Regulating Privacy: How California's Privacy Law May Affect Consumers

     We all know how easy it is to accept a company’s privacy policy. One click, the “accept” button turns green, and we are free to use the technology without a further thought. A 2017 study found that more than 90% of people accept privacy policies without more than a glance. Most of us do so for two reasons – we do not have the time to read the entirety of the policy or we know that refusing to accept the policy means we will be unable to access whatever we are seeking to use. Does this place the onus on the consumer, to be more selective in the choices they make regarding technology usage? Or should companies be held responsible for making privacy policies difficult to understand and technology inaccessible? Do individual consumers retain any market power in this setup?

     Federal Trade Commission (FTC) Commissioner Rohit Chopra explained the dangers of allowing companies to maintain control over data in an October 18 hearing in front of a House antitrust subcommittee. He pointed out that “companies can use their market power to change terms of service to enhance data collection efforts”. Essentially, Chopra argues that changes in privacy policy are a price hike, with the cost paid by the consumer’s data.

     The state of California has decided that cost is too high to continue allowing companies unfettered access to data without regulation. These regulations will be used to enforce California’s Consumer Privacy Act (CCPA) which was passed to give individuals control over their data – they can request their data be deleted and can choose to “opt out of having their information sold to a third party.” While the cost of this legislation is expected to be upwards of $50 billion, the necessity is clear – “Americans should not have to give up their digital privacy to live and thrive in this digital age.”

     What rights would consumers seek if they were given a choice? Would they want access to market power as individuals or would consumers be grouped as a whole in order to balance their strength against the strength of businesses? The four basic rights the CCPA grants are the right to know, to delete, to opt-out, and to non-discrimination. The first three are essentially self-explanatory – they concern how information is used and what this means for consumers. The fourth right – the right to non-discrimination – specifies that a company may not discriminate against a consumer who “exercises a privacy right under CCPA.”

     Importantly, it is the requirements of business under CCPA that provides the legal basis for compliance under the Act. For instance, to comply with a consumer’s right to opt-out, a business must (per the draft regulations) treat requests that indicate the choice to opt-out as valid. Further, if a business is offered financial incentives to retain or sell a consumer’s data, they must disclose the incentive offered and “explain how they calculate the value of the personal information”. This speaks to Commissioner Chopra’s concern regarding the lack of market power of consumers within the data marketplace. However, is the explanation sufficient to give consumers actual power to negotiate within the marketplace?

     What does California’s implementation of a privacy law mean for the future of privacy law? Will a national policy be more likely to go into effect? Will states seek to lure companies from California with the promise of less stringent data regulation? One of the proposals supported by company representatives is the implementation of a national privacy law, in particular, one that mimics the General Data Protection Regulation (GDPR) in Europe. That regulation informs consumers how personal data is collected and used. However, Microsoft President Brad Smith argues companies should not wait for a federal law to be enacted – they should take it upon themselves to protect consumer privacy. He supports CCPA, particularly because its emphasis is on how companies handle data, likely providing impetus for internal policy change by companies.

     Privacy law is complicated and introducing regulation will likely be an arduous process. Section 99.308 of the regulations California is proposing relate directly to the very issues consumers face when they hit the accept button. This section aligns closely with the GDPR – consumers have the “right to request that the business disclose what personal information it collects, uses, discloses, and sells.” However, it’s target seems to be the consumer – it is not the business that puts forward the information first; instead it is up to the consumer to seek out that information. While this process might simplify our ability to request information, does it actually offer consumers the protections they seek?

Julia Prieto

October 25, 2019