Despite a last-minute push by Big Tech to water down California’s consumer-privacy law, the first of its kind in the nation, six bills tacked onto California Consumer Privacy Act do not fundamentally change it.
The final version of the landmark CCPA, which California Gov. Gavin Newsom is expected to sign into law by Oct. 13, gives internet users the ability to see what information is collected about them and stop that data from being sold. It empowers California’s attorney general to penalize the worst offenders.
However, it does not cover scenarios such as third parties gaining unfettered access to mountains of data, as Cambridge Analytica infamously did with Facebook Inc. FB, -0.69%, according to Samantha Corbin, a Sacramento, Calif., lobbyist representing the Electronic Frontier Foundation, Common Sense Media, Privacy Rights Clearinghouse and American Civil Liberties Union on the issue.
Real-estate developer Alastair Mactaggart, who spent $3.1 million of his own fortune to make CCPA happen, worked on the law for two years after California voters approved it in the 2016 election. The fight since passage included contending with tech giants like Facebook, Alphabet Inc.’s GOOGL, -2.33% ( GOOG, -2.36% Google, and Uber Technologies Inc. UBER, -0.51% — all of which unsuccessfully sought to soften it with amendments before the state legislature adjourned Sept. 13.
California will be the first government in the U.S. to regulate how businesses retain and use electronic consumer data, but at least 15 other states have introduced legislation similar to the act. CCPA goes to the heart of the digital economy, and how data is amassed and used by many of its largest players based in California such as Facebook and Uber (About 99% of Facebook’s $56 billion in revenue last year came from ad revenue, gleaned in large part from personal data.) CCPA is beginning to crop up in the risk section of the prospectuses of IPO candidates, and the name is being uttered during quarterly financial conference calls.
“I’ve realized the immense power consumers are up against when it comes to having true control over their own data,” Mactaggart told MarketWatch in a phone interview.
Representatives from Facebook and Google did not respond to email messages seeking comment.
In its final form, CCPA mirrors the European Union’s General Data Protection Regulation (GDPR) with one key difference: It defines “personal information” more expansively and offers opt-out rights, earning it the nickname “GDPR lite.”
While there was some concern about the effects of GDPR on Big Tech companies, analysts say investors don’t have much to worry about from California’s privacy act. Precise rules on data management would offer guide rails — and possibly fines — but a clearer road map for their long-term business plans, says Wedbush Securities analyst Daniel Ives. Legislation and federal probes will have a minimal material financial impact, he said.
“We reiterate our opinion that [federal regulation and investigations are] more noise vs. the start of broader structural changes across the tech food chain and will likely result in business model tweaks and potential DOJ/FTC fines (in the billions of dollars) in a worst-case scenario rather than forced breakups of the underlying businesses,” Ives said in a Sept. 27 note.
“There will be a lot of doomsday predictions and scares, but ultimately we see fines,” Ives told MarketWatch.
Case in point, Facebook. Despite being hammered with a record $5 billion fine for its privacy practices from the FTC in July, Facebook shares are up 34% this year. Investors continue to be sold on the company’s financial performance, including second-quarter revenue of $16.9 billion, up 28% from the year-ago period.
There were some 11th-hour additions to CCPA that could ease businesses’ compliance efforts around employee data for at least a year. (One bill that did not make the cut would have expanded consumer rights to file civil lawsuits in the event of an alleged CCPA violation.)
The additions do not alter CCPA’s general purpose: To give Web users the ability to see what information is collected about them and stop that data from being sold, as well as empowering California’s attorney general to penalize the worst offenders. However, it does not cover scenarios such as third-parties gaining unfettered access to mountains of data, as Cambridge Analytica infamously did with Facebook, according to Samantha Corbin, a Sacramento, Calif., lobbyist representing EFF, Common Sense Media, Privacy Rights Clearinghouse, and the ACLU on the issue.
Indeed, the last-minute tweaks to CCPA by the legislature, while minor, impact Big Tech and other collectors of massive troves of data.
How the changes affect businesses
Limited exemption for employment-related personal information. Businesses would be exempt for one year – until Jan. 1, 2021 – from being required to respond to consumers’ requests for access to or deletion of the employment-related data the business collects and uses solely in an employment context.
The California Employment Lawyers Association (CELA) has strongly opposed the bill, AB 25, one of the more controversial proposed amendments to CCPA, out of concern it will do little to stop workplace surveillance and data tracking of employees. It pointed to a letter from a coalition of 16 labor and employee rights groups including the ACLU of California and SEIU California.
“We need to protect the data rights of workers and excluding them from this bill — with no plans to include them in an alternative system — would be a significant step in the wrong direction,” they said in a June letter to state Assemblyman Edwin Chau, D-San Gabriel Valley, chairman of the Assembly Privacy and Consumer Protection Committee.
A CELA spokeswoman said it hopes the data rights of employees are more strongly addressed in future legislation.
Limited exemption for personal information collected in a business-to-business context (AB 1355). Businesses would be exempt for one year – until Jan. 1, 2021 – from the requirements to provide notice or extend other CCPA rights to consumers who act in their capacity as representatives of another business in certain contexts.
Clarification of Fair Credit Reporting Act (FCRA) exemption (1355). The current exemption for data regulated by FCRA would be clarified. The amendments would remove the previous reference to the “sale” of consumer report information and make it clear that any “activity” subject to the FCRA would be exempt from the CCPA.
A wild card in all this is that CCPA allows California Attorney General Xavier Becerra to issue regulations specifically around requests for information on households — an issue that has vexed businesses since the CCPA’s passage.