California’s new data privacy law took effect Jan. 1, marking the first time many American tech companies must provide users with new rights to their information, including the ability to delete it.
While some companies already did the heavy lifting required to comply with new data standards when Europe’s privacy law took effect in 2018, others have been building out that capability for the first time. The law applies to companies that meet certain data collection standards and have customers in California, home to the nation’s biggest tech hub, Silicon Valley.
The reach of the California Consumer Privacy Act (CCPA) means many tech companies outside California, including those in Seattle, have been busily building new technical capabilities over the past year, too.
Integris, a Seattle company that helps clients automate their data privacy systems, saw a “huge spike in activity” over the summer as companies sought to get compliant before the holidays and the Jan. 1 deadline. That’s according to Drew Schuil, vice president of business development at Integris.
Like Bay Area firms, Seattle companies are more likely to tackle the challenge using software, “because there’s an innovation and technology DNA,” he said.
“Because it’s so broad and it’s not humanly possible to handle this manually, I would say Seattle’s ahead of other parts of the country in terms of looking at ways to automate this process and make sure that they’re getting ahead of potentially receiving tens of thousands of individual rights requests from their California customers in the first days of CCPA.”
One Integris customer, based in Bellevue, Wash., enlisted four different data privacy companies in its compliance efforts, according to Schuil.
Other Seattle tech companies, like Expedia Group, are opting to handle compliance in-house. The online travel giant relied on internal resources and existing processes built for Europe’s General Data Protection Regulation, according to Susan Koeppen, Expedia’s senior director of global privacy.
“Because our websites are so customized and personal, it really just was more effective for us to handle this internally,” she said.
Under CCPA, Californians have the following new data privacy rights, according to the state:
- “The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
- The right to delete personal information held by businesses and by extension, a business’s service provider;
- The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt in consent, with a parent or guardian consenting for children under 13.
- The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.”
The law applies to companies with more than $25 million in gross annual revenue and businesses that buy or receive personal information of 50,000 or more consumers. Firms that derive 50 percent or more of their annual revenue from selling consumer data are also subject to the law.
Microsoft plans to make the rights outlined in CCPA available to all its U.S. customers.
Companies subject to CCPA are required to notify consumers before collecting their data. They have to respond to consumer requests to opt out and delete their data within specific time frames.
From a consumer perspective, the changes will mostly take the form of updated privacy notices. Zillow Group, for example, just launched a privacy portal that allows users to view and delete information collected on them.
“We’ve rewritten the policy to clearly outline the types of personal information we collect, where that information comes from, how we use it and any third-party partners we might share it with,” Zillow said in an email to users.
Zillow is a Seattle-based tech company that serves users in the United States, making CCPA the first data privacy law the company must comply with.
Companies with European customers, like Expedia, were able to leverage some of the capabilities they built out for GDPR as they prepared for California’s law to take effect. Preparing for GDPR was a heavy lift for many companies, but it made the CCPA compliance process easier.
“I heard at one point there was up to 800 employees working on a piece of it at any one time,” Koeppen said. “It was a very significant effort. That actually put us in a pretty good position with respect to the California law because we had built a GDPR infrastructure.”
Koeppen said it is hard to predict how many requests Expedia will receive from Californians who want to access or delete their data.
“With GDPR, we saw an initial volume that spiked and then it kind of settled in,” she said. “We’re probably expecting the same phenomenon in California and then it’ll trail off.”
But due to key differences between California and the European Union, Koeppen stressed, “it’s just really hard to predict. We don’t really know what to expect.”
Schuil said that companies with customers in Europe haven’t seen a huge surge in requests from users to access and delete data.
“In Europe, they haven’t seen a lot of these individual rights requests since it went into effect last year,” he said. “However, in the U.S. it seems that organizations are more concerned they may get thousands of these requests, this right to access, much more than Europe. Part of it is just the media. The media has been really focused on this.”
When GDPR took effect in 2018, it established some of the most rigorous data privacy rules in the world. Companies subject to GDPR must allow users to access, correct, delete, and move their data.
The U.S. has moved more slowly on data privacy despite high-profile scandals involving American companies, like Cambridge Analytica.
“Companies in the U.S. have benefited, arguably to the detriment of consumers, from fairly lax privacy regulations over the years when compared to Europe,” said Jared Friend, a senior associate at Hintze Law who has helped companies prepare for CCPA. “These changes mean that many companies have a fair amount of catch up to play.”
California became the first state in the nation to pass a data privacy law in 2018. Legislators in Washington state want to follow California’s lead in the upcoming legislative session. But the long-term fate of state privacy laws is uncertain as federal privacy regulations start to look like a possibility. The U.S. House Energy and Commerce Committee is circulating a draft of a federal privacy bill that has bipartisan support. Senate Democrats have also introduced a bill, led by Washington’s Maria Cantwell, but that bill faces opposition from Republicans.