Con­sumers re­ceive new pri­vacy rights

Law pro­vides con­trol over per­sonal data com­pa­nies

Marin Independent Journal - - FRONT PAGE - By John Wool­folk Bay Area News Group

Start­ing New Year’s Day, Cal­i­for­ni­ans creeped out by the trove of per­sonal data com­pa­nies col­lect on their on­line shop­ping, search­ing and so­cial me­dia habits will get sweep­ing new pri­vacy rights that will let them opt out of hav­ing their in­for­ma­tion sold or shared and let them de­mand that it be deleted.

“This is re­ally a wa­ter­shed mo­ment for con­sumers,” said Scott W. Pink, a Menlo Park lawyer who ad­vises com­pa­nies on cy­ber­se­cu­rity and pri­vacy. “It’s the first law in the United States out­side spe­cial­ized in­dus­tries like health care that pro­vides con­sumers some de­gree of con­trol and ac­cess over data col­lected on them.”

The Cal­i­for­nia Con­sumer Pri­vacy

Act ap­proved in June 2018 was in­spired by pub­lic out­rage over data breaches at ma­jor com­pa­nies such as Face­book, Ya­hoo and Equifax that ex­posed con­sumers to po­ten­tial fraud and mis­use of their per­sonal in­for­ma­tion, and by the European Union’s Gen­eral Data Pro­tec­tion Reg­u­la­tion.

The new law re­quires that busi

nesses dis­close their data gath­er­ing and shar­ing prac­tices and al­lows con­sumers to opt out of it and to de­mand that busi­nesses delete col­lected in­for­ma­tion on them. It pro­hibits com­pa­nies from pe­nal­iz­ing con­sumers with higher rates or fewer ser­vices for ex­er­cis­ing their pri­vacy rights and from sell­ing in­for­ma­tion about chil­dren un­der age 16 with­out their ex­plicit con­sent.

But ques­tions con­tinue to swirl as com­pa­nies scram­ble to com­ply. The state at­tor­ney gen­eral is still fi­nal­iz­ing pro­posed reg­u­la­tions in­tended to guide con­sumers and busi­nesses in or­der to meet a July dead­line when en­force­ment is ex­pected to be­gin.

And both con­sumer and busi­ness ad­vo­cates con­tinue to spar over whether the new pri­vacy pro­vi­sions go too far or not far enough, with pro­posed state and fed­eral sub­sti­tutes in the works.

Jes­sica Mel­u­gin, a pol­icy an­a­lyst at the Com­pet­i­tive En­ter­prise In­sti­tute, a free mar­ket think tank in Wash­ing­ton, D.C., said Europe’s pri­vacy reg­u­la­tions,

which took ef­fect a month be­fore the Leg­is­la­ture ap­proved Cal­i­for­nia’s law, al­ready are re­veal­ing un­in­tended con­se­quences.

“We have Europe to look to to see how this has gone, and it’s not par­tic­u­larly en­cour­ag­ing,” said Mel­u­gin, cit­ing reports that large com­pa­nies that col­lect data have in­creased mar­ket share. “The big play­ers have got­ten big­ger since that reg­u­la­tion went into ef­fect, sim­ply be­cause the big­ger firms can bet­ter af­ford to com­ply with these reg­u­la­tions. It’s go­ing to do more to so­lid­ify the big­ger play­ers. You can al­ready see it — ev­ery pri­vacy lawyer and com­pli­ance spe­cial­ist is be­ing gain­fully em­ployed.”

Alas­tair Mac­tag­gart, the San Fran­cisco real es­tate de­vel­oper and pri­vacy ad­vo­cate whose pro­posed bal­lot mea­sure spurred the Cal­i­for­nia Leg­is­la­ture to pass the law, is so frus­trated over in­dus­try lob­by­ing ef­forts to weaken it that he’s seek­ing a new mea­sure for the Novem­ber 2020 bal­lot.

“Some of the world’s largest com­pa­nies have ac­tively and ex­plic­itly pri­or­i­tized weak­en­ing the CCPA,” Mac­tag­gart said in an­nounc­ing his new pro­posed ini­tia­tive in Septem­ber.

