Leading up to New Year’s Day, a small but significant feature began popping up on websites. That button, link or pop-up reading “Do Not Sell My Personal Information” will become a standard notice online thanks to a sweeping new data protection law co-authored by Assemblyman Ed Chau (D-Monterey Park) and state Sen. Robert Hertzberg (D-Van Nuys) in a rush to defeat a stricter citizen-led ballot initiative.
The California Consumer Privacy Act or CCPA, which the American Bar Association calls “the most comprehensive privacy legislation in the United States,” basically empowers consumers to access the information companies collect on the internet and, if they so choose, demand that it be deleted or forbid it from being sold to third parties. And because it would require much more work to create a unique infrastructure just for Californians, it effectively applies to everyone.
“California is leading the charge on data protection, though how long it will stay that way is a matter of conjecture,” San Jose State political science professor Lawrence Quill says.
The closest comparison to the CCPA, he says, is the European Union’s General Data Protection Regulation passed in 2018. “Both pieces of legislation are ground-breaking,” Quill says. “The biggest difference, however, is over the ‘right to be forgotten.’ In the EU, individuals can demand that personal information is removed from the web. No such provision appears in the CCPA.”
On the other hand, the California law requires companies to display a hard-to-miss pop-up or button alerting consumers to their rights. The European Union’s process is decidedly less intuitive, he says.
The brainchild of real estate developer and privacy activist Alastair Mactaggart, the CCPA was signed into law by former Gov. Jerry Brown in June 2018. The CCPA allows consumers to learn what information businesses are collecting about them, their devices and their children. This includes what categories of personal information they are selling and to whom they are being sold.
The new law covers an immense laundry list of personal data, including name, email, property records, online shopping activities, and education and employment histories. It also lets consumers opt out of the collection, and businesses are not allowed under the law to discriminate against consumers who do so. It prohibits businesses from selling the personal information of people under 16.
The law only applies to companies with an annual gross revenue of $25 million; those that buy or sell the personal information of 50,000 or more consumers; and those that get 50 percent or more of their income from selling consumers’ personal information.
Companies must include a “do not sell my data” link that appears prominently at the bottom of the web page. Those that do not implement adequate security practices may be sued if their customers’ personal information is stolen via a data breach. They could also face fines by the California Attorney General of $2,500 to $7,500 per violation.
Businesses operating in California, at least, have a few months to figure out the details about how exactly to comply with the new law, since the AG is still hammering out the rules and isn’t expected to start enforcement until this summer.
Amid widespread anxiety among businesses trafficking in consumer data comes a wave of startups, lawyers and consultants ready to cash in on the $55 billion companies are expected to spend on compliance. Bart Willemsen, an analyst at Gartner who consults clients on regulatory compliance, told the LA Times that about 200 companies have emerged this past year with products to help businesses abide by the new privacy rules.
The CCPA’s mandates will require companies to keep better track of what data they keep and where it’s stored. Building the tools to do that can be costly and complex, which has created a nascent cottage industry populated by companies such as Securiti, San Francisco’s Terra True, Texas-based Osano and DataFleets from Palo Alto.
Yet some companies seem poised to test the limits of the new law.
Google and Facebook say they’re exempt from CCPA because they don’t share consumer data with ad-buyers. Other firms may take a wait-and-see approach to get a feel for how the CCPA gets enforced—although the California AG has indicated that limited resources mean it will only go so far.
Despite uncertainty surrounding compliance, the CCPA marks a watershed moment for the US. At this point, Quill says, it’s only a matter of time before the rest of the nation follows California’s lead.
“New York and Illinois have developed similar proposals,” he notes. “With the former, New Yorkers will be able to sue companies directly over privacy violations. In time, other states are likely to follow suit, and further down the road, there will probably be a federal law concerning data protection to ease issues over compliance.”
All other issues aside, Quill says it’s in the tech industry’s best interest to embrace the new standards. “The costs of compliance are minimal considering their revenue streams,” he says, “and it’s good PR for the companies and the whole sector, for that matter, as digital privacy has become a hot-button issue given the data breaches and ongoing concerns over deep fakes.”
To avoid grappling with a patchwork of similar laws state by state, companies will likely end up pushing for a federal statute. “Just how business friendly that (horribly complex) piece of legislation will be will depend upon their friends in Congress,” Quill remarks.
While the CCPA is certainly a landmark piece of legislation, it’s no panacea.
“Few pieces of legislation are,” Quill says. “But this is a step in the right direction.”
Nick Veronin and Jennifer Wadsworth contributed to this story.