California is becoming a monument to how much businesses surveil and abuse its residents, as apps and stores are scrambling to put up “Do Not Sell My Info” notices in compliance with the state’s hefty data privacy law.
Under the California Consumer Privacy Act, which goes into effect on Wednesday, January 1, 2020, businesses operating within the state will be forced to provide consumers an option to opt-out of having their data sold, to have their data deleted, and to see data collected about them. Consumers may sue businesses for up to $2,500 per violation if they don’t get it together in time—and up to $7,500 anytime they intentionally skirt the law.
The act defines personal information broadly, including (but not limited to) identifiers (name, address, online identifier, IP address, etc), purchasing history, geolocation, audio/video, biometric data, inferences made about your personality or psychological trends, and even “olfactory” data (so now you’ll likely be able to see if Amazon’s smelling you!) The act also allows Californians to see the sources of that data, the types of third parties data is shared with, and how it’s been categorized.
The regulations apply to companies that make over $25 million annually; companies that buy, sell, or collect data of 50,000 or more consumers for commercial purposes; and companies that make 50 percent or more of their revenue from selling consumers’ personal information. As Reuters reports, this means notices will not only pop up as windows in apps and on Target.com, but even as physical signs in brick-and-mortar retailer outlets like Walmart.
Companies have already been paying up to get ready in time. In August, an independent report sponsored by the California Department of Justice estimated that initial compliance would cost companies around $55 billion.
“Most U.S. companies are far from CCPA ready,” Altaz Valani, director of research at the software security company Security Compass, told Gizmodo in an email. “U.S. companies with operations in the EU that have proactively made changes to their privacy practices when the GDPR [Europe’s General Data Protection Regulation] came into effect are ahead of the compliance curve, but the majority of companies are still in preparation-mode [and] are not expected to be compliant by the January 1, 2020 deadline.”
Companies will have to undergo at least three major overhauls: taking accountability for data and its comings and goings over the entirety of a system or app’s lifespan; shoring up security architecture; and retraining engineers to think about privacy.
California is effectively doing the duty that the Trump-era FCC has baldly flouted, and the effects look to be fanning out beyond its borders. Home Depot and Microsoft have announced that they’ll be applying this as a blanket policy for consumers nationwide. On the other hand, the Times reports, job-search site Indeed will give customers who want to opt-out no option except to delete their accounts.
Hilary Wandall, an executive at the privacy compliance company TrustArc, told Gizmodo that she expects companies to update their privacy policies and vendor contracts to get around the do-not-sell rule. “The do-not-sell language is overly broad and no one agrees on the scope,” Wandall said. “This is resulting in inconsistent implementation that is likely to result in a lot of consumer confusion.”
The initial bill cited Facebook’s Cambridge Analytica scandal as the impetus for the legislation, and various other reports over the past year have made rampant consumer data abuse abundantly clear. Last year, the New York Times uncovered apps’ extensive collection and dispersal of personal information, including that IBM’s Weather Channel app analyzed and collected data for hedge funds. In January, a Motherboard reporter gave a bounty hunter $300 and was able to locate their phone from data major telecoms sold to middlemen. (T-Mobile told the Times that it’ll stop doing that, but it “refused to provide details.”) Earlier this month, the Times analyzed a stockpile of location data on 12 million people, collected by companies most people have never heard of, with oblique names like “Skyhook,” “Gimbal,” and “SafeGraph”—the last of which advertises outright to “preview and buy data” of consumer movements.
It seems that in part because data collection is so widespread and the law only applies to businesses operating in California, it’s unclear how far this goes, the Times notes. And the act allows businesses to retain data against consumers’ wishes for purposes like that which is “reasonably anticipated within the context of a business’ ongoing business relationship with the consumer”–which probably means that companies like Facebook (which previously opposed the act) aren’t going out of business anytime soon. The social platform, which already allows you to see data they collect, craftily profits off your data by doing the legwork of analyzing it themselves and packaging you as part of an ostensibly anonymous demographic for advertisers, a service Facebook argues often is necessary to keep the site running. And if you don’t like it, they also like to remind you that you don’t have to use its products, knowing that you probably will.
The Times reports that the California Attorney General’s office plans to release clearer guidelines for implementation in the middle of 2020.