Its supporters say California's new consumer privacy law dramatically expands your power to control the information tech companies collect about you.
Starting in 2020, you'll be able to ask businesses to delete your personal information and prevent the sale of it. Companies must also disclose the categories of information they collect, as well as the kinds of third parties that buy it. For kids under 16, companies will need to have their consent before their data can be sold.
If there is an unauthorized breach of your non-encrypted personal information, you can sue companies for up to $750. The state's next attorney general will also have the authority to levy additional fines against those companies.
On the surface, it will force tech leaders like Facebook and Google to be more transparent. But despite the hype, many questions remain as to whether it will actually protect consumer privacy.
Examining the law's effectiveness
The California Consumer Privacy Act was heralded as a model for other states to follow.
“The California Legislature made history by passing the most comprehensive privacy law in the country,” said state Sen. Bob Hertzberg, D-Los Angeles, one of the bill's two main authors.
It outlines several items companies must provide to consumers upon request. But besides the required opt-in from minors, there is little detail on how companies should collect information in the first place.
"It looks like it will put some restrictions on the sale of personal information, but there doesn't seem to be anything there limiting the collection of any kind," said Jennifer King, director of consumer privacy at the Center for Internet and Society at the Stanford Law School. "In some ways, we're still in the status quo with a little more power that our data not be sold."
The information the public can obtain is also fairly limited. The law repeatedly references "categories of personal information," suggesting companies could fall well short of providing specific information they have about individual consumers.
For example, if a 25-year-old white woman user "Likes" the Macy's Facebook page and later receives targeted advertising from the company for a new pair of shoes, she would likely find out through an information request that Facebook collects information about her age, race, and pages liked. Facebook might also tell her it shares that information with apparel companies.
In other words, a user would likely receive general demographic variables that Facebook collects rather than specific, individualized details.
While the new privacy law allows consumers to opt out of the sale of personal information, many companies maintain they do not sell users' personal information. Separate statements from Comcast, Google and Facebook made the companies' positions crystal clear.
"Facebook DOES NOT sell data," wrote Will Castleberry, Facebook's vice president of state and local public policy.
According to King, the company's statements are technically correct since they don't disclose specific information from individual users. Even so, King said they are selling access for advertisers to target individuals. Because the companies claim they do not sell personal information, it is unclear how people could opt out of having their information shared with third parties.
Even if companies do sell user information, the law provides them with nine exemptions to avoid complying with a consumer's request to delete their personal information. Some exemptions include completing financial transactions, exercising free speech, using the data exclusively for internal purposes, detecting security incidents, engaging in research and complying with legal obligations.
"I don't think this bill gives you much power to make things stop," King said. "It certainly doesn't give you power to stop the collection."
Nothing in the law prohibits businesses from offering tiered pricing for different levels of goods or services, suggesting they could offer higher pricing for greater privacy. During a debate on the floor, Sen. Hannah Beth-Jackson, D-Santa Barbara, said this was her biggest concern with the bill.
"This path towards a pay-for-privacy is a dangerous and slippery slope," Jackson said. "We cannot go down a road where our inalienable rights come at a price."
How to request information
The process to request information further complicates matters.
First, only California residents are considered "consumers" once the law takes effect at the start of 2020. Assuming the law remains in its current form, people who want to have their personal information deleted must submit a "verifiable request" for information, whereby companies can prove people are who they say they are.
Users must submit requests through a company website or by calling a toll-free number. Within 45 days of receiving a consumer's request, companies must disclose and deliver the required information free of charge through a "readily usable format." The time period for businesses to provide the required information could be extended by an additional 45 days if they provide notice of the extension.
Companies affected by this law must fall into at least one of three categories: (1) Have annual gross revenues of over $25 million; (2) Receive the personal information of at least 50,000 consumers, households, or devices; or (3) Earn at least half of its annual revenues from selling consumers' personal information. Though many companies will meet the $25 million threshold, the law won't apply to smaller businesses.
After complying with two requests from one person within a 12-month period, companies would no longer have to accommodate additional requests within that same time period. One key provision of the privacy law prevents businesses from discriminating against consumers who requested information be disclosed or deleted.
Enforcement, procedural concerns linger
Among the biggest concerns with the bill is the process through which it became law. During a week of behind-the-scenes meetings, a handful of lawmakers rushed to get industry groups and consumer privacy advocates to work out their differences.
Alastair Mactaggart, who spent more than $3 million funding his consumer privacy initiative, wanted tech companies to be held accountable for their data management practices. Tech companies disliked the strong language of the initiative and wanted it to be pulled altogether.
By June 25, the two groups had a compromise. Mactaggart, who worried tech companies could outspend him and shift public opinion before November, agreed to pull the initiative in exchange for the passage of the California Consumer Privacy Act. Lawmakers had three days to read and vote on the bill — hours before an initiative filing deadline.
On the day of the vote, State Sen. Jim Nielsen, R-Gerber, chastised the legislative process.
"Here are just a handful of people negotiating something that the majority of legislators will know nothing about," Nielsen said after a committee hearing. "We are accepting the behind-closed-doors negotiations of various interests."
Assemblyman Evan Low, D-Campbell, said "the initiative process has completely been abused and turned California into a circus."
After the bill passed unanimously, Gov. Jerry Brown signed it into law.
Several industry groups remain frustrated with the process. They are particularly worried that lawyers will take advantage of consumers' right to seek civil damages ranging from $100 to $750.
"It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike," said a statement from Robert Callahan, the Internet Association's vice president of state government affairs.
Hertzberg, one of the main authors of the bill who participated in the negotiations between industry groups and consumer privacy advocates, said at a news conference that much of the bill's enforcement power will go to the attorney general. The law authorizes companies to seek the attorney general's opinion on how to comply with the law.
Hertzberg said the next attorney general would become the top privacy law enforcement officer in the country. Xavier Becerra, who is up for re-election this November, was unavailable for comment.
Mactaggart was pleased the bill passed and called it a good first step.
"Everybody is finally waking up to the importance of digital privacy," he said.