SAN FRANCISCO - Forty million Californians will soon obtain sweeping digital privacy rights stronger than any seen before in the U.S. - rights that could pose a significant challenge to Big Tech and the data economy it created.
So long as state residents don't mind shouldering much of the burden of exercising them, that is.
Come Wednesday, roughly one in 10 Americans will gain the power to review personal information collected by large companies around the world, from purchase histories and location tracking to compiled “profiles” that slot people into categories such as religion, ethnicity and sexual orientation. Starting January 1, they can also force these companies - including banks, retailers and, of course, tech companies - to stop selling that information or even to delete it in bulk.
The law defines data sales so broadly that it covers almost any information sharing that benefits companies, including data transfers between corporate affiliates and to third party “data brokers” - middlemen who trade in personal information.
And because it applies to any company that meets a threshold for interacting with state residents, the California law might end up serving as a de facto national standard. Early signs of compliance have already started cropping up in the form of “Don't sell my personal information” links at the bottom of many corporate websites.
“If we do this right in California," says California attorney general Xavier Becerra, the state will "put the capital P back into privacy for all Americans.”
California's law is the biggest U.S. effort yet to confront “ surveillance capitalism," the business of profiting from the data that most Americans give up - often unknowingly - for access to free and often ad-supported services. This law is for anyone ever weirded out when an ad popped up for the product they were just searching on, or who wondered just how much privacy they were giving up by signing into the briefly popular face-changing tool FaceApp.
But there are catches galore. The law - formally known as the California Consumer Privacy Act, or CCPA - seems likely to draw legal challenges, some of which could raise constitutional objections over its broad scope.
It's also filled with exceptions that could turn some seemingly broad protections into coarse sieves, and affects only information collected by business, not government.
if you're alarmed after examining the data that Lyft holds on you, you can ask the company to delete it. Which it will legally have to do - unless it claims some information meets one of the law's exceptions, which allow companies to continue holding information needed to finish a transaction or to keep it in a way you’d “reasonably expect” them to.
“It’s more of a ‘right to request and hope for deletion,’” says Joseph Jerome, a policy director at privacy group Common Sense Media/Kids Action.
A more fundamental issue, though, is that Californians are largely on their own in figuring out how to make use of their new rights. To make the law effective, they'll need to take the initiative to opt out of data sales, request their own information, and file for damages in the case of data breaches.
“If you aren’t even reading privacy agreements that you are signing, are you really going to request your data?” asks Margot Kaminski, an associate professor of law at the University of Colorado who studies law and technology. “Will you understand it or sift through it when you do get it?”
State residents who do make that effort, but find that companies reject their requests or offer only halting and incomplete responses, have no immediate legal recourse. The CCPA defers enforcement action to the state attorney general, who won't be empowered to act until six months after the law takes effect.
Among other limitations, the law doesn’t really stop companies from collecting personal information or limit how they store it. If you ask a company to delete your data, it can start collecting it again next time you do business with it.
The law does offer stronger protection for children, and forbids the sale of data from kids under 16 without consent. “The last thing you want is for any company to think that we’re going to soft on letting you misuse kids’ personal information,” Becerra, the attorney general, said at a press conference in December.
The coming year will provide the first evidence of how much protection the CCPA actually offers - and how thoroughly Californians will embrace it.