California Privacy Law Prompts Companies to Shed Consumer Data
For retailers, airlines, and other businesses, people’s personal information suddenly can seem more trouble than it’s worth
Last year, a major U.S. airline went looking for all the things it knew about its passengers. Among the details it had gathered, the company found, were consumers’ food preferences—information that seems innocuous but that could also reveal a passenger’s religious beliefs if they select a kosher or halal meal. So the airline decided to stop saving the food-preference information, according to Integris, the data privacy startup that helped the airline review its data practices. (Integris declined to name its client.)
Instead, the airline will ask passengers what they’d like to eat before every flight.
Recently, treasure hunts like this one have been taking place across industries and all around the country. Companies are mapping the data that they own, and some, like the airline, are proactively scrubbing sensitive information to avoid trouble.
When companies cut back on hoarding sensitive data, consumers win. Less of their private information is susceptible to data breaches and leaks, viewable by unscrupulous company insiders, or available to be sold to data brokers or advertisers.
This is a surprising turn: Data about consumers can be wildly lucrative—it fuels a $100 billion-plus digital-advertising industry, among other things—and companies generally like to gather as much of it as they can. But something changed this year. A new state law, the California Consumer Privacy Act, or CCPA, has turned data from an unadulterated asset into a potential liability.
Hunting Down Personal Data
Complicating matters is that many companies don’t even know what personal consumer information they’re holding. (The California law defines personal information very broadly, and it’s not limited to digital records.)
Over time, sensitive data may have metastasized across a company’s servers—and for older companies, decades of records can be stuffed into basement filing cabinets. One large clothing company preparing for the CCPA spent two months digging up paper receipts from years past, says Kimball Dean Parker, CEO of SixFifty, a subsidiary of the law firm Wilson Sonsini that helps businesses like this one navigate the law. (Parker asked CR not to name his client.)
“It’s surprising how many businesses have no idea how much personal information they have,” says EPIC’s Ross. “It shouldn’t be that way. One of the purposes of privacy regulation is to force a business into self-reflection: Do I really need this piece of information to perform a business function?”
That introspection is driving some firms to just delete sensitive data—or avoid gathering it altogether. “Businesses are actually better served if they collect less data and prove to customers that they’re treating their data with a higher level of care,” says Arlo Gilbert, co-founder of Osano, a data privacy startup.
Several privacy experts and lawyers tell CR that many companies in various industries are making these changes. But firms are extremely tight-lipped about their efforts, in part to avoid drawing the California attorney general’s attention. Of the two dozen companies CR contacted for this article, only three agreed to speak on the record about what they’re doing.
In one example, Personal Capital, an online investment service, says it has begun automatically deleting user data when a customer closes an account, after a government-mandated waiting period expires. “In all the places we could, we looked at it from the perspective of, ‘Okay, is this data that we don’t need anymore? Are we done with this? Then let’s just get rid of it,’” says Maxime Rousseau, the company’s chief information security officer.
Blackboard, a leading educational tech platform, says it didn't need to do much to adjust to California’s new law because it was already complying worldwide with the much more stringent European law, the General Data Privacy Regulation. The company shared examples of tweaks it made ahead of GDPR that probably mirror smaller companies’ moves ahead of the CCPA. In one product, for example, it stopped asking students and teachers for several types of personal information, including their birthday and mailing address.
The California law covers companies that bring in more than $25 million in revenue annually, deal with the personal information of more than 50,000 Californians, or make at least half of their money selling personal information. That would seem to spare smaller firms—but the scramble to shore up data privacy has begun to trickle down.
Big companies worried about painful penalties are asking their vendors far more questions than before about the information they collect and store about users, or baking privacy and security requirements into contracts, says Christina Cacioppo of Vanta, a data security company that works mainly with startups.
That’s because a large company can be punished even if its vendors fumble customers’ personal data. “A company subject to the CCPA must now be more vigilant in vetting, contracting, and overseeing its vendors,” says Stuart Kupinsky, Blackboard’s chief legal officer.
The scrutiny is much more intense during investment rounds or mergers and acquisitions, too, says Dominique Shelton Leipzig, a partner at the law firm Perkins Coie. Leipzig says she has seen deals fall through because of a company’s bad privacy practices.
“Founders now see it incumbent upon themselves [to make sure] if there’s any data being collected about people that the proper disclosures are being made,” says Shahin Farschi, a partner at the venture capital firm Lux Capital. “It is a question they will certainly be asked by investors, customers, partners, and potential future employees, acquirers, and the public markets.”