As It Happens

New California privacy law lets people find out exactly what companies know about them

California's new privacy law is like "a Freedom of Information Act for private companies," says the former CIA analyst who co-authored it.

The California Consumer Privacy Act comes into effect on Jan. 1

A new California data privacy law won't stop companies from collecting people's information, but it will force them to disclose the details upon request. (Kacper Pempel/Reuters)

Read Story Transcript

California's new privacy law is like "a Freedom of Information Act for private companies," says the former CIA analyst who co-authored it.

Under the California Consumer Privacy Act (CCPA), which came into effect on Jan. 1, consumers can demand companies disclose what data has been collected on them, request that companies delete their data, and stop businesses from selling their data to third parties. 

"The heart of the CCPA is this right to know," Mary Stone Ross, a CIA analyst-turned-privacy advocate, told As It Happens guest host Helen Mann. 

"So I can go to a business and say, 'What do you know about me or my device or my children?' And they have to tell me."

Ross is the co-author of the law and the associate director of the Electronic Privacy Information Center, a public interest research organization focused on privacy issues. 

'Most comprehensive privacy legislation' in the U.S.

The new law is one of the most significant regulations overseeing the data collection practices of U.S. companies. The American Bar Association called it "the comprehensive privacy legislation in the United States."

It applies to any business that has an annual gross revenue of more than $25 million US, derives more than 50 per cent its revenue from selling users' personal information, or processes the personal information of at least 50,000 consumers, households or devices a year.

In addition to retailers, the law also affects social media platforms such as Facebook and Alphabet's Google, advertisers, app developers, mobile service providers and streaming TV services.

Shoppers ride escalators at the Beverly Center mall in Los Angeles, Calif. (David McNew/Reuters)

"Right now, Americans are consenting to the collection and use and sale of our personal information without truly understanding what we are consenting to," Ross said. 

"Businesses are collecting our precise geographic location. They're collecting biometrics information. They're collecting our health information. And unfortunately ... it's really difficult to find out in plain English what they are collecting. This will change."

Companies push back

Ross said companies that don't comply with the new law will face "massive penalties."

The state's attorney general office can issue fines of between $2,500 to $7,500 US for intentionally violating the CCPA.

"I am worried that even though their office has gotten additional resources, that they still do not have enough resources to go after the extent of the problem," Ross said.

"But I am hopeful that they will take some businesses and use them as examples, encouraging other companies to also comply with the law."

Large U.S retailers have been rushing in recent months to comply with the CCPA. Walmart and Target are adding "Do Not Sell My Info" links to their websites and putting up signs in their stores.

An economic impact assessment prepared for the California  Attorney General's office by an independent research firm found compliance with the regulations will cost businesses between $467 million and $16.5 billion US over the next decade. Industry estimates peg initial compliance costs at over $50 billion.

Retail lobbyists and attorneys advising retailers told Reuters the law is overly ambiguous, especially on what exactly constitutes the sale of information. 

But Ross says she takes those complaints with a grain of salt.

"Before the law was passed, we spent 2 ½ years really thinking critically about what should be in good consumer privacy regulation, and so I think these are excuses that businesses are using to try to say that they can't comply," Ross said.

Consumer data is "incredibly valuable" to companies, she said.

"That's why they have fought the CCPA tooth and nail and continue to try to weaken the law."

Written by Sheena Goodyear with files from Reuters. Interview with Mary Stone Ross produced by Jeanne Armstrong.