For all the angst it’s already caused in corporate America, the strongest data privacy law in the nation landed on the West Coast last week with a relative whimper. But the flurry of legal notices that accompanied the California Consumer Privacy Act point to regulatory and political drama ahead this election year.
The landmark California law — which has put Sacramento at the center of the national tech regulatory storm — has now been in effect for one week, giving residents the right to know what information companies collect about them and some measure of control over that data.
But a sampling of major retail, financial services and media websites found that companies are reacting to the Privacy Act in different ways based upon their own interpretations of the complex law and its unresolved regulations.
The patchwork of industry responses to California’s new privacy regime, which won’t be enforced until at least July 1, ensure the law will remain in dispute for many months to come. Adding to the uncertainty, a wealthy privacy champion is preparing a ballot initiative to rewrite the Privacy Act, state Attorney General Xavier Becerra expects legal challenges, and Congress is under intense industry pressure to pass a federal standard that would supersede state laws like California’s.
Perhaps the most visible change California promised to deliver to those tired of being tracked online is easy to miss, even if you are looking.
The law requires companies that sell consumers’ personal information to post a prominent “Do Not Sell My Info” link. But large retailers like Walmart and Lowe’s put their “Do Not Sell” links in the same footnote-like font and location commonly used for privacy policies. And they were nowhere to be found on other websites, such as Whole Foods Market, Albertsons-owned grocery stores, Visa or Bank of America. Those companies assert elsewhere on their sites that they don’t sell consumer data, which would mean they don’t have to include the links.
Likewise, “Do Not Sell” buttons or links do not appear on Google, Facebook, or Amazon’s homepages. Those companies — including two of the biggest players in online advertising and data collection — also contend that’s because they don’t sell consumer information anyway.
“We never sell your personal information,” read a pop-up window last week on Google search.
A “Do Not Sell” link appears at the bottom of the New York Times and Washington Post homepages, at least in California. The Los Angeles Times’ link takes readers to a page with information about their new rights — and a warning. Blocking the sale of one’s information also stops personalized advertising, it says, “an essential source of revenue” that “allows us to consistently deliver the Pulitzer-Prize winning journalism you’ve come to expect from the Los Angeles Times and its affiliates.”
Spotify concedes in its California privacy notice that “it is currently unclear whether the use of certain types of advertising partners would be considered a sale under CCPA.” The company doesn’t offer a “Do Not Sell” link but gives listeners a chance to opt out of tailored advertising.
None of this hedging is a surprise to Jennifer King, director of consumer privacy at Stanford’s Center for Internet and Society. That’s especially true, she said, given that the Privacy Act won’t be enforced until July 1 and regulations are still being finalized.
“There is a six-month window where we’re going to see a lot of wiggling around,” King said. “No one wants to have to admit they’re selling if they can work their way around the regulations.”
As companies, consumers and the attorney general wrestle with the new law this year, here are other things to watch for:
— Cracking down: Only California’s attorney general will have the power to sue companies for most CCPA violations, and not until July 1, after the final regulations are expected to be released. But Becerra might weigh in earlier on the type of data-sharing that constitutes the sale of personal information under the law, and other murky areas. He also has repeatedly warned that the first six months will not be a free period, and that he can retroactively ding companies for early violations. Becerra recently told reporters that he will prioritize mishandling of children’s data. Companies may not sell data about children under 16 without permission from teens or the parents of young children.
— Opt-out outsourcing: The CCPA and its proposed rules allow for services that would help consumers exercise their privacy rights even if they are not inclined to spend their free time hunting down links and filling out forms. Brent Blackaby, who hails from the digital strategy and marketing world, is already beta testing such services for the Bay Area startup he co-founded, Confidently.com. Common Sense Media, a consumer advocacy group, did some of the legwork through its public awareness campaign by posting partially filled-out CCPA request forms for the publishers of three apps popular with kids: Snapchat, Spotify and TikTok. And GitHub has posted a directory of crowd-sourced links to dozens of companies’ CCPA pages.
— Data broker registry: How can you tell a company you’ve never heard of to stop selling your data? By the end of the month, those in the business of buying and selling details about people with whom they have no direct relationship will have to register annually on a new public database managed by the California attorney general. The registry, inspired by a similar one in Vermont, is live — but had no businesses listed — as of early Tuesday. Data brokers that don’t register by Jan. 31 will face fines of $100 per day.
— Already rewriting the rules: Just as the new law finds its footing, Californians might rewrite it. Bay Area developer Alastair Mactaggart, whose previous initiative pursuit led to the CCPA, is leading a new effort to qualify a November ballot proposal that would change the law. The initiative would create a separate agency to enforce the state’s privacy regime; add restrictions on the use of sensitive personal information; and prevent the Legislature from watering down the law, among other revisions. Tech and telecom companies have not taken public positions on the initiative, nor has a coalition of consumer privacy groups. Of course, businesses could just be waiting to see if proponents manage to qualify the initiative, as expected, before spending big to defeat it. Mactaggart said he is getting early reports that “folks are eager to sign” and “no one is saying no.”
This article was originally published at Politico on January 19, 2019. Reprinted with permission.
About the Author: Katy Murphy covers consumer regulations with a focus on data privacy for POLITICO California. Before joining the team, she was a one-woman Capitol bureau for the The Mercury News and East Bay Times and previously covered K-12 and higher education for more than a decade, based in the Bay Area.
A Chicago-area native, she graduated from the University of Notre Dame and had stints in Puerto Rico and Indiana before moving west. She lives with her husband and young daughter and has memorized every episode of Peppa Pig. In her copious spare time, she enjoys reading fiction, taking scenic hikes that aren’t overly strenuous and glamping in the mountains with people who really know how to cook.