Oth­ers are urg­ing fed­eral leg­is­la­tion to avoid a patch­work

of state data pri­vacy laws. Rep. Ro Khanna, DFre­mont, in­tro­duced an In­ter­net Bill of Rights in 2018 that has drawn bi­par­ti­san in­ter­est.

Con­sumers al­ready had some pri­vacy rights un­der fed­eral and state law be­fore the Cal­i­for­nia Con­sumer Pri­vacy Act.

The fed­eral Chil­dren’s On­line Pri­vacy Pro­tec­tion Act of 1998 re­quires parental con­sent be­fore col­lect­ing per­sonal in­for­ma­tion on­line from chil­dren age 12 and younger and al­lows them the right to see it and ask that it be deleted. The new Cal­i­for­nia law adds that kids up to age 16 must con­sent to the sale of their on­line data.

A state law, the Cal­i­for­nia On­line Pri­vacy Pro­tec­tion Act, al­ready re­quired com­pa­nies to post a pri­vacy pol­icy on­line ex­plain­ing what in­for­ma­tion they gather on con­sumers, how it might be shared and any process for re­view­ing it or mak­ing changes. The new law re­quires com­pa­nies to dis­close in­for­ma­tion col­lected upon re­quest, free of charge, up to twice in a 12-month pe­riod. Com­pa­nies also must dis­close the types of in­for­ma­tion, what kind of re­cip­i­ents it is shared with, and the busi­ness rea­son for col­lect­ing


In prepa­ra­tion for the new law, Face­book, for ex­am­ple, now tells Cal­i­for­nia cus­tomers that in­for­ma­tion it col­lects may in­clude “in­ter­net or other elec­tronic net­work ac­tiv­ity in­for­ma­tion, in­clud­ing con­tent you view or en­gage with,” and “photos and face im­agery that can be used to cre­ate face-recog­ni­tion tem­plates if you or oth­ers choose to pro­vide it and you have the set­ting turned on.”

Face­book, stung by 2018 rev­e­la­tions that mil­lions of its cus­tomers had their per­sonal data har­vested from their pro­files by a Bri­tish po­lit­i­cal con­sult­ing firm with­out their con­sent, now of­fers Cal­i­for­ni­ans a “click here” link “to ex­er­cise your ‘right to know’ or your ‘right to re­quest dele­tion.’ ”

The new law ap­plies to com­pa­nies op­er­at­ing in Cal­i­for­nia with gross rev­enues over $25 mil­lion that col­lect per­sonal in­for­ma­tion from 50,000 or more con­sumers a year or gen­er­ate at least half their rev­enue from sell­ing such in­for­ma­tion. Crit­ics ar­gue that may in­clude a lot of com­pa­nies that might not seem like the law’s prime targets, such as a pizze­ria or gro­cery.

The law leaves it to the at­tor­ney gen­eral to en­force

most pro­vi­sions, though in­di­vid­ual con­sumers could sue com­pa­nies for data breaches. Com­pa­nies could be fined up to $7,500 for each vi­o­la­tion.

Fol­low­ing the act’s ap­proval in 2018, in­dus­try ad­vo­cates suc­ceeded in de­feat­ing bills that would have re­quired con­sumers to “opt in” be­fore com­pa­nies could use their per­sonal data and would have al­lowed con­sumers to sue com­pa­nies over a broader range of vi­o­la­tions.

Mac­tag­gart had said he was in­spired to pro­pose the pri­vacy law af­ter a friend who worked at a tech­nol­ogy com­pany told him he’d be ter­ri­fied if he knew how much in­for­ma­tion was gath­ered on him. His pro­posed 2020 ini­tia­tive would in­crease penal­ties for vi­o­lat­ing chil­dren’s pri­vacy. It also would cre­ate a new pri­vacy en­force­ment agency and bol­ster pro­tec­tions for sen­si­tive fi­nan­cial, health, lo­ca­tion and race data.

But Pink said that while the Leg­is­la­ture made a num­ber of changes to help com­pa­nies com­ply with the new law, “it is clear that it in­tends to keep the main pro­tec­tions in ef­fect” and that the new law “will im­pose sig­nif­i­cant new obli­ga­tions on com­pa­nies do­ing busi­ness in Cal­i­for­nia.”


The pri­vacy act was in­spired by data breaches at com­pa­nies such as Face­book, Ya­hoo and Equifax.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.