Working under a tight deadline, California state legislators cobbled together and passed a sweeping privacy law in just 3 months, with much of the work done in about a week. (By comparison, Europe’s similar GDPR regulation took about four years.) At 31 pages and over 10,000 words, the California Consumer Privacy Act of 2018 (aka bill AB375) could have profound, and still unclear, effects not just in California but in other states that may emulate the law.
Quick recap on what it’s meant to do: By 2020, companies (tech and others) that collect personal information will be required, if a consumer asks them, to reveal exactly what data they have, and what they use it for. A consumer can demand that companies not sell this data to third parties (like the infamously leaky Equifax), and even that they delete all of his or her personal information. A consumer can also sue if unencrypted data is stolen by hackers.
Rushed to a vote, the massive law contains lots of vague, confusing, and maybe contradictory language that will fuel many political and legal fights. Here are five items in the California Consumer Privacy Act (and the sections they appear in) that you’ll be hearing a lot more about.
1) If a company already sold your data, you’re outta luck.
Company A, which collected your data, has to stop selling it–and even delete it–if you ask. But it won’t offer any help with companies B, C, and D that already bought the info. An earlier version of the bill would have required company A to provide “accurate names and contact information” for those other companies. The final version just requires naming “the categories of third parties.” [Section 1798.130 (a) (4) (B)] You’d have to contact every company in those categories and say, “Hi, do you happen to have my personal data?”
2) Non-sharers might get a lower tier of service–or not.
This part is baffling. For people who don’t share data, the law prohibits discriminating, denying goods or services, charging different prices or rates, or providing a different level of quality [Section 1798.125 (a) (1)]. Then, it says that all those things are OK if they are “reasonably related to the value provided to the consumer by the consumer’s data.” Businesses don’t know what to make of this. “No company wants to be caught on the wrong side of what’s reasonably related to the value,” says Daniel Castro, VP at the Information Technology and Innovation Foundation, which opposes the law.
3) You might sell your data, or get a discount for sharing.
After the whole will they/won’t they discriminate part above, the law goes on to say that companies may “offer financial incentives” to people who share data. These could take the form of direct payments, it says, or of different prices (seeming to contradict text just a few lines higher up). Might sharers be able to get discounts at e-commerce sites through a kind of online loyalty card? Who knows, says Castro.
4) There’s no EU-style right to be forgotten.
Legislators specify that “personal information” doesn’t include anything that the local, state, or federal governments publish legally, such as court records. [Section 1798.140 (o) (2)] As for unflattering articles or social media posts, the law affirms a company’s right to: “Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.” [Section 1798.105 (d) (4)] “If you post something about me, like my picture or my name or all this information about me . . . I can’t ask someone to delete that,” says Ariel Fox Johnson, senior counsel at Common Sense Media, which supports the law.
5) Companies can’t use vague wording or sneaky design.
The law gets really detailed about how companies communicate with users. Reminiscent of the “Smoking Kills” label on cigarette packs, companies must “Provide a clear and conspicuous link on the business’ Internet homepage, titled ‘Do Not Sell My Personal Information’” [Section 1798.135 (a) (1)]. The state wants “broad public participation” to help work out all details, including wording of information about consumer rights and even “The development and use of a recognizable and uniform opt-out logo or button,” [Section 1798.185 (a) (4) (C)].