California’s New Privacy Law Matters No Matter Where You Live
With companies across the world economy feeling an unprecedented economic crisis as a result of Covid-19, many recently banded together to ask for the California Consumer Privacy Act (CCPA) to be delayed. The California attorney general was unmoved. In a statement reported in the San Francisco Chronicle, the attorney general’s office seemed to imply that Covid-19 made enforcement of the act more urgent, rather than less so, saying:
We’re committed to enforcing the law starting July 1… We encourage businesses to be particularly mindful of data security in this time of emergency.
How to Find Out What Google and Other Big Tech Companies Know About You
It’s illuminating — and a bit terrifying
2020 has been a wild year for privacy. In January, the New York Times broke their story about Clearview AI, and we learned that the company has been quietly building face-linked profiles on nearly everyone, accessible to law enforcement agencies via a simple search.
Then Covid-19 struck, and concepts like Zoombombing became household terms. We now casually discuss the possibility of temperature checkpoints, contact tracing apps, and other technologies with groundbreaking privacy implications. Privacy — once a relatively obscure focus of technologists and consumer advocates — is now spilling over into the public consciousness.
Protests following the murder of George Floyd have highlighted the importance of privacy, too. Through contracts with companies like Clearview AI, government agencies have the tools to identify protestors by name, using only a protest photo posted to social media. And U.S. Customs and Border Protection (CBP) has reportedly flown Predator surveillance drones over several protests, potentially gathering photos and video of everyone present. Protestors and activists are rightly concerned about how government agencies are using their images and identities.
California’s landmark CCPA passed in 2018 and went into effect on January 1, 2020. It will have a bigger impact on privacy in the United States than perhaps any other legislation passed to date — within California and beyond.
The implications for companies and consumers worldwide are significant. The act could radically reshape privacy both in the United States and beyond. And for anyone in the business of gathering and processing consumer data, compliance is now an absolute necessity.
The CCPA provides a broad set of privacy and data access rights to residents of California. These include the right to see the data that large companies (those with revenues over $25 million or profiles on over 50,000 consumers, and those that meet a few other criteria) have gathered about them, the right to have the data deleted, the right to opt out of the sale of their data, and the right to avoid discrimination based on exercising their other rights.
From a practical standpoint, this means that if you’re a resident of California, you can reach out to nearly any large company and ask what data they’ve gathered about you. They’re required to respond in a timely way, provide all your data to you, and let you delete anything you don’t like.
I’ve already used the CCPA to access my own profile from Clearview AI, which was a terrifying experience. So I’ve seen firsthand the power of the CCPA to grant a remarkable level of access and data control to consumers.
Even if you don’t formally exercise your CCPA rights (or you don’t live in California), it’s likely that the act will impact your online privacy. California is one of the world’s largest markets for technology products and services. Faced with the need for CCPA compliance in order to operate in California, many companies will likely provide the same level of access to everyone, instead of providing it only to residents of the state, radically expanding many consumer’s rights.
This is the motivation behind “Do Not Sell My Data” links which you may have seen on a variety of large websites. It’s also a motivating factor behind moves by companies like Google and Facebook to allow consumers greater access to their data, including the data these companies use to target ads.
The act also has major implications for companies in other states, or even other countries. If a company is based internationally (such as in China), it must comply with CCPA in order to operate in California. That means that the impact of the CCPA is truly global. It’s also likely to be the framework for a federal-level privacy law in the United States, which many expect will be enacted within the next several years (and Big Tech actually supports, since it’s seen as preferable to piecemeal legislation from multiple states).
Unsurprisingly, though, the CCPA will have enormous costs for tech companies and other businesses. According to California’s attorney general, complying with the law will cost companies at least $55 billion.
Failure to comply will likely be even more costly — each violation could cost companies $7,500. As many companies have a user base in the millions, CCPA fines could easily reach the hundreds of millions of dollars, or more. The CCPA also gives consumers additional rights to sue over data breaches, making these breaches even more costly to Big Tech.
And the act isn’t for tech companies only. Major retailers, marketing companies, and anyone else who gathers consumer data will need to comply with the act, or risk massive fines. Tech companies are reasonably well equipped to provide consumers access to their data. Giant legacy retailers and their ilk may be much less equipped to do so.
Why Good Digital Privacy Legislation Is So Hard to Get Right
Clearly, we are in dire need of better legal protections related to our data, but that’s easier said than done
In many ways, the decision to go forward with enforcing the CCPA makes a lot of sense. Covid-19 has rapidly expanded the range of information large companies are gathering about their customers (fever-detecting surveillance cameras, anyone?). Contact tracing and other pandemic practices (and the police powers used to enable them) also have the potential to rapidly erode privacy, and create a market for the data-gathering tools needed to determine where you go, who you interact with, and whether or not you’re sick.
If ever there has been a time when consumers need more tools to protect their own privacy, now is that time.
The California attorney general’s decision is also likely motivated by concerns about momentum, too. The CCPA was passed in 2018, and the process of codifying it into law has been complex and ongoing. An update is already in progress, and privacy advocates have reportedly obtained the signatures (pending verification) needed to place CCPA 2.0 on Californians’ ballots in November, despite the challenges of canvassing during Covid-19.
