Who's Selling Data? New California Privacy Law Gives Users More Control


California's attorney general is now able to enforce the state's newest consumer privacy law, and voters could extend protections even further in November.

With more streaming services on the market than ever and a global pandemic incentivizing people to stay at home, it's not a leap to assume the amount of data being collected about viewing habits has hit a fever pitch. And it's happening as California's newest data privacy law has become ripe for enforcement and an even stronger version has been approved for the November ballot.

July 1 marked the first day California Attorney General Xavier Becerra could enforce the California Consumer Privacy Act (CCPA), a law that aims to protect personal data and increase transparency about what information is collected online and sold to third parties.

"Companies make money by serving the right ad to the right person at the right time," says Loeb & Loeb Privacy, Security & Data Innovations co-chair Jessica Lee. "In theory, it should be a win-win, but the concern is that the data that gets shared isn't clear to the consumer and there are privacy concerns."

After several rounds of public comment, Becerra's office on June 1 released its final proposed regulations, a layer of rules in addition to what's written in the law.

"It’s not perfect, but in the first draft these regulations were extremely challenging," says Lee. "The second version walked some of them back and was a lot more business-friendly. This lands us somewhere in the middle. There are some new obligations that were introduced that put burdens on companies that have to comply, but it’s a decent compromise."

The requirements include providing a prominent and easy-to-understand notification of what information is being collected; an opt-out for consumers who don't want their information sold to third parties; and a privacy policy written in "plain, straightforward language" that avoids technical and legal jargon. Businesses, except those that are exempt like nonprofits and corporations with annual revenue of less than $25 million that don't trade much in consumer data, must also respond to reasonable, verified requests to delete information by either erasing it, deidentifying it or aggregating it with that of other consumers.

Daniel Goldberg, a privacy and data security attorney at Frankfurt Kurnit Klein & Selz, says it was surprising that there were no substantive changes to the proposed version that was released in March, noting “it makes me think the AG is eager to enforce the regulations as soon as statutorily permitted.”

The law as written in the statute can be enforced now, even if Becerra's regulations can't. They're awaiting approval from the California Office of Administrative Law, which could take longer than usual thanks to an executive order from Gov. Gavin Newsom that gives state agencies an extra 60 days to finalize regulatory changes amid the coronavirus pandemic. That means, even though Becerra requested expedited review, it could be Sept. 1 before the OAL signs off.

"Many of the problematic issues remain," Mark McCreary, co-chair of Fox Rothschild's Privacy & Data Security practice, says of the final CCPA regulations. The vagaries he's concerned about include what constitutes a sale and what's considered reasonable data security. He also says guidance had been removed that addressed if the way a business maintains certain data affects whether it’s considered personal information. (One example he offered was IP addresses only being dubbed PI if they could be linked to an identifiable consumer or household.) Says McCreary, "Unfortunately, much of the clarity that could have been provided will likely have to be decided through litigation or be replaced by the highly anticipated California Privacy Rights Act (CPRA), which will be on the ballot in November 2020."

One aspect of Becerra's regulations that could be challenging for some businesses is the requirement that organizations recognize and honor a browser's do-not-track signal. 

"Most browsers have settings where you can click ‘do not track me,'" explains Rachel Marmor, a data privacy expert at Davis Wright Tremaine. "That’s been around for some time, but there’s no great set of guidelines as to [what happens] when an organization sees a browser-visited website with the ‘do not track’ signal activated and what that means in terms of the precise data they can and cannot collect from that person."

She notes that data collection is required for some sites to even display properly and the lack of specificity in the rules creates conflict when a user has opted in for data collection on a particular website but also has the general 'do not track' feature activated on their browser.

"If the organization is not allowed to collect any data at all in this instance, that’s a much broader obligation than exists under the CCPA," she says, adding that the statute doesn't regulate collection for internal use and otherwise only applies the opt-out to data that's sold to a third party. "It’s really not clear how organizations are supposed to respond to this mismatch — particularly if an individual has separately chosen to opt in."

Voters on Election Day will decide whether CPRA becomes the new operating law in 2023. Marmor says it's expected to pass. "I think the overwhelming feeling is that voters will see a bill that gives them more choices about their privacy and will be in favor of having those choices." 

The CPRA would take the rules up a notch by, among other things, extending protection to data that is shared, not just data that's sold; enhancing penalties for mishandling children's data; and expanding the type of information considered sensitive. It also shifts rulemaking authority and enforcement of the law from Becerra's office to a new California Privacy Protection Agency — but, just as its predecessor, it largely leaves the burden on consumers and only protects those who take the steps to protect themselves. Still, privacy experts generally agree it’s a step in the right direction.

While the CPRA wouldn't go into effect for two and a half years, Marmor says now's the time to get to know those rules. "The technical processes that have to change to facilitate opt outs are rather complicated," she says. "It's important for a business to understand now what activities they're engaging in that are going to be subject to the opt out and think strategically about the best way to implement it."

A version of this story first appeared in the July 8 issue of The Hollywood Reporter magazine.