California appears to be following in the European Union’s footsteps with its new privacy law – the most comprehensive U.S. data privacy protection to date.
However, law experts and privacy advocates told WikiTribune that the legislation might not have the intended effect of giving citizens more control over personal data.
Eric Goldman, a professor of internet law at the University of Santa Clara, said that despite marketing itself as the toughest data privacy law in the country, “the law [is] a terrible policy produced by a terrible process.”
“And yet California has enacted a law that utterly fails to provide the privacy protections the public has demanded and deserves. This measure was hastily drafted and needs to be fixed.”
Implemented on June 28 and going into effect in 2020, the California Consumer Privacy Act of 2018 (CCPA) sets out to change how businesses handle data in the United States’ most populous state.
James P. Steyer, CEO and founder of the non-profit Common Sense, agrees with the law.
“The state that pioneered the tech revolution is now, rightly, a pioneer in consumer privacy safeguards, and we expect many additional states to follow suit,” he said on the organization’s website. “This is the right first step toward ensuring that Americans have strong data privacy protections.”
However, law professor Goldman told WikiTribune he disagreed with those who herald the law as a model for other states to follow.
“It’s hard to imagine a worse precedent for other states to follow.”
What’s it meant to do?
Essentially, supporters say the law will give consumers more rights and power to control personal information companies collect about them.
By 2020, companies that collect personal information will be required, upon request by consumers, to reveal what data they have, what they use it for, and with whom they’re sharing it.
Consumers have the right to demand companies delete their data or to not sell it to third parties. In the case of a data breach, the law makes it easier for consumers to sue companies for up to $750 for each violation (Fortune).
State attorneys general also have more authority to fine companies that don’t adhere to the new regulations.
To fall within the jurisdiction of the law, businesses must meet one of the following conditions:
- Have $25 million or more in annual revenue
- Hold the personal data of more than 50,000 “consumers, households, or devices.”
- Earn more than half of its annual revenue selling consumers’ personal data – a “consumer” in this context is defined as a Californian resident
Defining ‘personal information’
Privacy regulation is a difficult task with enormous consequences if done wrong. One first step to getting it right is clear and specific language. However, critics say the CCPA goes against this, notably pointing out its broad view of what “personal information” is.
In a section of the legislation, it defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
In an analysis of how CCPA defines “personal information,” Mike Masnick, the CEO of internet blog Techdirt, wrote that the law misunderstands how a lot of privacy is contextual, and that in effect, the act is “not an ‘internet’ privacy bill. It’s an everyone privacy bill.”
“Let’s take ‘information regarding a consumer’s interaction with an internet web site,’” wrote Masnick.
“Okay. Yes, you can see that there are reasonable privacy concerns around a company tracking everything you do on a website. But… that’s also generally useful information for any website to have just to improve the user experience – and basically every website has tended to do some form of user tracking. It’s not privacy violating – it’s just understanding how people use your website.”
It’s vaguely GDPR
When the European Union implemented the General Data Protection Regulation (GDPR) on May 25, it set the standard for a privacy framework globally. Under that law any company, anywhere in the world, is subject to the law as long as it handles the data of EU citizens.
The CCPA may not be as expansive considering its size, but does it emulate some of GDPR’s effectiveness?
Though the CCPA “covers the same concerns addressed by the GDPR,” Goldman told WikiTribune, “the wording isn’t based on the GDPR and each law covers different things.”
“Thus, businesses that already spent a lot of money to comply with the GDPR are not necessarily compliant with the new law. As a result, every business will have to redo the expensive compliance work they already did for GDPR, and they have less time to do so.”
To add more complexity, California is the only state to have this law, meaning that lack of uniformity across the U.S. will be “confusing for corporations and consumers alike,” according to The Mercury News, a Californian newspaper.
The law also only took three months to draft and go through legislation, with much of the work done in about a week (New York Times). Such a time frame is telling to critics who pointed out its imperfections.
“The GDPR took four years and involved consultations with many stakeholders before it was adopted,” said Goldman. “The California legislature worked a week on the bill (it was introduced seven days before passage) and only heard from a few lobbyists, not from the wider range of affected constituents. Not surprisingly, the law reflects this sloppy process. It’s riddled with typos, errors, completely unintelligible provisions, and bad policy.”
The new CA Consumer Privacy Act is riddled with (likely hundreds of) drafting errors. Here’s one: a business can’t sell info of consumers “less than 16” unless “consumers between 13 & 16” opt-in. For consumers exactly 16, what result? #MoveFastandBreakThings
In the above tweet, Goldman states the legislation makes it unclear if a consumer aged exactly 16 is considered “less” or “more.”
Consumer Watchdog, a consumer advocacy group, supports the law, citing that while it’s not perfect it “is a substantial forward step for privacy protection in California.”
Sweeping, but not in the way it intends
Goldman, the law professor at Santa Clara, said the law was marketed as a way of targeting Internet giants such as Facebook and Google, as well as people engaged in buying and selling data.
“While the law reaches those companies, it also reaches hundreds of thousands of small local businesses with no online activity whatsoever. It treats your local pizzeria just as harshly as the sleaziest data broker.”
The International Association of Privacy Professionals (IAPP), a non-profit based in New Hampshire, estimated that the law will affect more than half a million U.S. companies, most of which are small to medium-sized enterprises.
In emails obtained by The Intercept, companies including Google and Facebook are quietly working to amend the law. Facebook’s inclusion is striking, as it publicly announced in April that it had dropped out of its opposition (The Verge) to the initiative. Even so, Goldman told WikiTribune those larger companies won’t be the only ones lobbying to amend the law.
“The law affects every business, whether they are in the tech industry or not, so I expect other business advocacy groups to speak up,” he said.
“Everyone expects changes to the law, but I am skeptical that the legislature will make major changes. I expect 99 percent of the words currently in the bill will remain the same after the amendment process.”
In a statement to WikiTribune, Lee Tien, a senior staff attorney at digital-rights group Electronic Frontier Foundation (EFF), said the law doesn’t take effect until 2020, so of course its “exact impact remains in flux.”
“We anticipate that the California legislature will consider many changes to the new law in the months and years to come,” said Tien.