California’s new privacy law, explained

The California Consumer Privacy Act gives Californians some control over their data, but only if they know how to take advantage of it.

Your data, whether it’s your name, your location, or your shopping habits, has been a commodity for decades now. Collected, bought, sold, shared, transferred — however businesses get it, a lot of them have access to a lot of information about you. They use it in ways you never agreed to (and often that you’re not even aware of), and they make a lot of money off of it. And there wasn’t much you could do to stop them.

That’s about to change … to a point.

When the California Consumer Privacy Act, or CCPA (which you can read in full here), goes into effect on January 1, 2020, Californians will finally have certain rights over the data that companies like Facebook, Google, data brokers, and even Recode’s parent company, Vox Media, collect from them. While these rights have limits, the very existence of this law is a victory for consumer privacy rights because it will introduce changes to a data collection industry that has gone unregulated and unchecked for so long.

For all the discussion about our online data and the privacy concerns surrounding it, it’s sometimes hard to wrap your head around what companies really know about us, and what it means for us when they gather and sell this information. This data can be deeply personal. To give a few recent examples: Copley Advertising used location data collected from people’s phones to send anti-choice ads to the devices of people who were near abortion clinics. The consumer DNA testing company 23andMe gave drug company GlaxoSmithKline access to de-identified data from millions of customers who probably thought their DNA was only being used to discover their ancestral homelands. And political consulting firm Cambridge Analytica exploited Facebook’s developer tools to access and collect data from 87 million profiles — only several hundred thousand of which were given any kind of notice that their data was being gathered at all. The Trump campaign then used Cambridge Analytica’s data to deliver carefully targeted ads and content at potential voters in the runup to the 2016 presidential election.

“The use of personal information has continued to evolve in ways that many consumers find increasingly offensive, as the drive to track us across all our devices, all the time, continues to be the focus for many businesses,” Alastair Mactaggart, founder of Californians for Consumer Privacy and author of the 2018 ballot initiative that led to CCPA, told Recode.

If you don’t live in California, you can still benefit from at least some of the law’s requirements. At the very least, there is added transparency: Businesses must now notify consumers what personal information they collect about you and why. And some companies may give people all across the US the same opt-out and deletion rights they give to Californians because it’s easier to roll out a widespread change.

That said, most experts and stakeholders told Recode the law is far from perfect. Some critics, like Eric Goldman, a professor and co-director of the High Tech Law Institute at the Santa Clara University School of Law, worry that the law will hurt the businesses that must comply with it. A report prepared for the state’s office of the attorney general estimated that CCPA compliance will cost businesses $55 billion in initial charges.

“I think California consumers are going to be shocked by how rarely the CCPA helps them and how often it creates challenges for them,” Goldman said. “Few consumers will ever take advantage of the rights created by the statute, but all consumers will implicitly pay more to help businesses cover their CCPA compliance costs.”

If you want to take advantage of your rights, you first have to know what they are. The law’s introduction lists the five rights it’s meant to ensure, so let’s start there. We’ll use the new CCPA section of Vox Media’s privacy policy as a real-world example.

1. The right of Californians to know what personal information is being collected about them

What this means: A business must tell you that it collects personal information about you either before or as that information is collected.

In the real world: Vox Media will now tell you in its privacy policy that it has collected several categories of personal information from users within the last 12 months, such as names, email addresses, and demographics. It also refers back to another section in the policy that details the information that it automatically collects whenever you interact with Vox Media’s services, like what you are doing right now: reading an article on one of Vox Media’s websites. That information includes things like your IP address and location.

Limitations/potential Issues: CCPA’s definition of “personal information” includes everything from the obvious (your name) to the less obvious (your internet browsing history). If it can be linked back to you in some way, it’s protected here. That’s generally good for the consumer but makes it much more difficult for businesses to monitor and account for all of that data.

“Not all data is created equal, and therefore shouldn’t be regulated in the same way,” Ari Levenfeld, chief privacy officer at Quantcast, told Recode. “Data falls on a spectrum of sensitivity, ranging from personally identifiable information like names and email addresses, to less sensitive information such as pseudonymous data that is based on probabilistic, indirect identifiers like cookie IDs and IP addresses. The implications of exploiting or misusing the different types of data are fundamentally different, and therefore the regulations aimed at mitigating privacy risks should reflect those nuances.”

2. The right of Californians to know whether their personal information is sold or disclosed and to whom

What this means: A business must tell you the types (though not the names) of third parties it shares your personal information with, but it’s up to you to ask for this information. You also have the right to tell the business to delete your personal information and to not sell it (more on that later).

In the real world: You have the right to ask Vox Media for the categories of third parties that Vox Media has disclosed your personal information to, as well as what personal information was disclosed. You can do this by emailing [email protected] or submitting a request through the online form.

Limitations/potential Issues: This is a part of CCPA that some critics say falls short on protecting people like you: In order to protect your personal information or to even know what data businesses are gathering about you and selling to other companies, you have to take action on your own. It doesn’t just happen by default. That’s a problem, says Jennifer King, the director of privacy at the Center for Internet and Society at Stanford Law School.

