The California Consumer Privacy Act’s Promise and Limitations

At first glance, the California Consumer Privacy Act constitutes a major achievement for privacy advocates, the first statewide bill in the US to offer consumers control over how companies handle their personal information. It’s all the more significant that CCPA happened in California, a frequent bellwether for federal legislation and the state where many of the world’s top tech companies are headquartered.

It’s not entirely clear, though, that CCPA will put significant fetters on Silicon Valley’s hitherto unrestrained collection and monetization of user data. Major weaknesses include the law’s enforcement protocol, continued lobbying efforts to defang it, and its opt-out structure.

First, the basics. CCPA offers California residents the right to request access to all the data companies have collected about them. It grants the right to ask that this data be deleted and not be sold. It provides grounds to sue companies that fail to safeguard consumer data. The regulations apply to companies that collect data on at least 50,000 people per year or boast revenue exceeding $25 million per year, and management must fulfill requests within 45 days.

CCPA, then, marks a major improvement on a legal landscape that previously contained practically no provisions for data privacy. Even if CCPA leads to only a small number of data access and deletion requests per company, it will force large companies to develop the infrastructure to fulfill those basic privacy requests, a change that will likely facilitate better privacy practices overall. In other words, if a company needs to be prepared to inform consumers about how much data has been collected about them and how it is being used, that company will be incentivized to avoid reckless data sharing and unnecessary collection. No executive wants a story breaking about her company’s totally superfluous supply of location data.

Yet CCPA, which started out as a referendum initiative and, to some of its architects’ dismay, ended up a law passed in 2018 by the California legislature, falls short of privacy activists’ ambitions in a number of respects.

The law is hard to enforce, especially for those with limited resources. Besides data breaches, for which consumers can sue — but even then, how many consumers will make the demands CCPA affords, much less sue for their violation? — it’s up to the California attorney general to enforce the law. The AG’s office anticipates it will only be able to bring about three cases per year. That means, one of the referendum’s masterminds, Mary Stone Ross, argues, that CCPA is “largely toothless.”

The private right of action, which would have allowed individuals to sue companies for violating the law, was sacrificed when the referendum was forced into the legislative process, which saw the bill bent to the demands of lobbyists. That is the second major weakness: Lobbyists, whom Google and Facebook employ in droves, are hardly done trying to curb CCPA’s effects and tamp down the ambitions of future privacy legislation. Special interests have been working to limit privacy provisions for workers; chip away at the requirement for anonymous, or “de-identified,” data; and allow businesses to discriminate, demanding data in exchange for discounts and loyalty benefits.

Thirdly, CCPA’s fundamental flaw is that it requires consumers to opt out of unrestrained data collection and monetization. A law with the potential to effect change at scale would set a stronger standard by demanding companies obtain explicit permission before collecting data — without granting corporations the right to refuse services should consumers reject data collection. The fact remains that most consumers, who have plenty to worry about other than the ethics of data collection and have grown accustomed to Google and Facebook’s rapacity, will not go out of their way to request data, perform a cost-benefit analysis on its disclosure, and sue companies that fail to respect their rights. CCPA will not radically change the lives of most consumers.

That said, CCPA signals the dawn of major US privacy legislation. The law portends activist endeavors to follow. With the 2020 election looming, and the record having been set straight on data-driven ad targeting’s effects on the 2012 and 2016 political cycles (yes, it was not just President Trump’s campaign but also the Obama campaign and administration that buddied up to Big Tech to sway voters), the world will be more vigilant about the tech industry’s effects on democracy this time around.

Effective reform is not a given. Sharper scrutiny is certain.