Starting New Year’s Day, you may notice a small but momentous change to the websites you visit: a button or link, probably at the bottom of the page, reading “Do Not Sell My Personal Information.”
The change is one of many going into effect Jan. 1, 2020, thanks to a sweeping new data privacy law known as the California Consumer Privacy Act. The California law essentially empowers consumers to access the personal data that companies have collected on them, to demand that it be deleted, and to prevent it from being sold to third parties. Since it’s a lot more work to create a separate infrastructure just for California residents to opt out of the data collection industry, these requirements will transform the internet for everyone.
Ahead of the January deadline, tech companies are scrambling to update their privacy policies and figure out how to comply with the complex requirements. The CCPA will only apply to businesses that earn more than $25 million in gross revenue, that collect data on more than 50,000 people, or for which selling consumer data accounts for more than 50 percent of revenue. The companies that meet these qualifications are expected to collectively spend a total of $55 billion upfront to meet the new standards, in addition to $16 billion over the next decade. Major tech firms have already added a number of user features over the past few months in preparation. In early December, Twitter rolled out a privacy center where users can learn more about the company’s approach to the CCPA and navigate to a dashboard for customizing the types of info that the platform is allowed to use for ad targeting. Google has also created a protocol that blocks websites from transmitting data to the company, which users can take advantage of by downloading an opt-out add-on. Facebook, meanwhile, is arguing that it does not need to change anything because it does not technically “sell” personal information. Companies must at least set up a webpage and a toll-free phone number for fielding data requests.
Some companies are reportedly hiring outside firms to design special buttons that users can click to exercise their CCPA rights. The links and buttons will direct users to interactive forms where they can specify what they want done with their data. Each company will have its own way of setting up these forms, but there are some basic pieces of information that most will want to fulfill the request. “You might want to capture who is the consumer, what exactly is the information, and depending on how much information you store about consumers, you might want to know what time frame they’re talking about,” says Joseph Lazzarotti, a privacy and data lawyer who is assisting companies with CCPA compliance.
Depending on which right a consumer wants to exercise—access, deletion, or opting out—there may be different kinds of information that a company will want to gather through the web form in order to verify the identity of whoever is making the request. “With regard to the right to access your data, that has the highest threshold for risk analysis and what mechanisms you use to authenticate the person,” says Tara Cho, a privacy and cybersecurity lawyer who is also helping companies navigate the new law. “You could end up creating a data breach by sharing the information with a fraudulent actor.”
The law is vague on how much power and transparency companies must offer to consumers in this process. Some companies may thoroughly spell out in their privacy policies exactly what kinds of information they collect and use; data covered by the CCPA includes IP addresses, contact info, internet browsing history, biometrics (like facial recognition and fingerprint data), race, gender, purchasing behavior, and locations. In some cases, consumers may be able to choose what specific data they want the company to use or delete, though this isn’t strictly mandatory under the CCPA. Other companies will be much vaguer about data collection methods in their privacy policies to meet the bare minimum of transparency requirements set out by the law. “We’ve seen a real spectrum in the level of granularity in the disclosures. There’s a lot of confusion over how exactly you’re supposed to do it,” says Adam Connolly, a privacy and cybersecurity lawyer at Cooley LLP, another firm working with clients on CCPA issues. Some of this ambiguity may be clarified in the final draft regulations, which the California attorney general’s office is expected to release later in 2020.
Though the law will really only have teeth in California, many companies will extend these new protections to users across the country so they don’t have to worry about distinguishing who is or isn’t a resident of the state. For example, Microsoft has decided to extend protections under the CCPA and Europe’s General Data Protection Regulation to all of its customers in the U.S. According to Lazzarotti, companies may want to spell out in their websites’ privacy policies that they will only fulfill requests for Californians, but then apply the new standards to everyone regardless of residency in practice. That way the company isn’t legally obliged to accommodate people out of state, but can still do so just to be safe. “If you wanted to do this for everybody, even though your website says it’s only for people in California, that would be OK,” says Lazzarotti. “You’re being more generous in that sense.”