If the attorney general steps back now, and postpones enforcement until after Covid-19, there’s a real concern that the act would fade away and never truly go into effect.
One of the reasons the GDPR has been so effective is that it’s been rigorously enforced.
One of the reasons the GDPR has been so effective is that it’s been rigorously enforced. Since it went into effect, EU governments have collected almost $500 million in fines for violations of the regulation. I’ve been at plenty of conferences where GDPR was discussed, and I can attest to the genuine fear it provokes in many business leaders.
Failing to enforce the CCPA right off the bat could take away the act’s teeth, removing the incentives for compliance. Many companies would likely point to Covid-19 as a reason to ignore CCPA requests, and the act could lose much of its momentum and impact. Some of these reasons may be legitimate — a company that is running critical web infrastructure with a skeleton crew might have a hard time fielding privacy requests. But others would likely hide behind Covid-19 as an excuse for avoiding requests which are merely inconvenient, but not actually impossible, to fulfill.
At the same time, many businesses (especially those outside the tech sector) are genuinely hurting. CCPA fines (or just the extra operational cost of fielding CCPA requests) could easily push some into insolvency, costing jobs and livelihoods at a time when they’re badly needed. Buno Pati, CEO of data software vendor Infoworks told OneZero that before Covid-19 “most businesses were already struggling with the challenges of getting their arms around their consumer data assets.” Doing so during a pandemic could be beyond their resources and abilities.
Even if the attorney general limits enforcement actions to big tech companies, there are still risks. Again, tech is doing very well at the moment, despite (or in the case of companies like Zoom, because of) Covid-19. Hitting tech companies with massive CCPA fines during the pandemic could turn out to be an eat-your-children approach that comes back to haunt the state economically.
California’s finances, too, are a major concerning factor. As a result of Covid-19, the state is facing a $54 billion budget deficit. CCPA fines against successful tech companies could become a tempting source of much-needed revenue, essentially amounting to a shadow tax on tech. This could have a chilling effect on the American tech sector, just when we need its ingenuity and innovative power the most.
One interesting possibility is that the crisis-tainted launch of the CCPA will change how many big companies think about privacy and data access overall.
As reported in the Chronicle, privacy advocates counter these concerns by pointing out, correctly, that companies have had a long time to prepare for the CCPA’s enforcement. The act has been in the works for years, and was passed in 2018. Companies still face legitimate concerns about the person-power needed to respond to CCPA requests during Covid-19, but it’s true that they’ve had a lot of lead time to prepare for the act’s general frameworks.
Critics say specifics of implementation have often been vague, and many have just now been released. But the attorney general clearly doesn’t see this as a reason to put off enforcement. Companies that already comply with GDPR will likely have a head start, too, as many of the provisions of the laws are similar, and could likely draw on much of the same infrastructure.
One interesting possibility is that the crisis-tainted launch of the CCPA will change how many big companies think about privacy and data access overall. The simplest way to comply with CCPA is likely to give customers access to all their data by default, and allow them to make changes or delete data themselves. Google and Facebook have both taken this approach already, likely in response to GDPR.
Data openness and radically expanded customer control would eliminate much of the administrative time needed to respond to CCPA requests individually. With Covid-19 related pressures on revenue and staffing, companies that previously would have invested the staff time needed for one-off responses may instead take the approach of opening everything to users. This would be a major net benefit for consumers’ privacy.
However, as CCPA’s enforcement rollout proceeds, all parties should tread carefully. The attorney general’s comments suggest that it plans to target companies that are using Covid-19 as cover for major violations of consumer privacy. It will likely take a dim view of companies that roll out overreaching facial recognition or location tracking tools that consumers would never stomach in normal times, and capitalize on the pandemic and protests to sell them widely. Companies in this field should take note.
Facial Recognition Is Law Enforcement’s Newest Weapon Against Protesters
Police in Seattle, Austin, and Dallas, as well as the FBI have asked for images of violence and protests
The attorney general’s office should take care to enforce the law evenly, of course. But they should also take care not to place an undue burden on tech companies or others that are genuinely trying to comply, but have run into challenges due to the pandemic.
This especially includes small companies, like startups, that might fit the data size thresholds of the act (data on 50,000+ consumers) but not its revenue thresholds. These companies would likely be especially strained by overly aggressive enforcement, and especially ill-equipped to implement complex regulatory frameworks during a pandemic.
The attorney general shouldn’t let startups off the hook, necessarily — especially those in fields like contact tracing and location tracking, where major privacy violations could happen easily during Covid-19. But aggressive enforcement against emerging companies could easily stifle innovation.
During a crisis, the world needs privacy watchdogs — perhaps more than ever. But it also needs the flexibility to respond to major challenges in new ways, without the burden of excessive regulation. I hope that as California begins enforcing CCPA, the state can aggressively protect consumers—or give them the tools they need to protect themselves—while leaving our state’s capacity to innovate intact, and our tech sector thriving.