California is becoming a monument to how much businesses surveil and abuse its residents, as apps and stores are scrambling to put up "Do Not Sell My Info" notices in compliance with the state's hefty data privacy law.
Under the California Consumer Privacy Act, which goes into effect on Wednesday, January 1, 2020, businesses operating within the state will be forced to provide consumers an option to opt-out of having their data sold, to have their data deleted, and to see data collected about them. Consumers may sue businesses for up to $US2,500 ($3,572) per violation if they don't get it together in time—and up to $US7,500 ($10,715) anytime they intentionally skirt the law.
The act defines personal information broadly, including (but not limited to) identifiers (name, address, online identifier, IP address, etc), purchasing history, geolocation, audio/video, biometric data, inferences made about your personality or psychological trends, and even "olfactory" data (so now you'll likely be able to see if Amazon's smelling you!) The act also allows Californians to see the sources of that data, the types of third parties data is shared with, and how it's been categorised.
The regulations apply to companies that make over $US25 ($36) million annually; companies that buy, sell, or collect data of 50,000 or more consumers for commercial purposes; and companies that make 50 per cent or more of their revenue from selling consumers' personal information. As Reuters reports, this means notices will not only pop up as windows in apps and on Target.com, but even as physical signs in brick-and-mortar retailer outlets like Walmart.
Companies have already been paying up to get ready in time. In August, an independent report sponsored by the California Department of Justice estimated that initial compliance would cost companies around $US55 ($79) billion.
"Most U.S. companies are far from CCPA ready," Altaz Valani, director of research at the software security company Security Compass, told Gizmodo in an email. "U.S. companies with operations in the EU that have proactively made changes to their privacy practices when the GDPR [Europe's General Data Protection Regulation] came into effect are ahead of the compliance curve, but the majority of companies are still in preparation-mode [and] are not expected to be compliant by the January 1, 2020 deadline."
Companies will have to undergo at least three major overhauls: taking accountability for data and its comings and goings over the entirety of a system or app's lifespan; shoring up security architecture; and retraining engineers to think about privacy.
California is effectively doing the duty that the Trump-era FCC reports, job-search site Indeed will give customers who want to opt-out no option except to delete their accounts.
Hilary Wandall, an executive at the privacy compliance company TrustArc, told Gizmodo that she expects companies to update their privacy policies and vendor contracts to get around the do-not-sell rule. "The do-not-sell language is overly broad and no one agrees on the scope," Wandall said. "This is resulting in inconsistent implementation that is likely to result in a lot of consumer confusion."
The initial bill cited Facebook's Cambridge Analytica scandal as the impetus for the legislation, and various other reports over the past year have made rampant consumer data abuse abundantly clear. Last year, the New York Times uncovered apps' extensive collection and dispersal of personal information, including that IBM's Weather Channel app analysed and collected data for hedge funds. In January, a Motherboard reporter gave a bounty hunter $US300 ($429) and was able to locate their phone from data major telecoms sold to middlemen. (T-Mobile told the Times that it'll stop doing that, but it "refused to provide details.") Earlier this month, the Times analysed a stockpile of location data on 12 million people, collected by companies most people have never heard of, with oblique names like "Skyhook," "Gimbal," and "SafeGraph"—the last of which advertises outright to "preview and buy data" of consumer movements.
It seems that in part because data collection is so widespread and the law only applies to businesses operating in California, it's unclear how far this goes, the Times notes. And the act allows businesses to retain data against consumers' wishes for purposes like that which is "reasonably anticipated within the context of a business' ongoing business relationship with the consumer"–which probably means that companies like Facebook (which previously opposed the act) aren't going out of business anytime soon. The social platform, which already allows you to see data they collect, craftily profits off your data by doing the legwork of analysing it themselves and packaging you as part of an ostensibly anonymous demographic for advertisers, a service Facebook argues often is necessary to keep the site running. And if you don't like it, they also like to remind you that you don't have to use its products, knowing that you probably will.
The Times reports that the California Attorney General's office plans to release clearer guidelines for implementation in the middle of 2020.