Confusion abounds as California’s online privacy law kicks in

Enacted in 2018 over the vigorous objections of Silicon Valley tech giants, California’s first-in-the-nation online privacy law took effect Jan. 1, 2020. But with the staff of state Attorney General Xavier Becerra still far short of finalizing an enforcement framework, it’s unclear what effect the California Consumer Privacy Act will have in the short term.

The law’s most important provisions appear straightforward. Californians can ask companies which collect information online what information they have on them. Companies must delete this information upon request. Websites with third-party trackers must make it easy for consumers to opt out of having their information sold by having a visible button allowing them to quickly do so on their home pages.

But echoing the warnings of the California Chamber of Commerce, there’s confusion on how much information companies can retain on their customers – as opposed to information on those who have visited websites or use phone applications. There are also questions about what constitutes the sort of data that consumers should be able to control.

Facebook, Google have different view of law’s scope

“Companies have different interpretations, and depending on which lawyer they are using, they’re going to get different advice,” privacy software executive Kabir Barday told the New York Times.

This is plain in the contrasting plans of California’s two most high-profile tech firms.

Facebook told advertisers in early December that it had no plans to change data-collection policies because it doesn’t believe that “routine data transfers” about consumers fit the definition of selling data contained in the California law, according to a Wall Street Journal report.

Google, however, has put up a website that says the company welcomes the California law and will fully adhere to its intent of letting consumers control their personal data. The company is telling advertisers that consumer data can only be used for fraud detection or to measure online views of ads – and never to try to ascertain the buying habits or product searches of individuals.

Meanwhile, the Experian credit-reporting service told Becerra’s office that it strongly objected to having to provide consumers with “internally generated data” about them, arguing that such information is proprietary and isn’t akin to snooping on individuals’ online search habits and histories.

The Evite company that lets people send out personalized online invitations to parties or events has taken a different tack: using its privacy policy page to make the case to users that the information it collects is used in benign ways that benefit users and improves the services Evite offers.

The law does not apply to businesses with annual revenue of less than $25 million that do not buy or sell personal information on at least 50,000 people a year.

Becerra expects to have guidelines finished by summer

Becerra issued draft guidelines for how the law would be implemented in October. His office is now evaluating the complaints and comments it got from privacy activists, affected companies and others. The goal is to have the regulations in place by the middle of the year.

A key question going forward is how hard Becerra will come down on the 100-plus “data broker” firms in the U.S. which accumulate and sell the most personal of information yet have managed to escape much attention. An investigation posted by the Fast Company media website last March detailed how “if you use a smartphone or a credit card, it’s not difficult for a company to determine if you’ve just gone through a break-up, if you’re pregnant or trying to lose weight, whether you’re an extrovert [and] what medicine you take.” Jewelry sellers, for example, can get customized lists of which consumers have a history of buying expensive gifts on Valentine’s Day.

The firms’ ability to provide such detailed, specific information could be widely curtailed if enough consumers opt out of sharing their personal information – at least if they’re based in California or a state or nation with similar rules. But since such data mining can be done about Americans by companies based in nations with no such rules, it’s certain to continue. A likely future policy fight is over whether California companies should be banned from obtaining such personal information from firms that don’t honor online privacy laws like the Golden State’s.