Three questions on California’s new privacy law

The Explainer

Passed unanimously by the state’s legislature in June 2018, the California Consumer Privacy Act (CCPA) took effect on Jan. 1. Aimed at giving consumers in California more control over their personal data, the law could extend far beyond the Golden State’s borders.

“If we do this right in California,” said the attorney general, Xavier Becerra, in a November press conference, the state will “put the capital P back into privacy for all Americans.”

Critics of the law, which runs more than 10,000 words, say that it places unreasonable restrictions on businesses, and that it may impact California’s economy far more than what its advocates bargained for.

What does the law do?

California real estate developer Alastair Mactaggart spent $3 million collecting signatures for a ballot initiative, one whose popularity quickly gained steam amid news of high-profile privacy leaks. State lawmakers viewed the initiative as risky, stepped in to draft their own law, and Mr. Mactaggart withdrew the initiative.

The law requires businesses to tell consumers what information they are collecting about them, why they are collecting it, and who they are sharing it with. It grants customers the right to opt out of having their data collected and to have their information deleted, and it prohibits companies from reducing the quality of service for those who do so. It also makes it more difficult to gather data on people under 16. The legislation also makes it easier for consumers to sue companies for a data breach.

The CCPA affects California businesses that collect personal data from 50,000 people or more yearly or whose annual revenues top $25 million. A study conducted by the state’s Department of Justice estimated that it will impact between 15,000 and 400,000 businesses. Up to half of those are classified as “small” businesses. And even brick-and-mortar stores that do relatively little of their business online could still require CCPA compliance.

“This is not about the internet,” says Eric Goldman, a law professor at Santa Clara University School of Law who specializes in internet law. “This is about Joe’s Pizzeria.”

Why did the law come about now?

Since 2016, public animosity toward Silicon Valley has intensified, particularly in the wake of the Cambridge Analytica scandal, in which a U.K. political consulting firm working for the Trump campaign collected raw data from up to 87 million Facebook profiles.

“It’s impossible for consumers to ignore the constant flow of coverage of the missteps made by technology companies,” Professor Goldman says. “Consumers have lost trust in some of the major internet companies across all facets of their businesses.”

That said, while the law seems to be aimed directly at Facebook, it will have indirect effects on a wide range of businesses across the state, and, because so many global technology companies are based in California, the world.

Ironically, Facebook, which has more than $52 billion in cash on hand, can probably afford the costs of complying with the law. “Facebook is going to be just fine,” Professor Goldman says. “But it’s their competitors we should be worried about.”

How is the law apt to change privacy?

The effectiveness of this law and its long-term effects are hard to predict. The law has come under criticism from many privacy experts, including Professor Goldman, for being poorly thought out – it was rushed into existence in just seven days, with only modest revisions since. They have argued that it is difficult and expensive for businesses to comply with, and could result in poor handling of user data. Some critics have noted that the law could also violate the First Amendment.

And Mr. Mactaggart isn’t done. He has submitted a new ballot initiative that would beef up the existing law.

But the CCPA is nonetheless inspiring a number of state legislatures to mull tougher digital privacy laws; Nevada and Maine have already passed them. On the federal level, the Senate held a hearing in December to discuss a federal standard. A Democratic proposal, submitted by Sen. Maria Cantwell of Washington, would not supersede state laws but would make it easier for consumers to directly sue companies. The Republican framework, proposed by Sen. Roger Wicker of Mississippi, would preempt state data privacy laws.