California's Big Privacy Law Gets Teeth
- Enforcement of the California Consumer Privacy Act began July 1, after a six-month grace period on enforcement.
- The CCPA gives California residents more control over data held by private companies, and many companies have extended the same controls to all U.S. residents.
- Consumer Reports research shows that people trying to use the mandated controls often run into confusing red tape, and some ultimately give up on the process.
At the beginning of this year, a new law gave consumers in California unprecedented rights to control how companies use and sell their data—and many firms extended those rights to all Americans. But until today, California’s attorney general could not bring the hammer down on companies that didn’t comply.
The landmark California Consumer Privacy Act provided companies with a six-month grace period before enforcement started, and thousands of companies have scrambled to organize their stores of personal data and provide ways for consumers to opt out of their data being sold, or demand that it be deleted altogether.
But many other companies have dragged their feet on the CCPA, privacy and legal experts tell Consumer Reports. Now, they say, how aggressively California Attorney General Xavier Becerra goes after scofflaws will set the stage for consumer privacy rights in California and around the country. Becerra’s office declined to comment on any potential investigations, but he has stressed all along that he’s planning on tough enforcement: In December, Becerra told Reuters that if companies don’t comply, “I will descend on them and make an example of them.”
Confusing Opt-Out Controls
That’s the good news, according to privacy experts. But preliminary research from Consumer Reports backs up anecdotal evidence that many consumers are facing hurdles when they try to exercise their new data rights.
CR followed more than 500 California volunteers through the process of making CCPA opt-out requests. The volunteers contacted hundreds of companies and often ran into confusing red tape. Almost a third of the time, when a volunteer tried to opt out of data sharing, they couldn’t figure out how to do it, even though the CCPA requires companies to provide clear instructions from their home page. For almost one-fifth of the companies in the study, at least one volunteer eventually gave up on trying to opt out.
“We’ve been really disappointed in how many companies have been trying to avoid compliance with the CCPA,” says Maureen Mahoney, a CR privacy and technology policy analyst who is overseeing the study. (The full results will be available later this summer.)
Karen McCall, a resident of Vacaville, Calif., was one of the study participants who gave up on submitting requests. She says she was uncomfortable with the information that one of the companies wanted her to provide: It asked for her Social Security number, and for a selfie holding up her photo ID.
“In order to opt out of my data being shared, they wanted more data than they already had on me—and more sensitive data—and I don’t feel that’s the way the process should work,” McCall says.
CR found that several companies ask people for selfies, government IDs, and Social Security numbers. That’s unfriendly to consumers, says CR’s Mahoney, and may run counter to the law’s intent. “The CCPA pointedly does not require verification of opt-out requests, and making consumers jump through hoops to opt-out will make it more difficult for them to control the unwanted disclosure of their personal information,” she says.
The attorney general is encouraging California consumers to report possible violations of CCPA. “We want to hear about any information you have on a business possibly violating the law—you can file a complaint or write to us,” Becerra said in a statement. The state has a website for filing complaints.
The state might not have to sue a company to get it in line, according to consumer advocates. A sternly worded letter could scare a company into paying attention, Ross says. “It’s not an enforcement action, but if you’re a company and you get one of those letters, your behaviors will change.”
But even as the CCPA grows teeth, some privacy advocates are pushing for stronger protections. In November, Californians will vote on a new ballot initiative put forward by one of the co-authors of the original CCPA, the San Francisco real estate investor Alastair Mactaggart. The new measure is often called “CCPA 2.0” because it would give Californians a whole new set of data rights. For instance, they could demand that a company fix inaccurate data instead of just asking for all data to be deleted. (It also makes several concessions to businesses that some privacy advocates are unhappy about.)
“We’re trying to regulate this world where suddenly there’s a ubiquity of information for those who have the money to procure it,” Mactaggart said at a June 30 Q&A session about the CCPA hosted by Perkins Coie. He said the new ballot initiative, if passed by voters, could prod action in other states or even in Congress. “Because we’re in California, if it happens here, it becomes part of the national discourse.”
If the measure passes—an October 2019 poll commissioned by Mactaggart’s advocacy group put support at about 88 percent—it could send a strong signal that consumers are serious about protecting their privacy. “I hope it’s interpreted that consumers care about privacy and gives legislators more incentive and confidence to push forward with privacy legislation,” CR’s Mahoney says.