The California Consumer Privacy Act Mandates What, Again, Exactly?

On Jan. 1, the toughest data privacy law in the U.S. goes into effect: the California Consumer Privacy Act.

That's why you're seeing a host of emails pop up in your inbox from various companies announcing updates to their terms of service, particularly their privacy policies. With no similar federal law on the horizon, this one is expected to set the standard nationally for some time.

At the beginning of the year, Californians will be able to find out what personal information a business is collecting about them, their devices and their children, said one of the new law's co-authors, Mary Stone Ross.

"They'll be able to opt out of the sale of their personal information," she added. "If a company fails to implement reasonable security practices and their personal information is breached, they'll be allowed to sue those companies."

Companies can still collect the data: what you buy, where you go and when, all the photos you’ve ever taken, your emails (even the ones you deleted) and more. But companies now must tell you — when you ask — what they’re collecting and delete it at your request.

However, some companies can deny your request if the data is needed to complete a financial transaction or protect against fraud.

Companies can’t legally sell that data if you tell them not to. But if they do anyway, you can't sue.

"It's only for data breaches. So if certain categories of personal information, for example, your Social Security number, are breached, and a business fails to implement reasonable security practices, then you have cause," said Ross.

California’s Attorney General Can Prosecute

The office of Attorney General Xavier Becerra won't begin to enforce the law until July 1, 2020, but he said he considers the law in effect as of Jan. 1, "right after that first kiss and the hugs and the champagne."

But his budget is limited. He said his office is likely to conduct only three enforcement actions a year, though he won’t say against what companies.

"The bigger the company, the bigger the problem," Becerra said. "The bigger the universe that has data that is used in certain ways, that could lead to that violation, the bigger the case will be."

When asked about a particularly sensitive kind of information his office is keen to prioritize protection of, Becerra said: "I think my health information is sensitive. I think my Social Security number is sensitive. I think my dating patterns, especially since I'm married, would be sensitive," Becerra said, jokingly.

More seriously, he added that "aggressive, early, decisive enforcement" is likely to focus on the sale of data involving children. "The last thing you want is for any company to think that we're going to be soft on letting you misuse kids' personal information."

How Tech Giants and Data Brokers are Reacting

Industry groups spent the last year trying to rewrite and soften the law. It’s expected they’ll sue to stop the CCPA's rollout, even as most have taken some steps to comply with it. Many businesses complain there's a lack of clarity on the regulations that Becerra's staff is still crafting.

For businesses, the attorney general’s office has released a Standardized Regulatory Impact Assessment outlining the potential scope of the new law, but businesses want the office to produce sample forms and notices as well.

In the meantime, some companies like Microsoft are adopting the new rules across the nation immediately.

Other companies are taking a different view. While Facebook has made it easy to download your data — as has Twitter and Google — the Menlo Park-based social media giant argues it sells advertisers access to you, so it’s up to the advertisers to let you opt out or not.

"We’re committed to clearly explaining how our products work, including the fact that we do not sell people’s data," the company posted online.

That doesn't pass the smell test for a number of industry watchers, including Chris Hoofnagle, who teaches tech regulation at UC Berkeley.

"Facebook, in particular, appears to be interpreting the law in a very opportunistic way. So that they don’t actually need to do anything to comply with it," he said.

Hoofnagle thinks the biggest tech companies in Silicon Valley are in a financial position to bet it will be awhile before the attorney general’s office comes for them.

The money they could make in the meantime is no joke: Facebook made $55 billion in 2018 providing advertisers access to users.

"Enforcement is the big unknown here. But Facebook will be in trouble if the attorney general picks up the law and uses it," Hoofnagle said.

The law applies to any company that meets any one of three thresholds annually: It has at least $25 million in revenue, makes at least half its money by selling data or gathers information on at least 50,000 consumers. Companies that don’t fix violations within 30 days of being notified can be fined up to $7,500 for each intentional violation.

This means the law will impact data brokers — companies built on collecting and selling information whether or not consumers are aware of it.

Data tracking and selling has become big business for a wide variety of companies, including automakers, retailers, software companies and others you may not realize are serving advertisers.

Many of us have technically agreed to the tracking and sale by clicking "yes" on those impossible-to-read acceptance forms required to use a host of websites and mobile apps.

Think about the last party invitation you received through Evite.

"They're collecting inferences that they glean from the invitation. So they're collecting and selling presence of children in household, your religion, if you're moving or expecting a baby," Mary Ross said. "This is something the CCPA will expose, because now you can read their privacy policy."

Here's an excerpt from Evite's privacy policy:

We may also collect and store personal information about other people that you provide to us when you use our Services, including (without limitation) email address, physical address. So, for example, if you use our Service to send other people a gift, information that may interest them, invitations or correspondence, or other communications through our Services, we may store and use the information you provide to us.

Will the new law make the average California citizen more conscious of data tracking? Data privacy activists like Ross are hoping that even if individuals aren't keen to dig into the fine print, lawyers and journalists will do so in a way that garners public attention.

Other data privacy laws like this one are expected to crop up in other states too, because there is no federal law — despite the introduction of several bills in Washington D.C., like the Online Privacy Act put forward by Silicon Valley congresswomen Anna Eshoo and Zoe Lofgren.

"Industry advocates were worried that other states were going to follow the California and have their own version of the CCPA," said Ross. "It would probably only take one other state to pass their own version ... and then there will be a lot of pressure on Congress to pass federal legislation."