Under the law, the onus is on consumers to request that companies disclose or delete their personal data. But more states and the federal government could still jump into the privacy debate.
California’s landmark digital privacy regulations will become the de facto law of the land when they take effect in January, allowing consumers more control over the personal data companies collect about them.
Beginning January 1, consumers will be able to ask for direct access to the information about them that companies keep, and request that the data be deleted. Consumers will also be able to opt out of having their data sold to third parties under the law.
The California Consumer Privacy Act will require large companies doing business in the state that collect personal information for commercial purposes to comply with new privacy and transparency standards, with tech companies, digital advertisers and brick and mortar retailers all falling under the law’s purview.
For years, as companies like Facebook and Google acknowledged how much data they are collecting from users, privacy advocates have called for governments to step in and better protect people’s data and give consumers more control over how the information is used. Since the European Union’s data protection law took effect in 2018, Congress has held numerous hearings on digital privacy, but failed to adopt any similar statute. In the absence of an overarching federal law, the California law signed by former Gov. Jerry Brown last year will end up setting the privacy standards for the entire country as businesses across the United States prepare to comply.
But the debate is still ongoing and digital privacy issues are expected to get renewed attention from both federal and state lawmakers in the new year thanks to the California law. A path forward on federal legislation is unclear, but other state legislatures could also take up the issue in their 2020 sessions to stake a claim to the issue and push what advocates see as a more pro-consumer approach than the one California adopted.
While businesses are rushing to update privacy policies and practices to comply with the law, it places a lot of responsibility on the consumer. To critics, that limits the law’s effectiveness because it requires consumers to figure out all the businesses that have and use their personal data—a difficult, if not impossible, task.
Requesting data from businesses with which you have an online account or rewards program, such as a bank or grocery store, should be fairly straightforward, said Stacey Gray, senior counsel at the Future of Privacy Forum.
“For companies that you don’t have a direct link with, like data brokers or advertisers, it’s going to be a little bit harder,” she said.
While journalists and data researchers may use the law to investigate the type of data companies collect and what they do with it, the CCPA may not be a huge benefit to the average consumer because of the burden it places on them to do most of the legwork, digital privacy experts have said.
“The sheer number of privacy policies, notices, and settings or opt-outs one would have to navigate is far beyond individuals’ cognitive and temporal limitations,” Michelle Richardson, director of the advocacy group Center for Democracy and Technology, told a U.S. Senate committee earlier this year. “It is one thing to ask an individual to manage the privacy settings on their mobile phone; it is another to tell them they must do the same management for each application, social network, and connected device they use.”
An estimated 500,000 U.S. businesses, including Facebook, Amazon and Target, are expected to have to comply with the CCPA. California Attorney General Xavier Becerra told Reuters last week he will not extend the January 1 deadline to comply with the CCPA.
At the same time, lawmakers in New York and Washington state have also signaled they want to pursue their own laws in the coming year. Because a patchwork of state laws could complicate the landscape for businesses, many have advocated for federal legislation that could outline standard practices. Both Democrats and Republicans in the U.S. Senate have also circulated digital privacy bills in attempts to preempt the California law, but it is unclear whether federal lawmakers will move on the bills in the coming year.
Even with just the California law coming online next year, confusion remains regarding how businesses will comply with consumer requests.
“There are ongoing discussions with some of the tech companies about what they are doing to comply with CCPA and we are already seeing certain disagreements,” said Robert Cattanach, a cybersecurity and regulatory compliance lawyer at Dorsey and Whitney law firm.
One part of the CCPA causing frustration requires that consumers have the right to opt-out of having their personal information sold to a third party.
Websites with third-party trackers will have to provide consumers an option on their website to request their personal information is not sold. And some companies like Google’s parent company Alphabet have introduced new tools to comply with the opt-out mandate. For instance, websites and apps using the company’s advertising tools will be able to restrict the use of personalized ads, which can take into account a consumer’s browsing history and other information.
But Facebook said last week that the consumer data it shares does not constitute a sale and that the company does not need to make changes to its web-tracking services to comply with the law.
The California Attorney General’s Office will not begin enforcing the law until July, so businesses still have some time to fine tune their policies. Because of the resources required to comply with the law—particularly the ability to respond to consumers requesting information about the data stored about them—it’s unlikely that many companies will be in compliance on day one, Cattanach said.
The attorney general’s office also lacks the resources to bring charges against every company out of compliance with the law and will instead likely pursue “test cases,” against certain companies when the officials determine they need to make a point, Cattanach said.
The office likely will get complaints. A year after the European Union’s General Data Protection Regulation (GDPR) took effect in May 2018, European authorities had received more than 144,000 privacy complaints and identified 89,000 data breaches.
But if a company falls victim to a data breach, consumers could seek to sue under the law beginning January 1, Gray said.
“Given the inevitable data breaches over the next couple years, we will likely see lawsuits directly under the CCPA,” she said.