Whether it’s a Social Security number or your mother’s maiden name, it could be easier to find out the personal data companies have about you — and ask them to delete it — starting Jan. 1. That’s when a strict California law goes into effect requiring businesses, including many in Colorado, to make changes like adding a “Do Not Sell My Info” button on their homepage.
The California Consumer Privacy Act applies only to California residents, but legal experts believe all Americans stand to gain more control over their digital data as companies nationwide update privacy policies to get into compliance.
“There is a sense that California’s law is only the start and that there is an anticipation that laws like California will start to come into effect in other states,” said Guy Sereff, an associate attorney specializing in privacy and cybersecurity at Brownstein Hyatt Farber Schreck in Denver. “It’s a preparation mode, almost a sense of there will be some level of compliance required at some point in the future and getting in front of it now is beneficial.”
The California law goes further than any other U.S. law when it comes to who has access to a consumer’s personal data online. Beyond opting out, individuals can ask a company why the data is being collected and sold, learn what types of third-party companies are buying it, and find out what financial incentive the business has for selling it. The law also covers not just an individual’s personal data, but data tied to a household or to connected devices.
That’s a lot of legal legwork for any company, said Elizabeth Harding, an international privacy attorney at Polsinelli law firm in Denver.
“Just updating privacy notices is not going to get you compliant with the CCPA,” Harding said. “You’re telling people what you do, but there’s a lot of stuff in the backend that has to go into actually making sure you can do what you say you’re going to do.”
What does California’s law do?
The genesis of the law dates back to 2017 with Alastair Mactaggart, a real estate developer and privacy advocate in San Francisco. He had self-funded a ballot initiative to stop companies from mining personal data. Then he withdrew it, but only after the state legislature agreed to pass — and passed — a law addressing his privacy concerns. California’s AB 375 passed unanimously.
“This is a new human right. It’s like a new civil right,” said Mactaggart, who became a privacy-rights advocate after a friend who worked as a Google engineer told him, “if people just understood how much we knew about them, they’d be really worried.”
California consumer protections
- Right to know: Gives consumers the right to ask a company how it collects, uses and sells their personally identifiable information.
- Right to delete: Consumers can request that their personal data be deleted.
- Right to opt out: Consumers can opt out of a company’s sale of their personal data. Those under 16 must opt in before their personal data can be sold, and those under 13 must opt in through a parent or guardian.
- No discrimination: If consumers opt out, companies must not retaliate with a reduced-quality service. A business can, however, charge a price difference that is no more than the value of the consumer’s data to the business.
While this is strictly a California law, Mactaggart said he thinks companies, especially larger ones, will have to offer the same terms for any consumer.
“I think it’s really untenable for AT&T to say to a New Yorker, no, you can’t get your information and then to say to a Californian, here it is,” he said. “People will get mad.”
California doesn’t exclude out-of-state companies, which face fines if they do nothing when their California customers ask for their personal and household data to be deleted. Fines are up to $2,500 per violation, and up to $7,500 for each intentional violation.
Whether the California AG’s office will pursue actions against out-of-state firms remains to be seen, but European regulators enforcing the EU’s privacy and data security law announced fines this year of about $123 million against Marriott and $57 million against Google.
Businesses must comply with the California law if they meet any one of these three thresholds:
- Has $25 million or more in gross revenues
- Buys, sells or shares personal data of 50,000 Californians or more
- Makes 50% or more of its revenues from selling data
Smaller companies probably won’t hit the threshold, said Liam Norcup, an attorney at Cochran Norcup, who has worked in Colorado, California and the United Kingdom.
But, he added, “smaller companies should apply a common sense in respect to data privacy, such as not storing any data on unencrypted servers, implementing acceptable-use policies and information-security policies (and complying with them) and providing access to only the employees that require access to such data.”
Chris Achatz, an attorney at Denver law firm KO, is finding that it’s not just the big companies who are updating their policies.
“In our experience, the most common limit that companies hit is the handling of personal data of more than 50,000 Californians because the definition of personal information is so broad,” Achatz said. “Personal information is anything that relates to an individual.”
That includes an IP address, browsing history, purchase records, biometrics, geolocation, olfactory data, and employment- or education-related information. Of course, it includes the usual identifiers too, like email addresses and passport or driver’s license numbers. According to the law, personal information is anything that “could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA requires companies to put a “Do Not Sell My Info” button on their homepages. That may be the easy part. Companies also need a verification system to make sure the consumers making requests are who they say they are, so that a deletion or access request cannot be used to expose or erase someone else’s data. They also must create a system to respond to consumers’ requests, keep track of them and meet the law’s deadlines.
