New California privacy law lets people find out exactly what companies know about them - The California Consumer Privacy Act comes into effect on Jan. 1

Authored by cbc.ca and submitted by mvea

California's new privacy law is like "a Freedom of Information Act for private companies," says the former CIA analyst who co-authored it.

Under the California Consumer Privacy Act (CCPA), which came into effect on Jan. 1, consumers can demand companies disclose what data has been collected on them, request that companies delete their data, and stop businesses from selling their data to third parties.

"The heart of the CCPA is this right to know," Mary Stone Ross, a CIA analyst-turned-privacy advocate, told As It Happens guest host Helen Mann.

"So I can go to a business and say, 'What do you know about me or my device or my children?' And they have to tell me."

Ross is the co-author of the law and the associate director of the Electronic Privacy Information Center, a public interest research organization focused on privacy issues.

'Most comprehensive privacy legislation' in the U.S.

The new law is one of the most significant regulations overseeing the data collection practices of U.S. companies. The American Bar Association called it "the most comprehensive privacy legislation in the United States."

It applies to any business that has an annual gross revenue of more than $25 million US, derives more than 50 per cent of its revenue from selling users' personal information, or processes the personal information of at least 50,000 consumers, households or devices a year.

In addition to retailers, the law also affects social media platforms such as Facebook and Alphabet's Google, advertisers, app developers, mobile service providers and streaming TV services.

Shoppers ride escalators at the Beverly Center mall in Los Angeles, Calif. (David McNew/Reuters)

"Right now, Americans are consenting to the collection and use and sale of our personal information without truly understanding what we are consenting to," Ross said.

"Businesses are collecting our precise geographic location. They're collecting biometrics information. They're collecting our health information. And unfortunately ... it's really difficult to find out in plain English what they are collecting. This will change."

Ross said companies that don't comply with the new law will face "massive penalties."

The state attorney general's office can issue fines of between $2,500 and $7,500 US for intentionally violating the CCPA.

"I am worried that even though their office has gotten additional resources, that they still do not have enough resources to go after the extent of the problem," Ross said.

"But I am hopeful that they will take some businesses and use them as examples, encouraging other companies to also comply with the law."

Large U.S. retailers have been rushing in recent months to comply with the CCPA. Walmart and Target are adding "Do Not Sell My Info" links to their websites and putting up signs in their stores.

An economic impact assessment prepared for the California Attorney General's office by an independent research firm found compliance with the regulations will cost businesses between $467 million and $16.5 billion US over the next decade. Industry estimates peg initial compliance costs at over $50 billion.

#CCPA is FINALLY in effect and, wait for it...the internet is definitely NOT broken. Merry New Year. It's going to be an interesting one! —@MarySRoss18

Retail lobbyists and attorneys advising retailers told Reuters the law is overly ambiguous, especially on what exactly constitutes the sale of information.

But Ross says she takes those complaints with a grain of salt.

"Before the law was passed, we spent 2 ½ years really thinking critically about what should be in good consumer privacy regulation, and so I think these are excuses that businesses are using to try to say that they can't comply," Ross said.

Consumer data is "incredibly valuable" to companies, she said.

"That's why they have fought the CCPA tooth and nail and continue to try to weaken the law."

Written by Sheena Goodyear with files from Reuters. Interview with Mary Stone Ross produced by Jeanne Armstrong.

SIXxOFxONE on January 2nd, 2020 at 14:11 UTC »

Fun legal nuggets for those unfamiliar: The law requires businesses (gross rev of 25m or more, 50% of revenue or more from selling data, OR 50k or more records shared for commercial purpose) to provide your data up to one year retroactively...meaning requests made on 1/1/2020 should include all information from 1/1/19 and on. In other words, compliance obligations were triggered before the act went into effect. Note that if you are a Californian who is planning to exercise these rights, businesses have 45 days to respond, should send an acknowledgement of your request, and may ask for verification. Finally, note that while there is a private right of action, the act also contains a cure period, which must be satisfied before consumers can sue under the act.

Not an attorney, and this is not legal advice. Just like to discuss interesting things :)

TipOfLeFedoraMLady on January 2nd, 2020 at 13:56 UTC »

What America really needs is a way to opt out of companies such as Experian. I never opted in yet they got my info stolen and have zero liability.

larvase on January 2nd, 2020 at 13:49 UTC »

How do I go about making these requests to specific companies?