Last year, California passed the California Consumer Privacy Act, which requires companies to be more careful in the way they handle consumer data. It doesn’t go into effect until next year, and it’s still a work in progress. Big tech companies have been proposing almost constant changes to the law since it passed, while on the other side privacy advocates push for even more teeth. But however the final law is written, companies are also working on compliance, which is clearly confusing and can also be costly.
Host Molly Wood checked in with Jessica Lee, a partner at the law firm Loeb & Loeb advising clients on data privacy regulations. She said some companies are plowing ahead while others are trying to remake things in their favor. The following is an edited transcript of their conversation.
Molly Wood: The law doesn’t technically go into effect until next year. Where are companies now in the move toward compliance?
Jessica Lee: I see two tracks. Because there is a lot of movement on the legislative front, some companies are directing their efforts at engaging in lobbying activities, whether on the state level or trying to push the federal government to pass federal privacy legislation, which in the ideal world for these companies would preempt California. Other companies are at least trying to get started understanding that they might have to pivot or change or update some of the specifics about how they implement.
Wood: What was the overarching goal? What does it require companies to do?
Lee: This is really a bill that focuses on regulating the collection and then the transfer of personal data. There is a definition of sale, so there is a lot of language around restricting the sale of personal data, and sale is defined very broadly. You and I might think of sale as giving data in exchange for cash or some other monetary value; this could be sharing, transferring or disseminating orally an electronic copy for either monetary consideration or other valuable consideration. This really impacts a lot of data sharing deals that aren’t really data broker deals, but they’re deals where data is provided and the recipient gets some value from having it. For example, being able to improve their algorithm. The definition is fairly broad, and I think the goal was really to lift the cover on what happens online, which does involve a lot of data sharing, and to require companies to make more prominent notice about the fact that they’re engaging in that kind of data sharing and give consumers the option to opt out, to have information deleted, corrected, etc.
Wood: The obvious example here is how Facebook is able to say truthfully that it does not sell user data. But the answer to that question of what happens to our user data is still extremely narrow, because lots of app developers and advertisers still have pretty unfettered access to that data. Is that the kind of loophole that this would try to close?
Lee: Yeah, that’s exactly right. That’s the exact type of behavior that this bill is aimed to regulate.
Wood: Do you have a sense of how much it might cost for a company to adapt to a law like this?
Lee: Yeah, it definitely will depend on size and then also how you implement. This is a California regulation, it applies to California consumers. But for many companies, they’ll have to apply this across the board. They won’t have enough information to determine who’s in California or who’s not. Even if they did, it might not make practical sense. This is something that’s going to have a nationwide impact. If you think about what happened for [the General Data Protection Regulation], we got numbers that were anywhere from $1 million to $10 million in terms of what it would cost to implement. I think we’ll see numbers that are similar here because you have the same type of costs. You have project management costs, technical infrastructure, legal fees, because you have to pay your lawyers to help advise on these things, and then the business cost of changing what your program looks like.
Wood: Data is an industry. There are companies who essentially founded themselves on the idea that data would be their revenue stream. Do you think we are getting to the point where regulation might become a deterrent for data as a business plan?
Related links: more insight from Molly Wood
Jessica Lee told us that one thing this bill does is really broaden the definition of the “sale of data” to include all kinds of transmissions of information that have some monetary value attached. California Senate Bill 753 is being considered next week by the Senate Judiciary Committee. This bill would amend the California Privacy Act to say that it’s totally fine if a business passes along to another business harmless information like an online advertising ID, your IP address that shows where you are using your phone or computer, a web cookie that shows your browsing history, information about the device you’re using or “any unique identifier,” as long as the reason they’re sharing that information is so that they can show you an ad or see how well the ad is working. It’s my understanding that yes, that’s the exact reason all our personal information gets shared, so that seems like a pretty big exemption.
It also says that the third party who got your information in order to advertise to you definitely cannot share or sell that information to anyone else, like a third-third-party, unless that company also wants to serve you an ad. Some privacy advocates have pointed out that this would effectively exempt Google and Facebook’s entire business model, which would seem to defeat the purpose. So, like we said, California’s entire privacy law is a work in progress.