“I think if we continue to legislate with this ‘individual consumers are the ones who have to make all these choices for themselves’ approach, and it’s all on the burden of their shoulders to navigate this impossibly complicated ecosystem, these laws are only going to be somewhat effective,” she said. “Not to completely criticize this law, because I think that it’s important. It’s a place to start,” she added.

CCPA could cause issues for businesses as well because it leaves some things open to interpretation. Facebook, for example, sells ads based on its Pixel service, which is a line of code that businesses put on their websites that tracks users’ behavior and links it to their Facebook accounts. What’s tricky is that Facebook does not sell the actual data that Pixel gathers. Facebook makes money off of that data, but is that a sale? Facebook appears not to think so.

And some businesses are confused about how to interpret CCPA, according to Anneka Gupta, president and head of products and platforms at LiveRamp, a data processing company. “For example, we’ve heard that individuals and businesses are unclear about the exact definition of what constitutes ‘selling data,’” she told Recode.

Vox Media’s policy on data sales alludes to the uncertainty here: “We do not generally ‘sell’ personal information as the term ‘sell’ is traditionally understood.”

3. The right of Californians to say no to the sale of personal information

What this means: Businesses must give you ways to opt out of having your personal information sold to or shared with third parties like advertisers or data brokers, and they must honor your opt-out request. They must also put a link to their opt-out page on their homepage advising you of this right.

In the real world: Vox Media provides two ways to opt out. You can email your request to [email protected], or click a link in the site footer that says “Do not sell my info.” Here’s what that looks like on Vox.com’s homepage (highlight added):

You’ll then be redirected to a contact form that requires you to disclose some personal information (ironic, but Vox Media has to know who you actually are in order to fulfill your request):

Exception: Businesses can still sell your information as long as personally identifiable details have been removed.

Limitations/potential Issues: You can tell a business you don’t want it to sell your data, but there’s no way to opt out of having that data collected in the first place. This means data collection kings like Google and Facebook can mostly continue on their merry way, even though the law was originally meant to rein both companies in.

“CCPA is focused on data brokers and other companies selling customer data,” Roger Allan Ford, professor at the University of New Hampshire’s Franklin Pierce Center for Law and Technology, told Recode. “That’s a legitimate privacy problem, but the bigger problem comes from the ways that companies can gather and use information about consumers without buying or selling any data.”

4. The right of Californians to access their personal information

What this means: Businesses must offer you ways to request a copy of the personal information they have collected about you, and they must provide it free of charge within 45 days of your request. You have the right to know the types of personal information (for example: name, email, or location) a business has collected, where it came from, why it was collected, the categories of third parties it has shared that information with, and the specific pieces of information it has collected. You can also tell them to delete that information.

In the real world: Vox Media’s “right to know and delete” section gives you two ways to do this. Similar to the right to opt out, you can email [email protected] or use Vox Media’s contact form.

Limitations/potential Issues: Some businesses are still trying to figure out how to verify these requests.

“There seems to be confusion in … how companies are to validate that the person is who they say they are,” Gupta told Recode. “We do know there is a series of information that individuals are supposed to provide in order to validate their residency (name, address, phone number, email, identity verification materials, etc.), but there will need to be a significant amount of education around the type of proof needed for removal requests.”

5. The right of Californians to equal service and price, even if they exercise their privacy rights

What this means: Businesses can’t charge you extra or refuse to provide a service to you if you take advantage of your privacy rights under the new law. But they can offer bonuses or incentives in exchange for information.

In the real world: Vox Media’s policy includes a “right to non-discrimination” that spells this out. It also has a “financial incentives” section that says it may pay customers for their personal information.

Exception: Loyalty programs, like those store cards that give you discounts on products in exchange for the information you provide to them (your name, email, items purchased), are not considered discriminatory.

What happens next

Once the law goes into effect, it must be enforced. That’s up to the state attorney general’s office. In certain cases, you might be able to sue businesses for privacy breaches, but only if a business’s inadequate security measures caused your information to be disclosed, and it only covers the most sensitive stuff, like Social Security numbers, credit cards, or health information. Privacy advocates including the American Civil Liberties Union and the Electronic Frontier Foundation don’t think CCPA goes far enough.

“It’s not clear what enforcement will look like,” Ford said. “Consumers can only sue for data breaches, which are a fairly small category of privacy problems. State enforcement of the rest of the law might help focus enforcement on real privacy problems rather than technical violations, but it might also mean the law winds up being under-enforced.”

In the end, CCPA’s legacy may not be the law itself, but the laws it inspires. California tends to be a national trendsetter when it comes to legislation. Several other states are already considering their own privacy laws. There are also several data privacy bills making their way through the federal government — in both chambers of Congress and from both sides of the aisle.

“While the CCPA is not perfect, it does provide a framework for approaching privacy in the age of technology,” Levenfeld said. “The first-of-its-kind US law will lead to more comprehensive regulations in the future.”

And Alastair Mactaggart is now collecting signatures for a new 2020 ballot initiative, called the California Privacy Rights Act, to address what he thinks CCPA is still missing. The law would tell consumers how and when automated decisions “significantly affect their lives” and it would create a new state agency to enforce the new laws.

“I believe consumers must be given even stronger rights to control their own information, all the time — not just the sale of information, which CCPA regulates effectively, but also the use of our most sensitive personal information,” Mactaggart said.

Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.