GSBE Business Update 12/09/2019
How California is rewriting the law on online privacy
Our actions online have created a vast trove of information worth billions of dollars. Every time we search, click, shop, watch, send, receive, delete or download, we create a trail of data that companies can use to figure out our tastes and interests. We also hand over information when we use social media or loyalty programs at our favorite stores.
How much information do companies have about us?
Last year, a writer downloaded his data from Google and Facebook and published an article about it in The Guardian. The amount of information the companies had about him was mind blowing:
- The Google data was the equivalent of 3 million Word documents
- The Facebook data was about 400,000 Word documents
- Histories of every location he’d been in the last year (with the time and date he was there)
- A calendar of which events he added and which ones he actually attended
- All the photos he’d ever taken with his phone (including when and where they were taken)
- Every email he’d ever sent or received (including those he deleted)
“They also have every image I’ve ever searched for and saved, every location I’ve ever searched for or clicked on, every news article I’ve ever searched for or read, and every single Google search I’ve made since 2009. And then finally, every YouTube video I’ve ever searched for or viewed, since 2008,” Dylan Curran wrote.
How did California’s new law come about?
Throughout 2019, tech companies lobbied to weaken the bill while privacy advocates lobbied to toughen it by, among other provisions, giving consumers more ability to sue.
What does the new privacy law do, exactly?
Key elements of California’s new data privacy law:
- Requires businesses give you all the information they collect about you, free of charge, if you request it from them. You can request it up to twice a year.
- Requires businesses delete information they have collected from you, if you ask them to. They can deny your request to delete in some circumstances, such as if the data is necessary to complete a transaction or protect against fraud.
- Requires businesses that sell personal information to create a simple way for you to opt out of having your data sold, through a “recognizable and uniform” button or logo on the company’s website. (The button design is currently under development by the Attorney General’s Office.)
- Allows businesses to charge you more for their services if you opt out of letting them sell your data. The difference in pricing must be commensurate with the value of your data.
- Allows you to sue companies that allow your personal information to be accessed or stolen through a data breach. This provision is meant to encourage companies to maintain strong security practices.
- Forbids businesses from selling the personal information of children under age 16 unless the parent (of children under age 13) or the child (age 13 to 16) opt in to the sale.
How big a change is this?
The biggest change most Californians likely will see is a flurry of notices that companies have updated their privacy policies. If you click through these emails and read the privacy policies, you may notice a California-specific section, such as this one from Kohl’s. You’ll also see directions on how to request the data the company has about you and how to ask that it be deleted.
Some companies already have tools for you to access your information:
- Download your Google data here
- Download your Facebook data here
- Download your Twitter data here
- Experts anticipate that commercial services will soon emerge to help consumers use the new law to protect their privacy. Common Sense Kids Action, a nonprofit group that co-sponsored the law, will offer free resources at this link to help people monitor their data and that of their children.
What about data brokers?
Under California’s privacy act, data brokers will have to add a button to their websites allowing people to opt out of having their information sold. But many people have no clue who these data brokers are, or how to find the websites where they can click on an opt-out button. So California enacted a follow-up law that will create a state registry of data brokers — but it won’t be available until January 2021.
Will I have to pay more if I opt out of having my data sold? Maybe.
Some privacy advocates are concerned about the provision in California’s law that allows businesses to charge more for their services to people who opt out of having their data sold.
What doesn’t the new law cover?
Saying California’s privacy law doesn’t go far enough, so sponsors of a new state initiative has been filed to be place on the November 2020 ballot. It would make it harder for the Legislature to change the privacy law and add new protections to make California’s privacy law more similar to Europe’s.