The California Consumer Privacy Act catapulted California to the forefront of national privacy protection two years ago, when California’s tech titans reluctantly acceded to the law in order to stop a popular ballot initiative from reaching voters. Now, these data barons are demanding to escape liability for CCPA violations at the same time they are ramping up surveillance for tracking Covid-19.
The CCPA is the first state law to give consumers a modicum of control over the spigot of personal information spewing from their online lives. Californians have the right to know, review, delete, and prevent the sale of the personal information that companies collect about us. If a consumer exercises these rights, firms are forbidden from charging them higher prices, refusing to do business with them, or selling them lower quality products.
As measures to curb Covid-19 become deeply invasive, the CCPA’s protections are particularly crucial. Location data taken from mobile devices is being used to evaluate whether citizens are social distancing; Apple and Google have combined forces to enable health authorities to contact trace infected people via Bluetooth on smartphones; Kinsa Health tracks individuals’ temperatures through its Internet-connected thermometers; 23andMe is analyzing customers’ DNA to see if their genes exhibit susceptibility to Covid-19; Experian, the credit reporting behemoth, is selling profiles of consumers who it deems are financially “at risk” as a result of the pandemic; Naborly, a company that screens potential renters, is asking landlords to confidentially identify people who fail to pay rent.
Don’t believe the assurances that our corona-data is “anonymized”: It can easily be reverse engineered to expose our identities and will quickly become part of the digital dossiers that companies maintain on every American. These privacy-busting profiles determine whether people get jobs, housing, credit, and insurance.
So, for Californians wanting to halt the weaponization of their data against them, companies’ compliance with the CCPA is imperative. California Attorney General Xavier Becerra (D) is authorized to sue violators starting July 1.
Claiming the pandemic as an excuse, over 60 corporate cartels, representing the tech, insurance, retail, advertising, cable, telecommunications, entertainment, and automotive industries, are pushing Becerra to postpone CCPA enforcement until next year. They complain that the shift to working from home has rendered them unable to adhere to the law, even though they had two years to prepare before it took effect on Jan. 1 of this year.
Personal Requests for Information
Becerra has made clear he will not delay prosecuting companies for CCPA infractions. And appropriately so: Businesses were defying the CCPA before the pandemic.
In January and February, I made CCPA requests to multiple companies for copies of my personal information.
Acxiom, one of the world’s largest data brokers, thrust me into a “privacy circle of hell”: Its cumbersome identity verification process took over an hour to complete, and I got numerous error messages that my driver’s license photos were skewed, which led to my request repeatedly timing out. Some of the information I got back was inaccurate, like listing a friend’s San Francisco address as mine (I’ve never lived in San Francisco) and stating that my household includes children (I’ve never lived with kids).
Experian’s file on me was impossibly skeletal, improperly redacted, and identified a random man’s name as my alias. Walmart—where I have never shopped—showed I was enrolled in the Walmart Pay program, had used gift cards, and had been contacted by Walmart for a drug recall.
Home Depot sent me a spreadsheet of other people’s email addresses—a breach of their privacy—and a catalog of product searches I never performed. Verizon sent me a password-protected file and no password.
Of the 24 companies I queried, 12 responses were unreadable, incomplete, or riddled with errors that I cannot correct.
More Legal Liability Needed for Privacy Violations
An initiative slated to appear on November’s ballot, the California Privacy Rights Act, will expand the CCPA to allow consumers to correct their data. The initiative would also restrict companies from collecting more information than necessary to provide the products and services consumers request.
These are important advances. Unfortunately, under the CCPA and the ballot upgrade, consumers cannot sue companies that break the law by lying about what data they collect, selling a consumer’s data after being told not to, or failing to turn over, delete, or correct data. Only Becerra can.
For a privacy law to truly be effective, Californians need the authority to hold companies accountable in court when they violate our legal rights.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Laura Antonini is a California-based consumer advocate, attorney, and the policy director of #REPRESENT, a project of the nonprofit Consumer Education Foundation.