The Chaos of California’s New Privacy Law Has Already Begun

December 31, 2019

(Gizmodo) California is becoming a monument to how much businesses surveil and abuse its residents, as apps and stores are scrambling to put up “Do Not Sell My Info” notices in compliance with the state’s hefty data privacy law.

Under the California Consumer Privacy Act, which goes into effect on Wednesday, January 1, 2020, businesses operating within the state will be forced to provide consumers an option to opt out of having their data sold, to have their data deleted, and to see data collected about them. Consumers may sue businesses for up to $2,500 per violation if they don’t get it together in time—and up to $7,500 anytime they intentionally skirt the law.

The act defines personal information broadly, including (but not limited to) identifiers (name, address, online identifier, IP address, etc.), purchasing history, geolocation, audio/video, biometric data, inferences made about your personality or psychological trends, and even “olfactory” data (so now you’ll likely be able to see if Amazon’s smelling you!). The act also allows Californians to see the sources of that data, the types of third parties data is shared with, and how it’s been categorized.

The regulations apply to companies that make over $25 million annually; companies that buy, sell, or collect data of 50,000 or more consumers for commercial purposes; and companies that make 50 percent or more of their revenue from selling consumers’ personal information. As Reuters reports, this means notices will not only pop up as windows in apps and on Target.com, but even as physical signs in brick-and-mortar retail outlets like Walmart.

Companies have already been paying up to get ready in time. In August, an independent report sponsored by the California Department of Justice estimated that initial compliance would cost companies around $55 billion.

“Most U.S. companies are far from CCPA ready,” Altaz Valani, director of research at the software security company Security Compass, told Gizmodo in an email. “U.S. companies with operations in the EU that have proactively made changes to their privacy practices when the GDPR [Europe’s General Data Protection Regulation] came into effect are ahead of the compliance curve, but the majority of companies are still in preparation-mode [and] are not expected to be compliant by the January 1, 2020 deadline.”

Companies will have to undergo at least three major overhauls: taking accountability for data and its comings and goings over the entirety of a system or app’s lifespan; shoring up security architecture; and retraining engineers to think about privacy.

California is effectively doing the duty that the Trump-era FCC has baldly flouted, and the effects look to be fanning out beyond its borders. Home Depot and Microsoft have announced that they’ll be applying this as a blanket policy for consumers nationwide. On the other hand, the Times reports, job-search site Indeed will give customers who want to opt out no option except to delete their accounts.

Hilary Wandall, an executive at the privacy compliance company TrustArc, told Gizmodo that she expects companies to update their privacy policies and vendor contracts to get around the do-not-sell rule. “The do-not-sell language is overly broad and no one agrees on the scope,” Wandall said. “This is resulting in inconsistent implementation that is likely to result in a lot of consumer confusion.”
