An illustration of the State of California and data.
  • Enforcement of the California Consumer Privacy Act began July 1, after a six-month grace period on enforcement.
  • The CCPA gives California residents more control over data held by private companies, and many companies have extended the same controls to all U.S. residents.
  • Consumer Reports research shows that people trying to use the mandated controls often run into confusing red tape, and some ultimately give up on the process.

At the beginning of this year, a new law gave consumers in California unprecedented rights to control how companies use and sell their data—and many firms extended those rights to all Americans. But until today, California’s attorney general could not bring the hammer down on companies that didn’t comply.

The landmark California Consumer Privacy Act provided companies with a six-month grace period before enforcement started, and thousands of companies have scrambled to organize their stores of personal data and provide ways for consumers to opt out of their data being sold, or demand that it be deleted altogether.

But many other companies have dragged their feet on the CCPA, privacy and legal experts tell Consumer Reports. Now, they say, how aggressively California Attorney General Xavier Becerra goes after scofflaws will set the stage for consumer privacy rights in California and around the country. Becerra’s office declined to comment on any potential investigations, but he has stressed all along that he’s planning on tough enforcement: In December, Becerra told Reuters that if companies don’t comply, “I will descend on them and make an example of them.” 

More on Privacy Protections

The new law applies to giants such as Amazon and Google, as well as thousands of large and midsized businesses that you wouldn’t think of as data companies—including online retailers, media organizations, and even restaurants and hotels.

Consumers haven’t been waiting for the grace period to end to flex their new privacy muscles, according to Dominique Shelton Leipzig, a privacy lawyer at the law firm Perkins Coie who advises companies on the CCPA.

Consumers have three major new legal rights under the law: They can ask a company for a copy of all the data the company holds about them, they can tell the company not to sell the data, and they can tell the company to delete the data. Some companies are receiving thousands of such requests every month, Leipzig tells CR.

The requests aren’t just coming from Californians.

“This is essentially a national law,” says Arlo Gilbert, CEO of Osano, a startup that helps companies comply with the CCPA. That’s partly because the law applies to all California residents, even if they travel out of state. It’s just too difficult for companies to know whether someone staying in a hotel elsewhere in the country is a California resident, so many companies have extended the same data rights to everybody in the U.S.

The law has led some companies to make consumer-friendly changes to the way they handle data. A number businesses have decided to dump data they don’t really need, as CR reported earlier this year. That means there’s less sensitive consumer data out there to get lost, stolen, or reused in ways consumers might not like. A number of businesses are also thinking twice about the traditional tech-company practice of collecting personal details they don’t plan to use right away, hoping to make money off it later.

“Businesses for the first time are thinking about what personal information they’re collecting, and getting rid of—or no longer collecting—what they don’t need,” says Mary Stone Ross, a privacy consultant and a co-author of the California ballot proposition that state legislators turned into the CCPA in 2018.

Confusing Opt-Out Controls

That’s the good news, according to privacy experts. But preliminary research from Consumer Reports backs up anecdotal evidence that many consumers are facing hurdles when they try to exercise their new data rights. 

CR followed more than 500 California volunteers through the process of making CCPA opt-out requests. The volunteers contacted hundreds of companies and often ran into confusing red tape. Almost a third of the time, when a volunteer tried to opt out of data sharing, they couldn’t figure out how to do it, even though the CCPA requires companies to provide clear instructions from their home page. For almost one-fifth of the companies in the study, at least one volunteer eventually gave up on trying to opt out.

“We’ve been really disappointed in how many companies have been trying to avoid compliance with the CCPA,” says Maureen Mahoney, a CR privacy and technology policy analyst who is overseeing the study. (The full results will be available later this summer.)

Karen McCall, a resident of Vacaville, Calif., was one of the study participants who gave up on submitting requests. She says she was uncomfortable with the information that one of the companies wanted her to provide: It asked for her Social Security number, and for a selfie holding up her photo ID.

“In order to opt out of my data being shared, they wanted more data than they already had on me—and more sensitive data—and I don’t feel that’s the way the process should work,” McCall says.

CR found that several companies ask people for selfies, government IDs, and Social Security numbers. That’s unfriendly to consumers, says CR’s Mahoney, and may run counter to the law’s intent. “The CCPA pointedly does not require verification of opt-out requests, and making consumers jump through hoops to opt-out will make it more difficult for them to control the unwanted disclosure of their personal information,” she says.

The attorney general is encouraging California consumers to report possible violations of CCPA. “We want to hear about any information you have on a business possibly violating the law—you can file a complaint or write to us,” Becerra said in a statement. The state has a website for filing complaints.

The state might not have to sue a company to get it in line, according to consumer advocates. A sternly worded letter could scare a company into paying attention, Ross says. “It’s not an enforcement action, but if you’re a company and you get one of those letters, your behaviors will change.”

But even as the CCPA grows teeth, some privacy advocates are pushing for stronger protections. In November, Californians will vote on a new ballot initiative put forward by one of the co-authors of the original CCPA, the San Francisco real estate investor Alastair Mactaggart. The new measure is often called “CCPA 2.0” because it would give Californians a whole new set of data rights. For instance, they could demand that a company fix inaccurate data instead of just asking for all data to be deleted. (It also makes several concessions to businesses that some privacy advocates are unhappy about.)

“We’re trying to regulate this world where suddenly there’s a ubiquity of information for those who have the money to procure it,” Mactaggart said at a June 30 Q&A session about the CCPA hosted by Perkins Coie. He said the new ballot initiative, if passed by voters, could prod action in other states or even in Congress. “Because we’re in California, if it happens here, it becomes part of the national discourse.”

If the measure passes—an October 2019 poll commissioned by Mactaggart’s advocacy group put support at about 88 percent—it could send a strong signal that consumers are serious about protecting their privacy. “I hope it’s interpreted that consumers care about privacy and gives legislators more incentive and confidence to push forward with privacy legislation,” CR’s Mahoney says.