A comprehensive law aimed at rewriting California’s Internet rules will take effect on January 1,media reported. Most businesses with websites and customers in California,” or most large U.S. companies, must comply with new rules that should make online life more transparent and creepy for users.
The only problem: No one knows how the new rules work. The California Consumer Privacy Act begins with a simple premise: People should be able to know whether companies are selling their personal information, see what information companies have collected, and opt out of the system.
But it doesn’t seem easy for the fast- and largely opaque online data economy. Over the past two decades, technology companies have built a deep system that tracks the habits and identities of millions of users every day for a second second every day, then exchanges or sells that information to further adjust their marketing, advertising, and business strategies.
Due to the technical complexity of the system and the tight time frame for implementation, many basic questions remain unanswered. What does “sell” mean? How do companies determine that they want to delete data from the right people? Does having just one website that tracks how many people visit each year mean you have to get involved in regulating the “jungle”?
The Attorney General’s Office, which interprets and enforces the law, issued its first round of draft legislation in early October. The final decision won’t be finalized until 2020, and the law won’t be implemented until July.
At the same time, businesses are scrambling to make sure they don’t break the basic principles of the law. Large companies are entering into deals with companies that specialize in compliance to create “Don’t sell my personal information” buttons (and make sure they work) on their sites. Small companies are setting up e-mail accounts to process customer requests, or just bet on the attorney general’s trouble spending on starting to look for them.
“No privacy lawyer in the industry is working around the clock to prepare for January 1,” said Michael Hahn, general counsel at Interactive Advertising Bureau.
It began when San Francisco real estate developer Alastair Mactaggart had a disturbing conversation with Google engineers about digital privacy at a cocktail party. He decided to raise money for the 2018 vote. Sacramento lawmakers reached an agreement to turn it into law.
In the data economy, users’ personal information can be used for lightning-fast transactions, such as real-time auctions after each online ad, and stored in a database for decades. Sometimes, companies sell personal information (the location, age, or even name of a person) without any contact information and no easy way to verify that person’s identity. The result is blurred overall monitoring and record keeping the answers to seemingly straightforward requests, such as “Tell me about me” and “Stop selling my information.”
For businesses, the effect has reached a numerical equivalent of requiring every driver in the state to install a new catalytic converter on their car or face a fine – without sharing any of the required upgrades. The 2019 report commissioned by the attorney general’s office estimates that compliance with the law could result in $55 billion in upfront losses for affected companies and could add $16 billion over the next decade. Lawmakers who set the rules argue that chaos is necessary to control an industry that has been out of control for decades.
“It’s a wild west,” said Senate Majority Leader D-Van Nuys of California. There will always be some disputes, but the key is to keep an eye on it and make it workable, but it’s all about protecting consumers. “Once it becomes clear that it will become law, companies affected by the new rules will abandon their opposition to them.
At a meeting in Los Angeles in early December, representatives of powerful trade groups and individuals said that during the consultation period for the next round of draft regulations, it was more of a show of confusion than opposition.
Peter Watson, a board member of the California Self-Storage Association, asked a basic question: Which businesses must comply with the law?
The California Consumer Privacy Act applies only to companies with more than $25 million in revenue or more than 50,000 visitors. Other issues revolve around what appears to be contradictions: in some cases, companies may need to ask for more personal information before they can execute a request for users to delete or obtain copies of all their personal information.
“The vast majority of companies affected by THE CCPA use technology, but not technology companies,” says Bo Kim. Therefore, the data allocated on any existing balance sheet has no specific value. “
The broadest impact of the new law falls on the online advertising economy and the companies that rely on it, including tech giants such as Facebook and Google, as well as media companies such as the Los Angeles Times. The core mechanism of the online advertising world is called real-time bidding: behind every ad on a page, including that one, there is a series of near-instantaneous deals.
The page itself collects data on the reader by using a digital tracker. The page then sends the user information to the pipeline along with a specific set of rules, for example, which ads it is willing to show and at what price. The ad trading platform then immediately arranges an auction for the space and the user, usually seeking the highest bid among ad buyers who have pre-entered their preferred target, price, and ad appearance. Once the whole process is complete (about a few seconds), the ad will appear.
Today, each entity typically saves all the data it can store later. The more information a web page learns about a user, the higher the price it can charge for an ad, and each small piece of information can be added to the consumer profile, which can then be sold to other companies to find more information to target the audience. This approach allows the advertising technology industry to accumulate consumer data for millions of people. The new law empowers Californians to stop monitoring them.
Privacy laws don’t break the real-time bidding chain for data transfers and ad displays – Mactaggart already knows it’s not intentional – but it does allow users to opt out of the second phase of the process, where user data is stored and packaged for future sale. Those who opt out may see fewer hyper-targeting ads that show users what they didn’t buy during the checkout process, or that seem to promote stores they visited a few days ago. After multiple deletion requests, users end up seeing only ads related to the page they are visiting
Interactive Advertising Bureau, a consortium of most major U.S. publishers, advertisers and advertising technology companies, has held meetings for most of 2019 to explore how thousands of companies can meet user opt-out requirements. It presents a complex framework of contracts and digital labeling that functionally meets the needs of users who do not want to sell their data to the data itself.
Google logged into the system in December and provided its customers with a toolkit to build the exit system into their own website. Notably, Facebook announced in a blog post that there was no need to change its practices in order to comply with the law. The company’s argument depends on the definition of sales and third parties, provided that facebook does not engage in the sale of user data to third parties because it is the only entity that collects personal data within its system and monetizes it.
Xavier Becerra declined to provide details of its implementation of the legal plan. “Our office will issue the FINAL CCPA regulations in a timely manner for effective July 1, 2020,” Becerra’s office said in a statement. At the same time, we cannot weigh whether the practices of a particular company or business are consistent with the CCPA. Once the regulations are finalized, we will take action to enforce the law and ensure compliance. “
If enough people opt out and ask their data to be deleted, it could lead to a complete cut in advertising revenue. Advertisers are willing to pay high prices for higher-quality goals. But most industry experts seem to think the new law is unlikely to affect the bottom line of a data-driven business (except for the cost of basic compliance) simply because most users are less likely to opt out.
“People say yes,” said Ben Barokas, chief executive of SourcePoint, a compliance management company. “Even if there is an option to opt out, maybe 10 per cent of people will refuse to accept it” to sell their data to show more targeted ads.
Even as companies rush to comply, the makers of the California Consumer Privacy Act are preparing to introduce a new round of privacy regulations with a 2020 vote. Key changes include creating an independent body to enforce the law, rather than handing it over to the attorney general’s office, creating an opt-in system for users under the age of 16, and further restricting the program’s use of so-called “sensitive personal information,” including data such as location, health status and sexual orientation. Mactaggart hopes the next round of privacy, with money and people, will set new standards for the entire Internet.
“We believe that this has the same privacy impact as the California Air Resources Board’s efforts to improve air quality across the country,” Mactaggart said. “Mactaggart argues that the goal is not to destroy any business, but to ensure that it uses consumer data securely.