Consumer privacy law off to uneven start in California

A new consumer privacy law in California was supposed to push companies toward greater transparency with the reams of data they collect every day. But weeks after the law went into effect, the early results are not yet bringing consumers much clarity.

The California Consumer Privacy Act, which took effect Jan. 1 after being adopted in 2018, was hailed by privacy advocates as a leap forward in holding companies accountable for how they handle personal data, giving U.S. consumers their first real glimpse at how companies monitor them and profit from the information.

The law gives residents of the state the right to review the information companies collect about them online, allowing them to tell the companies to stop selling it or even to delete it. It's considered the nation's most far-reaching online privacy law and a potential model for other states. Some companies are extending the disclosure privileges outside California, in part because of the difficulty of having a patchwork of policies.

But disclosure in the first few weeks under the law has run the gamut. Some companies have incorrect information on their websites about how the law affects them and consumers. And most companies acknowledge requests with emails or text messages, while other requests seem to disappear once filed.

Uber and Lyft, for instance, collect detailed data on all their customers, including their ratings and the ratings they give drivers, what type of credit cards they use, where they are when they request rides and where the rides actually begin, according to the companies.

But requests under the new law reveal huge variance in the data the companies disclose. Uber reveals a customer's rating but doesn't disclose some customer service calls, users' ratings of drivers or any inferences about its users that help shape its business decisions. According to people familiar with the matter, the company also leaves other information undisclosed in data requests, such as whether a credit card is corporate or personal.

Nine days after the law went into effect, the privacy section of Uber's website for requesting data failed to recognize some customers' account information, which spokeswoman Melanie Ensign called "a bug." It was later corrected after an inquiry by The Washington Post.

"Not every company is interpreting CCPA the same," she said.

Not included in some Lyft files were ratings data and several customer service calls. Lyft declined to comment on why it does not include that data.

Lyft spokesman Adrian Durbin said that "our privacy policy and the tools and options we provide regarding data reflect our respect for customer data and privacy."

Adam Schwartz, a senior staff attorney with the Electronic Frontier Foundation, said that "companies are required to disclose all the individual pieces of data they collect on consumers, and if they are not releasing that, that's a violation of the law."

Companies including retailers, news organizations, manufacturers, streaming-video sites, apps, data brokers and phone providers all collect data on consumers, creating a huge data footprint from millions of people. For many corporations, data harvesting is key to staying ahead of competitors and developing new products. Plus, some of that data can be monetized and sold.

Many companies aggressively lobbied the California legislature to soften the bill to preserve their data collection practices. Any company that collects personal information on 50,000 or more people or brings in at least $25 million in sales per year is subject to the privacy law. Some of the compliance rules are still being worked out, leading to the current confusion.

Questions remain about the outlines of the law, such as whether providing user data to other companies for free constitutes a "sale," what the standards should be for consumers' identity verification and, critically, how much or how little data the companies ultimately need to disclose to avoid censure or possible fines.

In addition, enforcement will not start for months.

"Companies are viewing the effective date as July," said Mary Stone Ross, who helped design the legislation and is now associate director of the Electronic Privacy Information Center. "There are many things we are just not going to know right now, particularly the inferences companies make about you based on your data."

The office of California Attorney General Xavier Becerra will have only about two dozen agents assigned to enforcement in a state with 40 million people. At a state Senate hearing in April, California's supervising deputy attorney general on consumer protection said she will probably be able to prosecute only three cases per year.

Some of the largest companies, such as Facebook and Google, already gave customers the option to download their data, in large files full of every change to their accounts, such as new profile photos or friends, as well as information such as ad preferences. Facebook has maintained it does not need to alter its practices to be in compliance with the privacy law, noting in a December blog post that many online activities do not constitute the sale of consumer data.

Other tech companies appear to be counting on a grace period to figure out compliance. The law also gives companies 45 days to respond to requests and the right to an extension beyond that, which appears to be helping Amazon, Groupon and others that had no previous disclosure policy to compile voluminous customer files.

Business on 01/22/2020