How California Is Rewriting The Law On Online Privacy
Our actions online have created a vast trove of information worth billions of dollars. Every time we search, click, shop, watch, send, receive, delete or download, we create a trail of data that companies can use to figure out our tastes and interests. We also hand over information when we use social media or loyalty programs at our favorite stores.
This data has formed the foundation of the internet economy, allowing advertisers to better target the people they want to reach — whether that’s a company that wants to sell you something or a politician who wants your vote.
But many Americans have grown concerned about what else can happen with all this data. Hackers have stolen it from email providers and credit card companies. Facebook was fined $5 billion for mishandling information on millions of people that political consultants exploited to influence the 2016 presidential race. Health apps have been criticized for sharing their users’ most intimate details — including when they have sex or ovulate.
Responding to outcry that technology companies have invaded consumers’ privacy, California became the first state in the nation to pass a law giving people more control of their digital data. The new rules take effect on January 1. This explainer will walk you through what California is — and isn’t — doing to give you options to protect your privacy.
How much information do companies have about us?
Last year, a writer downloaded his data from Google and Facebook and published an article about it in The Guardian. The amount of information the companies had about him was mind blowing:
“They also have every image I’ve ever searched for and saved, every location I’ve ever searched for or clicked on, every news article I’ve ever searched for or read, and every single Google search I’ve made since 2009. And then finally, every YouTube video I’ve ever searched for or viewed, since 2008,” Dylan Curran wrote.
How did California’s new law come about?
It all started with some dinner party chitchat between a San Francisco real estate developer and a Google engineer. The engineer told the developer that Americans would freak out if they knew how much information Google has on them. The developer then spent $3.2 million to put an initiative on the California ballot that would give people more control of their digital data.
Tech companies put up $1 million to fight the ballot measure before deciding they’d rather not wage a public campaign against consumer privacy. The developer, Alastair Mactaggart, agreed to take his measure off the ballot if the Legislature would pass a privacy law.
Lawmakers had caved to pressure from tech companies in 2017 and let a privacy bill stall. But Mactaggart’s initiative forced them to act, and the two sides worked out a compromise that lawmakers passed in 2018. Mactaggart won a nation-leading privacy law. Tech companies won limits on the ability for people to sue over privacy violations. And both sides won the ability to keep lobbying for changes for a year before the law took effect.
Throughout 2019, tech companies lobbied to weaken the bill while privacy advocates lobbied to toughen it by, among other provisions, giving consumers more ability to sue. (Privacy advocates were divided on that detail; Mactaggart did not advocate for more power to sue, but many other groups did.) When lawmakers gaveled down for the year, however, neither side had won any significant changes to the privacy law.
What does the new privacy law do, exactly?
The law gives Californians new rights and businesses new responsibilities. It does not apply to journalistic coverage and nonprofit organizations. Businesses must comply if their revenues exceed $25 million a year, if they get at least half their annual revenue from selling consumers’ personal information, or if they buy or sell personal data of at least 50,000 households a year. That means as many as 500,000 companies are likely to have to follow the law.
How big a change is this?
Depends on your perspective. On one hand, California’s privacy law is the strongest in the United States, giving consumers a new level of control that may become the national standard. Companies are spending an estimated $55 billion to comply, largely on updates to their policies and systems.
On the other hand, the law doesn’t stop companies from collecting personal data — it just gives people more ways to know what’s being collected and ask that their information be deleted. In other words: the impact of the law may rest in how many people exercise their new rights.
The biggest change most Californians likely will see is a flurry of notices that companies have updated their privacy policies. If you click through these emails and read the privacy policies, you may notice a California-specific section, such as this one from Kohl’s. You’ll also see directions on how to request the data the company has about you and how to ask that it be deleted.
Some companies already have tools for you to access your information:
“There are other ways they utilize personal information that secure their market position and still bring them monopoly revenues without having to sell information,” said Dipayan Ghosh, a former Facebook executive who is now co-director of the Digital Platforms & Democracy Project at Harvard.
Instead, these companies aggregate users’ data and sell advertisers access to them based on categories such as age bracket, geographic region, buying habits or hobbies.
Data brokers are different. They scoop up loads of personal information from various sources, combine and organize it, then sell it to advertisers. For example, they sell lists of people:
Data brokers may know:
A review by Fast Company found 121 data brokers operating in the United States, calling it a “bustling economy that operates largely in the shadows, and often with few rules.”
Under California’s privacy act, data brokers will have to add a button to their websites allowing people to opt out of having their information sold. But many people have no clue who these data brokers are, or how to find the websites where they can click on an opt-out button. So California enacted a follow-up law that will create a state registry of data brokers — but it won’t be available until January 2021.
How much is my data worth?
“California’s consumers should… be able to share in the wealth that is created from their data,” Gov. Gavin Newsom said a few weeks after he was inaugurated in 2019.
He directed his staff to come up with a proposal for a “data dividend” for Californians, but has yet to release any details on how it might work. One idea, floated by Facebook co-founder Chris Hughes, would be to structure a data dividend similar to the way Alaska shares the wealth from its oil by sending annual checks of $1,500 to each resident. (Another former Facebooker panned the idea.)
Will I have to pay more if I opt out of having my data sold?
Some privacy advocates are concerned about the provision in California’s law that allows businesses to charge more for their services to people who opt out of having their data sold.
“Privacy is not something that should be available only to rich people. It should be available to everyone,” said ACLU attorney Jacob Snow.
The law says the price differential would have to be commensurate with the value of a customer’s data. Snow cautions this may lead to a two-tiered internet economy — one for Californians who pay with money, another for those who pay with personal data.
But if price differentials like that emerge, they’re unlikely to roll out immediately. That’s because even though the law takes effect in January, the attorney general is still developing rules that will guide how much more businesses can charge.
“There is going to be a little bit of a warm-up period on some of this,” said Internet Association lobbyist Kevin McKinley.
Why are we doing this?
Exposés of government surveillance programs and revelations that social media giants share users’ information have lead many Americans to worry about digital privacy, according to public opinion surveys.
What doesn’t the new law cover?
Saying California’s privacy law doesn’t go far enough, Mactaggart is now back with a new initiative he’s aiming to place on the November 2020 ballot. It would make it harder for the Legislature to change the privacy law and add new protections to make California’s privacy law more similar to Europe’s.
What are other states doing?
In 2018, California and Vermont were the first states to pass data privacy laws (though Vermont’s is narrower, focused only on data brokers). The next year, about half the states introduced legislation on data privacy. Several of the state laws that passed only require further study of how to regulate consumer privacy. Nevada and Maine passed laws similar to California’s, and Illinois passed a law prohibiting genetic testing companies from sharing personal data with health and life insurance companies without written consent from the consumer.
Is there going to be a nationwide policy on data privacy?