California’s Privacy Law Is In Effect. Now What?
Fittingly for the start to a new decade, California decided to go big with its 2020 New Year’s resolution. Today, the California Consumer Privacy Act goes into effect. Passed unanimously in June 2018, it’s the first law in the US to set up a comprehensive set of rules around consumer data, akin to the European Union’s General Data Protection Regulation, or GDPR. Industry and privacy advocates have been fighting over the fine print ever since.
Now the law is officially on the books in the biggest state in the union and the world’s fifth-largest economy. For the average internet user in California, life will not be radically different. But as the mechanisms of the law get finalized, and depending on how it’s enforced, its impact could go a long way to determining whether the 2020s become the decade when the US started taking privacy seriously.
The CCPA applies to any company that operates in California and either makes at least $25 million in annual revenue, gathers data on more than 50,000 users, or makes more than half its money off of user data. For California residents, it creates a handful of new rights over their data. The most significant categories are what Alastair Mactaggart, the California real estate magnate behind the ballot initiative that led to the law being passed, calls “the right to know” and “the right to say no.” That means users will, as of today, be able to see what data companies have gathered about them, have that data deleted, and opt out of those companies selling it to third parties from now on.
It’s important to remember that we’re not just talking about the Googles and Facebooks of the world, but any big company that does a lot of business online—which is to say, any big company. One such corporation is Condé Nast, WIRED’s parent company. So if you’re reading this from a California IP address, you should have seen a pop-up banner with a big button reading “Do Not Sell My Personal Information.” What happens if you click it? Well, WIRED doesn’t exactly “sell” your data right now—no one is giving us cash (or withholding military aid, for that matter) in exchange for dirt on our readers. But, like just about every site on the internet, we track your behavior—what articles you read, for how long, etc.—on WIRED.com using cookies. We use that data internally for research and site improvements, but the information can also go to a third-party vendor, like Google AdSense, which combines it with similar data from other sites to create user profiles that advertisers can target. The infamous shoe ad that follows you across the internet long after you close out your Zappos tab? That’s how it works—and advertisers pay extra for the privilege of this personalized ad targeting. If you ask WIRED.com to stop “selling” your data, you won’t get those types of ads from us anymore, and your browsing history on our site won’t factor into the types of ads you see elsewhere.
Many companies already had to implement processes allowing European users to delete their data or opt out of tracking thanks to GDPR, which laid some groundwork for the CCPA. Some platforms, including Facebook, have built tools allowing users to exercise the rights that the CCPA now guarantees to California residents.
Final regulations that clarify and define the parameters of the law haven’t been released, but California attorney general Xavier Becerra is expected to issue them sometime in the next six months. The state won’t start enforcing the law until July 1. It’s an open question whether enforcement will be robust enough for the law to really make an impact.
The law grants Californians the right to sue companies for failing to take reasonable precautions to prevent data breaches. But apart from that, making sure companies comply with the CCPA is the sole province of the attorney general’s office, which has indicated that it will only have the bandwidth to bring a handful of cases each year.
“The California attorney general has said, ‘We only have resources to bring a few cases a year,’” said Justin Brookman, director of privacy and tech policy at Consumer Reports. “So maybe companies are saying, ‘The odds of getting sued are pretty slim.’”
Mactaggart, however, said he expects businesses to fall in line.
“I come from one of the most heavily regulated industries in the country: real estate development,” he said. “I’ve literally never even come close to sitting in any meeting where I’ve heard anyone say something like, “It’s the law, but we’re not going to get caught, so let’s just do it anyway.” He argued that even if cases are rare, the threat of crippling fines—$2,500 per user per piece of data, which could easily scale to the tens of billions for a company that flouts the law—should be an effective deterrent.
Still, Mactaggart granted that some violations of the law might be hard to detect in the first place, let alone police.
“It’s easy to see on the page if they’re tracking,” he said. “The harder part is, how do I know they deleted it, or how do I know they didn’t sell it?”
In part to solve the potential enforcement problem, Mactaggart is working to get another initiative on the ballot this November that would beef up the existing law. “Right now, the regulation is in the hands of the attorney general, who has stated, and I don’t blame him, ‘We’re cops, not regulators,’” he said. The initiative would create an independent agency focused just on the privacy law, with the power to audit companies for compliance. It would also restrict the legislature from watering down the law in the future—a serious concern given the amount of industry lobbying that has already taken place.
Meanwhile, the California law puts pressure on Congress to act at the national level, as the business community howls at the prospect of complying with a patchwork of state requirements. (States like Nevada and Vermont have their own privacy statutes; lawmakers in other states, like New York, have tried to introduce bills that are even more ambitious than California’s, although with less success so far.) The Senate is considering a number of bills, but so far Democrats and Republicans are far apart on two key issues: whether to grant ordinary Americans the right to sue for violations (Democrats generally think yes, Republicans no), and whether the federal law should preempt tougher state regulations (Democrats no, Republicans yes). The longer Congress waits to act, the more California—and any state that goes even further—will get to determine the facts on the ground.
“Really, you have to have a short- and long-term CCPA strategy,” said Jennifer Rathburn, a partner at the law firm Foley & Lardner, who advises companies on compliance with the law. “The final regulations come out; you’re going to have ballot initiative 2.0 coming out; and then you’re going to have potentially other state laws. This isn’t a one and done. This is an evolving area that’s pretty new to the US.” She added, “In sum, privacy is here to stay.”
This article was written by Gilad Edelman and originally appeared in Wired.
Take Back Your Day
Learn how the latest technologies can free up your time so you can focus on your business