Forty million Californians – and many more outside the state served by companies hit by a new law – will soon have sweeping digital-privacy rights stronger than any seen before in the U.S., posing a significant challenge to Big Tech and the data economy it helped create.
So long as state residents don’t mind shouldering much of the burden of exercising those rights, that is.
The law applies to companies that collect collects, shares, or sells California consumers’ personal data. Because it applies to any company that meets a threshold for interacting with state residents, the California law might end up serving as a de facto national standard. Early signs of compliance have already started cropping up in the form of “Don’t sell my personal information” links at the bottom of many corporate websites.
Come Wednesday, roughly one in 10 Americans will gain the power to review their personal information collected by large companies around the world, from purchase histories and location tracking to compiled “profiles” that slot people into categories such as religion, ethnicity and sexual orientation. Starting Jan. 1, they can also force these companies – including banks, retailers and, of course, tech companies – to stop selling that information or even to delete it in bulk.
The law defines data sales so broadly that it covers almost any information sharing that provides a benefit to business, including data transfers between corporate affiliates and with third party “data brokers” –middlemen who trade in personal information.
“If we do this right in California,” said California attorney general Xavier Becerra, the state will “put the capital P back into privacy for all Americans.”
California’s law is the biggest U.S. effort yet to confront “ surveillance capitalism,” the business of profiting from the data that most Americans give up – often unknowingly – for access to free and often ad-supported services. The law is for anyone ever weirded out when an ad popped up for the product they were just searching on, or who wondered just how much privacy they were giving up by signing into the briefly popular face-changing tool FaceApp.
People are largely on their own in figuring out how to make use of their new rights. To make the law effective, they’ll need to take the initiative to opt out of data sales, request their own information, and file for damages in the case of data breaches.
Those who do make that effort, but find that companies reject their requests or offer only halting and incomplete responses, have no immediate legal recourse. The CCPA defers enforcement action to the state attorney general, who won’t be empowered to act until six months after the law takes effect.
When the state does take action, though, it can fine businesses up to $7,500 for each violation of the law – charges that could quickly add up depending on how many people are affected.
The coming year will provide the first evidence of how much protection the CCPA actually offers.
Among other limitations, the law doesn’t really stop companies from collecting personal information or limit how they store it. If you ask a company to delete your data, it can start collecting it again next time you do business with it.
Mary Stone Ross, incoming associate director of the Electronic Privacy Information Center and co-author of the original ballot initiative, worries that CCPA might just unleash a firehose of data on consumers.
“A business could actually drown a consumer in information so the important pieces are lost,” she says.o that.
The law’s biggest impact, in fact, may lie in how it requires companies to track what data they have, where they keep it, and how to get it to people when requested, says Jen King, director of consumer privacy at Stanford Law School’s Center for Internet and Society. That effort alone, which can be substantial, might cause corporations to reconsider how much data they decide to hold onto.
That may lead to some unintended consequences and even corporate attempts to discourage people from using the law. The job-search site Indeed.com, for instance, now explains that when anyone opts out of data sales under CCPA, it will also ask them to delete their associated accounts and all personal information.