Think about your everyday digital footprint: You pull up Facebook to see what your friends are up to and read the news, use your credit card to buy groceries and Google a stray thought.
All of your purchases, interactions and web searches rely on an exchange of information between you and the company providing the service. And it’s not always clear what personal details are collected, where that information goes and how it’s used.
But come 2020, Californians will have a bit more control. In June, Gov. Jerry Brown signed a landmark new data privacy law called the California Consumer Privacy Act. It’s the first law in the United States that comprehensively regulates data privacy — applying broadly to information collected by both online and brick-and-mortar businesses.
Privacy advocates are excited about the bill’s expansiveness. Aleecia McDonald, an assistant professor at Carnegie Mellon University’s Information Networking Institute based in Silicon Valley, says consumers are beginning to understand “there’s a whole lot of data that is being collected about them that they have no idea about.” But critics contend that it’s the scope of the law that makes it problematic.
Here are some things to know about data privacy and the law before it goes into effect.
What Is ‘Data Privacy’ And How Is It Regulated?
Data privacy involves giving people control over the personal information they put out into the world.
Depending on what devices you own and what services you use, that information can be lots of different things: where you live, what you watch on TV, your health and financial history — the list goes on and on.
We provide these details about ourselves all the time to access services and use products that improve our lives and make them more convenient. But privacy concerns arise when that information is not kept secure, or when we don’t understand how it’s being used or shared.
McDonald says there’s more at stake than most people think. “The implications of how this data get used are really much broader and deeper than just a couple of creepy ads,” she said. “It’s perhaps the fate of democracy.”
More than 80 countries and independent territories have comprehensive data privacy laws. Each varies in scope and detail, but these regulations lay out what counts as personal data and what rights consumers have to control how businesses use that information.
Under the European Union’s General Data Protection Regulation (GDPR), a company must get permission from EU consumers before it can collect their personal data — they have to “opt in.” EU residents can also ask a company to delete their data, and the company has to comply or face a penalty.
The United States, notably, does not have a federal data privacy law.
“In the U.S., it’s really been the wild west for a really long time,” McDonald said.
Instead of taking a comprehensive approach, the U.S. has a patchwork of federal laws that apply to specific types of information or demographics. HIPAA, for example, is a federal law that applies to health information, and COPPA applies to information collected online about children under 13.
Many states have privacy laws, too. But, again, they chip away at privacy issues, granting protections for certain types of information.
What Does The California Consumer Privacy Act Do?
The California Consumer Privacy Act gives residents the broadest privacy protections in the country.
“It will absolutely change the way that companies do business in the state of California, if not the United States,” said Christin McMeley, a Washington, D.C.-based attorney who represents cable industry clients on privacy and information security matters.
The text of the law is 10,000 words, and it’s extremely complex. But it’s the first law in the nation to do three key things: require companies to disclose what personal data they collect about you, give you the option to opt out of the sharing of that data with third parties, and require companies to delete your personal data upon request.
And if you exercise any of these rights, companies still have to give you equal service.
The law also gives consumers free, physical access to the personal data that businesses collect — requiring companies to provide your information in an accessible format, such as a downloadable file.
And you can sue for damages in certain circumstances, such as if your information is mishandled.
How The Privacy Law Impacts Businesses
A business has to comply if it meets just one of the following criteria: it makes more than $25 million in revenue a year, generates 50 percent or more of its annual revenues from selling consumers’ personal information, or collects personal information from 50,000 or more consumers, households or devices in a year.
The International Association of Privacy Professionals estimates that more than half a million companies that do business in California would be affected by the law in its current form.
McMeley said that while there are unanswered questions about how the law will work in practice, businesses will be forced to make changes.
“Similar to what happened in Europe, businesses are really going to have to understand the different types of data that they collect and how they are maintaining and processing that data,” she said.
What Does It Mean For The Rest Of The Country?
While California is home to Silicon Valley, whose tech giants have sparked privacy concerns around the world, it does have more laws protecting privacy than any other state.
Now that California has passed the CCPA, experts say other states will follow suit with similar legislation to offer broad data privacy protections.
This has happened before with security breach notification laws: California was the first state to require businesses to let people know if their digital data had been compromised in a security breach. Now, as of March, all 50 states, as well as the District of Columbia, Puerto Rico and the U.S. Virgin Islands, have enacted similar laws.
The new California law also could be the first step down the road toward comprehensive federal legislation, McMeley said.
But can Congress in its current state actually enact a similar law for all Americans?
“I think it's a long shot,” McMeley said. “At a minimum, there's going to be a lot of activity in the states after this law gets a little more settled.”
What Happens Next?
Before the law takes effect in 2020, businesses will likely ask lawmakers for changes or tweaks to make it easier for them to comply.
It’s important to note that the CCPA was drafted in a week, to avoid putting a data privacy measure before voters on the November ballot. The law was a better option for opponents of the initiative — which included Google, Facebook, AT&T, Comcast and the California Chamber of Commerce — because laws passed through the Legislature are easier to amend.
McMeley says that, because the law was created so quickly, there are a lot of unanswered questions about what exactly the law means and how, or even when, it will be enforced.
Critics, including law professor Eric Goldman with Santa Clara University’s High Tech Law Institute, say the law imposes high costs on businesses with unclear benefits to consumers, who may think that they want more control, but will be too overwhelmed by the nitty-gritty of data-collection policies.
“There's going to be a very expensive compliance structure built to handle those consumer inquiries, but if very few consumers take advantage of them, then we're all paying those costs, but it's not really delivering a lot of value,” he said.
Aleecia McDonald with Carnegie Mellon University says that if people care about this law, they should pay attention to the news and write their state lawmakers.
“Because companies will be finding ways to make sure that their voices are heard and that's good, that's important,” she said. “But those corporate voices need to be balanced with the citizens' voices.”