Companies can, however, charge a different rate to those who opt out with the difference no more than the value of the consumer’s data.
Colorado and data privacy
American consumers have long traded personal privacy for freebies online — free access to news sites, videos, apps and shopping discounts in exchange for allowing sites or advertisers to track a user’s online preferences and whereabouts.
But several changes are at play to create a new attitude toward personal privacy. There’s a heightened awareness among consumers these days to take control of their data, especially after numerous online security breaches and the Facebook loophole that let political consulting firm Cambridge Analytica collect personal data from unsuspecting users.
There are also more states considering their own laws. Opening privacy policies to all consumers nationwide today could reduce the time spent on updating procedures when a new state law passes later, said Sereff, with Brownstein.
“By putting in a comprehensive program, it does give you, potentially, the flexibility to add small bits to your compliance program if there is a specific requirement that you have to address within a state,” he said.
Sereff said many clients updated their policies last year when the European Union’s General Data Protection Regulation, or GDPR, went into effect. That required companies worldwide to protect the data of people in the EU and to delete it on request, giving them “the right to be forgotten.” Complying with California’s law was easier for many of those clients since they weren’t starting from scratch.
There’s a benefit to consumers when regional privacy laws force out-of-area companies to comply, said Achatz, with KO.
“We will have additional details of how companies use and manage personal information as a general matter. There are many companies that will uniformly address a request for access or deletion from any U.S. resident,” Achatz said. “Many of the companies we’re working with are doing that, even Colorado companies are choosing to do that just to be privacy forward.”
Currently, only three states — California, Nevada and Vermont — have a data-privacy law, according to the National Conference of State Legislatures. The NCSL also tracked at least 25 states that considered some sort of data-privacy bill in their last session. Colorado was not among them.
Few believe a federal law will be adopted within the next several years.
In Colorado, the state adopted a data-protection law last year that was considered one of the nation’s strictest. It required companies storing a Coloradan’s personal data to have a data-protection policy that includes a system to notify customers within 30 days of a data breach. It also required companies to destroy the data when no longer needed.
But a key reason for the Colorado law was to prevent identity theft and hold companies accountable for personal data they store. It didn’t touch on consumer-privacy issues.
“What’s lacking in Colorado is this more nuanced, transparency piece, the do-you-have-a-good-reason-for-having-this-data piece,” said Harding, with Polsinelli. “I think that certainly Colorado could have gone further, and I’ll be honest, I suspect with the current AG, we might see some movement now because (Colorado Attorney General) Phil Weiser, he’s a very pragmatic person but he’s also publicly made statements to say, look, if we don’t have federal legislation around the protection of the data then it’s down to the state to do that.”
The cost of compliance
According to a report prepared for the California AG’s office, compliance will cost California businesses between $467 million and $16.5 billion. That works out to an initial cost of about $50,000 for small firms with fewer than 20 employees, $450,000 for firms of up to 500 employees and $2 million for the largest companies.
Harding, with Polsinelli, estimated that costs can be $30,000 to $50,000 and more for larger companies. That includes updating privacy notices, figuring out the consumer data collected, evaluating vendor agreements and making sure there are adequate responses for consumers. Her firm also has seen interest from smaller companies that don’t have to comply but plan to grow large enough to one day be liable. Her firm added a kit to help these emerging-growth companies.
“My favorite thing with privacy generally is that everything’s fine until it’s not,” she said. “The regulators are not going to come knocking on the door doing an audit. But either you have a breach, a security incident, or somebody makes a complaint, then from past experience with GDPR, the regulators will come look at that. And then they’ll say, ‘Oh, and by the way, where’s all your other compliance stuff?’”
Just going through the process of getting into compliance has helped some clients realize they don’t need all that personal data, Harding said.
“From a business perspective, I think it’s a good thing because it really does force businesses to be more responsible about the data that they’re using and (ask) ‘Why do I keep this data?’” she said. “Asking those types of questions as part of a privacy-policy review can help really reduce risk for companies because, of course, the big risk for all of these companies is if there’s a data breach. Do I really need that data? And if the answer’s no, that’s one data set less that you have to deal with if you have a security incident.”