California’s new privacy law puts you first. Too bad companies are ignoring it

0
628

Your online privacy got some support from a California law that went into effect Jan. 1


James Martin/CNET

For 2020, your New Year’s resolution might be to have better control of your digital privacy. In California, it’s not just a resolution, it’s the law. The problem, though, is that some companies are pushing back against key provisions of the California Consumer Privacy Act. 

The law, which came into effect on Jan. 1, is the most sweeping data privacy law in the US, which doesn’t have any federal legislation on the issue. California’s new rules require companies to tell people what data they’re collecting about them, as well as to allow the state’s residents to request that those companies refrain from selling their data and delete any information that’s been collected. 

Many companies have made changes to their privacy policies to follow this new law, and there’s a directory that lists how you can request your data and improve your privacy settings. But a handful of companies aren’t complying with the new law, whether by failing to provide, essentially, a “do not sell my data” link or button on their websites — which the law requires — or arguing that the rules don’t apply to them. 

Your online privacy got some support from a California law that went into effect Jan. 1


Now playing:
Watch this:

California’s new privacy law: Everything you need to…



2:52

Facebook said in a December blog post that it doesn’t plan to make any changes to its web tracking, believing that the law’s definition of selling data doesn’t apply to it. The social networking giant argued that it shares data with third parties, which it doesn’t consider selling. 

But under the new law, sharing is still considered a sale, according to Mary Stone Ross, co-author of the CCPA. 

“The definition of ‘sell’ is written in a way to include the sharing of personal information,” said Ross, associate director at the Electronic Privacy Information Center, or EPIC. “They are playing fast and loose with the definition of ‘sell.'”

Facebook didn’t immediately respond to a request for comment for this story.

Enforcement of the CCPA won’t happen until July 1. California Attorney General Xavier Becerra has raised concerns about a lack of resources to hold companies accountable.

Ross said that when writing the bill she anticipated companies would seek to interpret the law as they saw fit. A day after the law went into effect, she said she’d found multiple businesses that aren’t complying with the CCPA. 

That includes The Weather Channel, a company owned by IBM and facing a lawsuit from the city of Los Angeles over its app’s collection of location data on roughly 45 million people. In its privacy policy, updated on Dec. 29, The Weather Channel discloses that “we may have sold information within the categories as defined by the CCPA,” but it doesn’t have a button to opt out of your data being sold. 

IBM didn’t respond to a request for comment.

Ross also pointed to the pharmacy giant CVS, which is dealing with a lawsuit for a 2017 data breach that revealed the HIV status of more than 6,000 people. CVS doesn’t have a “do not sell my data” button on its homepage, even though it shares people’s data with advertisers and social media companies, according to its privacy policy. Like Facebook, it has offered the argument that sharing data with third parties isn’t the same as selling data.

CVS didn’t respond to a request for comment. 

Ross called out TiVo as well. In its privacy policy, the DVR pioneer says it sells “de-identified data to third parties” and shares personal data with service providers. It also doesn’t have a button to let people to opt out,. TiVo didn’t respond to a request for comment.

The CCPA was written to include data that’s de-identified, Ross said. She noted that even if the data doesn’t have a person’s name attached to it, it’s still considered personal data under the law. 

“Today, it’s not just my name that’s personal information,” she said. “I wear a smartwatch, I have a phone. They might not have my name attached to it, but for all intents and purposes, it’s data on me.”

Until enforcement begins later this year, Ross said, the best way to keep companies from skirting the law could be public pressure.

“You have privacy advocates that are going to be publicly shaming companies that aren’t complying,” Ross said.



Source

LEAVE A REPLY

Please enter your comment!
Please enter your name here