How California is rewriting the law on online privacy
- How much information do companies have about us?
- How did California's new law come about?
- What does the new privacy law do, exactly?
- How big a change is this?
- How do I use this new law to protect my privacy?
- What about data brokers?
- How much is my data worth?
- Will I have to pay more if I opt out of having my data sold?
- Why are we doing this?
- What doesn’t the new law cover?
- What are other states doing?
- Is there going to be a nationwide policy on data privacy?
Our actions online have created a vast trove of information worth billions of dollars. Every time we search, click, shop, watch, send, receive, delete or download, we create a trail of data that companies can use to figure out our tastes and interests. We also hand over information when we use social media or loyalty programs at our favorite stores.
This data has formed the foundation of the internet economy, allowing advertisers to better target the people they want to reach — whether that’s a company that wants to sell you something or a politician who wants your vote.
But many Americans have grown concerned about what else can happen with all this data. Hackers have stolen it from email providers and credit card companies. Facebook was fined $5 billion for mishandling information on millions of people that political consultants exploited to influence the 2016 presidential race. Health apps have been criticized for sharing their users’ most intimate details — including when they have sex or ovulate.
Responding to outcry that technology companies have invaded consumers’ privacy, California became the first state in the nation to pass a law giving people more control of their digital data. The new rules took effect on January 1. This explainer will walk you through what California is — and isn’t — doing to give you options to protect your privacy.
How much information do companies have about us?
In 2018, a writer downloaded his data from Google and Facebook and published an article about it in The Guardian. The amount of information the companies had about him was mind blowing:
- The Google data was the equivalent of 3 million Word documents
- The Facebook data was about 400,000 Word documents
- Histories of every location he’d been in the last year (with the time and date he was there)
- A calendar of which events he added and which ones he actually attended
- All the photos he’d ever taken with his phone (including when and where they were taken)
- Every email he’d ever sent or received (including those he deleted)
“They also have every image I’ve ever searched for and saved, every location I’ve ever searched for or clicked on, every news article I’ve ever searched for or read, and every single Google search I’ve made since 2009. And then finally, every YouTube video I’ve ever searched for or viewed, since 2008,” Dylan Curran wrote.
How did California’s new law come about?
It all started with some dinner party chitchat between a San Francisco real estate developer and a Google engineer. The engineer told the developer that Americans would freak out if they knew how much information Google has on them. The developer then spent $3.2 million to put an initiative on the California ballot that would give people more control of their digital data.
Tech companies put up $1 million to fight the ballot measure before deciding they’d rather not wage a public campaign against consumer privacy. The developer, Alastair Mactaggart, agreed to take his measure off the ballot if the Legislature would pass a privacy law.
Lawmakers had caved to pressure from tech companies in 2017 and let a privacy bill stall. But Mactaggart’s initiative forced them to act, and the two sides worked out a compromise that lawmakers passed in 2018. Mactaggart won a nation-leading privacy law. Tech companies won limits on the ability for people to sue over privacy violations. And both sides won the ability to keep lobbying for changes for a year before the law took effect.
Throughout 2019, tech companies lobbied to weaken the bill while privacy advocates lobbied to toughen it by, among other provisions, giving consumers more ability to sue. (Privacy advocates were divided on that detail; Mactaggart did not advocate for more power to sue, but many other groups did.) When lawmakers gaveled down for the year, however, neither side had won any significant changes to the privacy law.
What does the new privacy law do, exactly?
The law gives Californians new rights and businesses new responsibilities. It does not apply to journalistic coverage and nonprofit organizations. Businesses must comply if their revenues exceed $25 million a year, if they get at least half their annual revenue from selling consumers’ personal information, or if they buy or sell personal data of at least 50,000 households a year. That means as many as 500,000 companies are likely to have to follow the law.
How big a change is this?
Depends on your perspective. On one hand, California’s privacy law is the strongest in the United States, giving consumers a new level of control that may become the national standard. Companies are spending an estimated $55 billion to comply, largely on updates to their policies and systems.
On the other hand, the law doesn’t stop companies from collecting personal data — it just gives people more ways to know what’s being collected and ask that their information be deleted. In other words: the impact of the law may rest in how many people exercise their new rights.
The biggest change most Californians likely will see is a flurry of notices that companies have updated their privacy policies. If you click through these emails and read the privacy policies, you may notice a California-specific section, such as this one from Kohl’s. You’ll also see directions on how to request the data the company has about you and how to ask that it be deleted.
How do I use this new law to protect my privacy?
Even with the new law, scrubbing your information across the internet remains a pretty painstaking process. You have to request to see your data, and request that it be deleted, individually from each company that has it. If you want businesses to stop selling your data, you have to separately request that from each individual company that has it, too.
