California enacted the country’s most sweeping data privacy law a little more than a year ago, giving consumers in the state the power to find out which businesses are collecting personal information about them, to stop that information from being sold and to demand that it be deleted. It was a huge win for consumers, offering them some control for the first time over the revealing personal data they’re giving away — often unknowingly — to companies online and in their communities.
The California Consumer Privacy Act was a compromise with online companies, which were eager to prevent a tougher proposal from going onto the ballot. Still, the deal hasn’t stopped business lobbyists or consumer advocates from coming back to the Legislature this year to try to change the measure before it takes effect Jan. 1.
Arguing that some key provisions are unworkable, industry lobbyists have pushed to allow more types of data to be excluded from the law’s protections and allow more information to be sold. Meanwhile, privacy groups have sought to hold companies accountable for every violation and to give individuals the right to sue companies that run afoul of the law.
Their efforts haven’t yielded any major changes to the law yet, thanks in no small measure to Senate Judiciary Committee Chair Hannah-Beth Jackson (D-Santa Barbara) holding the line on the bills coming through her committee. We all should hope the Legislature keeps it that way.
The act is complex and its effects potentially enormous, but it gives companies room to fix the missteps they will inevitably make, whether by happenstance, ignorance or bad intent. That power to correct violations within 30 days without penalty makes sense while businesses and consumers are adjusting to the new law, even if it may become an impediment to meaningful enforcement down the road. The Legislature can always reconsider the 30-day get-out-of-court-free pass later if the concerns about it prove prescient and bad actors feel free to violate users’ privacy with impunity.
At the same time, lawmakers can count on that 30-day window to protect against the sort of nightmare scenarios that business lobbyists are spinning out. Among other things, they warn that the act would let any member of a household force online companies to turn over the personal data collected on other members of the household, which would be alarming in homes riven by abuse; that businesses would be forced to jump through costly and unnecessary hoops to protect information that can’t reasonably be associated with any individual consumer; and that the law could make it impossible to do the sort of targeted advertising that’s routine across the internet today, as well as cripple popular supermarket rewards programs.
Industry groups are right to push for clarity and workability, but they have not made a persuasive case that the law needs to be amended to avert the dire outcomes they predict. There’s another avenue to address those issues: the state attorney general’s office, which is on the hook to provide guidance and regulations to implement the law. Granted, that guidance isn’t expected to arrive until mid-2020, months after the new law goes into effect. But that delay is a feature, not a bug; only the attorney general has the power to enforce the California Consumer Privacy Act’s provisions on data collection and sale, and that enforcement isn’t likely to start until after the rules come out.
Besides, supporters say the law isn’t intended to produce (and may already protect against) many of the noxious results that its critics are sounding alarms about. The best way to tell where the real problems are — and there will be problems — is to put the measure into effect and see how businesses and consumers respond.
Ideally, California wouldn’t have to write basic data privacy protections into state codes. Just as Europe enacted continent-wide rules in 2016 for the collection of personal information, so should Congress have responded long ago to the endless privacy outrages inflicted by social media companies, data brokers, banks and the like. But Congress showed no real interest in a privacy bill of rights until California adopted its own, and even then it seemed to be responding mainly to tech companies that wanted to preempt the state law with weaker national standards.
So it’s imperative that California’s privacy initiative stay on track, and that consumers seize the chance they will be given in January to find out who is collecting, storing and selling what kinds of personal information about them. Like it or not, the secret currency of commerce is personal data. That’s largely because of the public’s unwitting acquiescence in a system that seemed to deliver valuable services for free. The new California law will let us all find out the price we’ve been paying in terms of our personal information so we can decide whether to keep playing along.