to comply with these regulations. It’s going to do more to solidify the bigger players. You can already see it — every privacy lawyer and compliance specialist is being gainfully employed.”
Alastair Mactaggart, the San Francisco real estate developer and privacy advocate whose proposed ballot measure spurred the California Legislature to pass the law, is so frustrated over industry lobbying efforts to weaken it that he’s seeking a new measure for the November 2020 ballot.
“Some of the world’s largest companies have actively and explicitly prioritized weakening the CCPA,” Mactaggart said in announcing his new proposed initiative in September.
Others are urging federal legislation to avoid a patchwork of state data privacy laws. Rep. Ro Khanna, D-Fremont, introduced an Internet Bill of Rights in 2018 that has drawn bipartisan interest.
Consumers already had some privacy rights under federal and state law before the California Consumer Privacy Act.
The federal Children’s Online Privacy Protection Act of 1998 requires parental consent before collecting personal information online from children age 12 and younger and allows them the right to see it and ask that it be deleted. The new California law adds that kids up to age 16 must consent to the sale of their online data.
A state law, the California Online Privacy Protection Act, already required companies to post a privacy policy online explaining what information they gather on consumers, how it might be shared and any process for reviewing it or making changes. The new law requires companies to disclose information collected upon request, free of charge, up to twice in a 12-month period. Companies also must disclose the types of information, what kind of recipients it is shared with, and the business reason for collecting it.
In preparation for the new law, Facebook, for example, now tells California customers that information it collects may include “internet or other electronic network activity information, including content you view or engage with,” and “photos and face imagery that can be used to create face-recognition templates if you or others choose to provide it and you have the setting turned on.”
Facebook, stung by 2018 revelations that millions of its customers had their personal data harvested from their profiles by a British political consulting firm without their consent, now offers Californians a “click here” link “to exercise your ‘right to know’ or your ‘right to request deletion.’ ”
The new law applies to companies operating in California with gross revenues over $25 million that collect personal information from 50,000 or more consumers a year or generate at least half their revenue from selling such information. Critics argue that may include a lot of companies that might not seem like the law’s prime targets, such as a pizzeria or grocery.
The law leaves it to the attorney general to enforce most provisions, though individual consumers could sue companies for data breaches. Companies could be fined up to $7,500 for each violation.
Following the act’s approval in 2018, industry advocates succeeded in defeating bills that would have required consumers to “opt in” before companies could use their personal data and would have allowed consumers to sue companies over a broader range of violations.
Mactaggart had said he was inspired to propose the privacy law after a friend who worked at a technology company told him he’d be terrified if he knew how much information was gathered on him. His proposed 2020 initiative would increase penalties for violating children’s privacy. It also would create a new privacy enforcement agency and bolster protections for sensitive financial, health, location and race data.
But Pink said that while the Legislature made a number of changes to help companies comply with the new law, “it is clear that it intends to keep the main protections in effect” and that the new law “will impose significant new obligations on companies doing business in California.”