Most companies are including directions in their updated privacy policies, so you may have to scroll through a lot of text to find out how to request your data. Some businesses have tools allowing you to access your information without filing a request:
Asking a company to stop selling your data involves a different process and is not available at every site. That’s because businesses disagree about what constitutes a “sale” of personal information under the new law.
Some websites are posting prominent buttons saying “do not sell my personal information.” Others are adding the phrase in small type at the bottom of the page. Clicking leads to a form you must complete, and, in some cases, an email asking you to verify your request.
Experts anticipate that commercial services will soon emerge to help consumers use the new law to protect their privacy. Common Sense Kids Action, a nonprofit group that co-sponsored the law, offers free resources at this link to help people monitor their data and that of their children.
What about data brokers?
“There are other ways they utilize personal information that secure their market position and still bring them monopoly revenues without having to sell information,” said Dipayan Ghosh, a former Facebook executive who is now co-director of the Digital Platforms & Democracy Project at Harvard.
Instead, these companies aggregate users’ data and sell advertisers access to them based on categories such as age bracket, geographic region, buying habits or hobbies.
Data brokers are different. They scoop up loads of personal information from various sources, combine and organize it, then sell it to advertisers. For example, they sell lists of people:
- likely to spend at least $100 on their sweetie on Valentine’s Day
- considered “campus trendsetters” for back to school shopping
- planning beach vacations or international trips
Data brokers may know:
A review by Fast Company found 121 data brokers operating in the United States, calling it a “bustling economy that operates largely in the shadows, and often with few rules.”
Under California’s privacy act, data brokers will have to add a button to their websites allowing people to opt out of having their information sold. But many people have no clue who these data brokers are, or how to find the websites where they can click on an opt-out button. So California enacted a follow-up law that will create a state registry of data brokers — but it won’t be available until January 2021.
How much is my data worth?
“California’s consumers should… be able to share in the wealth that is created from their data,” Gov. Gavin Newsom said a few weeks after he was inaugurated in 2019.
He directed his staff to come up with a proposal for a “data dividend” for Californians, but has yet to release any details on how it might work. One idea, floated by Facebook co-founder Chris Hughes, would be to structure a data dividend similar to the way Alaska shares the wealth from its oil by sending annual checks of $1,500 to each resident. (Another former Facebooker panned the idea.)
So, how much is our data worth? There’s not one agreed upon method for calculating the answer, but here are a few estimates economists have come up with:
Will I have to pay more if I opt out of having my data sold?
Some privacy advocates are concerned about the provision in California’s law that allows businesses to charge more for their services to people who opt out of having their data sold.
“Privacy is not something that should be available only to rich people. It should be available to everyone,” said ACLU attorney Jacob Snow.
The law says the price differential would have to be commensurate with the value of a customer’s data. Snow cautions this may lead to a two-tiered internet economy — one for Californians who pay with money, another for those who pay with personal data.
But if price differentials like that emerge, they’re unlikely to roll out immediately. That’s because even though the law takes effect in January, the attorney general is still developing rules that will guide how much more businesses can charge.
“There is going to be a little bit of a warm-up period on some of this,” said Internet Association lobbyist Kevin McKinley.
Why are we doing this?
What doesn’t the new law cover?
Saying California’s privacy law doesn’t go far enough, Mactaggart is now back with a new initiative he’s aiming to place on the November 2020 ballot. It would make it harder for the Legislature to change the privacy law and add new protections to make California’s privacy law more similar to Europe’s.
What are other states doing?
In 2018, California and Vermont were the first states to pass data privacy laws (though Vermont’s is narrower, focused only on data brokers). The next year, about half the states introduced legislation on data privacy. Several of the state laws that passed only require further study of how to regulate consumer privacy. Nevada and Maine passed laws similar to California’s, and Illinois passed a law prohibiting genetic testing companies from sharing personal data with health and life insurance companies without written consent from the consumer.
Is there going to be a nationwide policy on data privacy?
Hard to say. Several bills have been introduced in Congress but they have not advanced very far. Microsoft has announced that it will make the privacy controls required under California law available to all its customers in the United States. If lots of companies follow suit, California’s law could become the de facto standard nationwide.
“It’s going to be unworkable to have a balkanized approach to data privacy,” said Dan Jaffe, an executive vice president of the Association of National Advertisers. “But what a national law will look like is up in the air.”
Privacy advocates hope any law that comes out of Washington will use California’s provisions as a baseline.
“If they want to add regulations we are OK with it, but not with repealing any piece of the California Consumer Privacy Act,” said privacy campaign spokeswoman Robin Swanson.
No matter what, it seems California is bound to shape any national policy that may emerge, not only as the home of Silicon Valley but also as home of both Democratic House speaker Nancy Pelosi and Republican Leader Kevin McCarthy.
“They would be hard pressed to override a law that gives rights to Californians,” Swanson said.