For 2020, your New Year’s resolution might be to have better control of your digital privacy. In California, it’s not just a resolution, it’s the law. The problem, though, is that some companies are pushing back against key provisions of the California Consumer Privacy Act.
The law, which came into effect on Jan. 1, is the most sweeping data privacy law in the US, whichon the issue. California’s new rules require companies to tell people what data they’re collecting about them, as well as to allow the state’s residents to request that those companies refrain from selling their data and delete any information that’s been collected.
Many companies have made changes to their privacy policies to follow this new law, and there’s a directory that lists how you can request your data and improve your privacy settings. But a handful of companies aren’t complying with the new law, whether by failing to provide, essentially, a “do not sell my data” link or button on their websites — which the law requires — or arguing that the rules don’t apply to them.
Facebook said in a December blog post that it doesn’t plan to make any changes to its web tracking, believing that the law’s definition of selling data doesn’t apply to it. The social networking giant argued that it shares data with third parties, which it doesn’t consider selling.
But under the new law, sharing is still considered a sale, according to Mary Stone Ross, co-author of the CCPA.
“The definition of ‘sell’ is written in a way to include the sharing of personal information,” said Ross, associate director at the Electronic Privacy Information Center, or EPIC. “They are playing fast and loose with the definition of ‘sell.'”
Facebook didn’t immediately respond to a request for comment for this story.
Enforcement of the CCPA won’t happen until July 1. California Attorney General Xavier Becerra has raised concerns about a lack of resources to hold companies accountable.
Ross said that when writing the bill she anticipated companies would seek to interpret the law as they saw fit. A day after the law went into effect, she said she’d found multiple businesses that aren’t complying with the CCPA.
IBM didn’t respond to a request for comment.
CVS didn’t respond to a request for comment.
The CCPA was written to include data that’s de-identified, Ross said. She noted that even if the data doesn’t have a person’s name attached to it, it’s still considered personal data under the law.
“Today, it’s not just my name that’s personal information,” she said. “I wear a smartwatch, I have a phone. They might not have my name attached to it, but for all intents and purposes, it’s data on me.”
Until enforcement begins later this year, Ross said, the best way to keep companies from skirting the law could be public pressure.
“You have privacy advocates that are going to be publicly shaming companies that aren’t complying,” Ross said.