Illustration: Sarah Grillo/Axios
A landmark privacy law in California, which kicks in Jan. 1, will give Golden State residents the right to find out what a company knows about them and get it deleted — and to stop the company from selling it.
Why it matters: It could effectively become a national privacy law, since companies that are racing to comply with it may give these privileges to non-Californians, too.
The California Consumer Privacy Act will apply to companies with at least $25 million in revenue, personal information on at least 50,000 people, or earning at least half their money by selling consumers' personal information.
- Next year, any Californian will be able to demand that a company disclose what data it's keeping on them — and knock it off.
- Starting next July, Californians will be allowed to sue businesses for certain data breaches, and the California attorney general will be able to bring enforcement actions.
Detractors of the law say it is overly broad and will have unintended consequences, opening the way to identity theft, disgruntlement among consumers who find out how much information Corporate America has on them, and a bonanza for class-action litigators.
Where it stands: Companies are racing to get their computer systems ready, spending as much as $100 million, according to a PricewaterhouseCoopers estimate quoted in the Wall Street Journal and confirmed by Axios.
- U.S. retailers in particular are struggling, because many of them haven't already had to deal with the big European privacy law that took effect last year.
- “You have to find a way to capture all that information and track it so you know what’s happening with that information,” Dan Koslofsky, associate general counsel for privacy and data security at Gap, told the Wall Street Journal.
- That, he said, is “a pretty significant undertaking for most companies. Unless you’ve been in a regulated space like health care or financial services, you probably haven’t done that previously.”
Computer architecture is the big sticking point. Consumer information can reside in lots of databases, and the same consumer can be listed under different names, addresses or nicknames.
- "Large companies are struggling with this because they have vast amounts of data, and small companies are struggling with this because they don't have those resources," Peter McLaughlin, a privacy law attorney at Womble Bond Dickinson, tells Axios.
Between the lines: While efforts to pass a federal privacy law have failed, companies think it's certain that something like the California law will hold sway nationally — and that other states will follow California's lead — so they're planning accordingly.
- Companies fully expect that people outside California will call them after Jan. 1 to demand that their data be deleted — or cease being sold — and many will comply.
- "The general consensus is that it's an inevitability — not an 'if' but a 'when,'" Kabir Barday, CEO of OneTrust, which helps company comply with privacy laws, tells Axios.
What they're saying about the California law:
- "It establishes some really important rights for Californians,” Hayley Tsukayama of the Electronic Frontier Foundation tells Axios. But she worries about enforcement, saying the California attorney general's office has "said they don’t have resources to handle more than a handful of cases.”
- TechNet, which represents the tech industry, tells Axios: "As it stands, meaningful clarifications still need to be made to ensure consumers continue to have the online experience they have come to expect."
- Facebook, which continues to be on the hot seat over privacy matters, tells Axios: "We believe people should be in control of their information and companies should be held to high standards in explaining what data they have and how they use it, especially when they sell data."
What's next: The Californian whose efforts led to the privacy law, real estate developer Alastair Mactaggart, is gunning for a 2020 state ballot initiative with more privacy protections. Consumers would have to opt in before companies could sell their data, the Washington Post reports.
The bottom line: "Consumers want to have more control over their data," Jay Cline, who leads the privacy practice at PwC, tells Axios. "They want to have the foundational rights to access, correct and delete their data."