For the better part of a generation, corporations have hoovered up your private data and sold it with little to no transparency or accountability. That was made obvious when Motherboard revealed that mobile carriers routinely collect your daily location data and sell it to a long list of often dubious middlemen, often with no oversight.
That era ends—or at least it’s supposed to end—under California’s shiny new privacy law, the California Consumer Privacy Act (CCPA). Under the CCPA, which took effect January 1, companies must make it clear consumers now have the right to opt out of the sale of their private data. Companies must also delete this data within 45 days of a request.
That applies not just to giants like Facebook, but to real world establishments like the Brazilian steakhouse Fogo de Chão, whose diners in the new year received a little something extra with their filet mignon—a notice informing them they can opt out of having their data sold:
“A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used,” the law says.
Jad Boutros, the CEO and diner who received the paper notice, told Motherboard that it came alongside a digital bill presented on a handheld terminal. The restaurant did not respond to several requests for comment.
The third page of the restaurant’s online disclosure statement informs customers it collected everything from social security numbers to geolocation data last year to help “engage with you on social platforms, market to you, track rewards, conduct surveys, or facilitate requests to send you communications.”
Dylan Gilbert, a lawyer and privacy expert at consumer group Public Knowledge, said that while such efforts are a good first step in educating consumers on the raw scope of data collection, transparency alone isn’t going to be enough to fix what ails American industry.
For example, under the CCPA, companies don’t have to stop collecting your data upon request; they only have to stop selling it. The restrictions also don’t apply if your data has been “anonymized”—despite the fact that numerous studies have shown that anonymized data isn’t really all that anonymous.
The CCPA also only applies to companies that earn more than $25 million in gross annual revenue, collect personal data on more than 50,000 users, or make more than 50 percent of their revenue selling user data.
In short, there are numerous areas where the CCPA falls short on protection, and plenty of loopholes for companies to try and tap dance around in enforcement. Gilbert pointed to a 2020 California ballot initiative, the Privacy Rights and Enforcement Act, which he said would include tougher, broader restrictions on both the sale and collection of user data.
Gilbert and other privacy experts have also taken issue with the CCPA’s tendency to place the onus for privacy protection squarely at the feet of the consumer.
“Folks cannot be expected to be their own personal privacy managers when basically every product or service that we use nowadays collects and uses our data in some way,” Gilbert said. “This is why it's critical that privacy legislation impose obligations on companies like restrictions on the collection, use, and retention of data in addition to notice and choice.”
While the restaurant’s notice informs consumers about "the rights available to Californians" under the CCPA, users have to dig through lengthy PDFs to figure out what those rights actually are.
“Individuals are going to be much less inclined to exercise their rights when they don't know what those rights are,” Gilbert said. “It's important that notice is meaningful and doesn't turn into a nuisance. It will be interesting to see how this plays out in California.”
Companies will have a better idea of how best to comply with the law once the California Attorney General begins enforcing it in earnest, something that isn’t likely to happen until this summer, and is only expected to result in about three prosecutable cases a year. The rest of the heavy lifting will rest in the lap of consumers who choose to sue over privacy violations.
While it may be strange to get a privacy warning at dinner, both the law—and efforts to comply with it—are viewed as a sloppy first step in the right direction. Experts are quick to note the CCPA needs work, but also note it’s an important shift away from zero meaningful privacy protections whatsoever toward something vaguely resembling accountability.