nedson.net | Book Log | links | pgp

Concerns About the California Consumer Privacy Act of 2018

In an effort to keep pace with online commerce and the protection of consumers and their privacy, California lawmakers are leading the nation with the development of The California Consumer Privacy Act of 2018. The Act is a move in a positive direction to help consumers take a bit more control of the data collected about them online. After reading the Act, I am left to ponder several issues and am curious how this legislation will affect the online business models of many popular services when it goes into effect in 2020. It is likely that the Act will require lawsuits to define the intention and scope of the regulations.

Key Areas of Concern
Data with No Consent?
According to the California Constitution, privacy is an inalienable right. The Consumer Privacy Act allows businesses to gather data about its users without their consent so long as it is not sold or used by a third party. It seems that if privacy is indeed an inalienable right, a business should not be able to gather data about a user without their consent. It is understandable that a business selling goods online would need to gather data in order to provide a service or goods. However, the amount and type of data gathered is left to the business to decide without disclosure to the consumer. While some might see this as perfectly acceptable so long as the business discloses the sale of private data to a third party, history has shown us that any data gathered online can be accessed and used nefariously. Consumers should have the right to decide if they agree with the type of data collected.

Opt-In not Out!
Staring in 2020, online services will be required to post a clear link with instructions on how to opt-out of the sale of their personal data to third parties. Making the sale of personal data to third parties more transparent is a wonderful step forward. However, it seems as though they have it backwards. Shouldn't businesses that deal in personal data, by default, assume that consumers do not want their data sold? Wouldn't an opt-in button give consumers better control of their data? Perhaps this was a consolation given to the powerful tech lobby that sees control of personal data a threat to their business model. Nonetheless, protecting consumers privacy should be the default and consumers should be able to opt-in if they choose to allow a business to sell their data to a third party.

More Specificity Needed
The Act, in it's current state, doesn't require businesses to disclose to consumers the personal data being sold and who the data is being shared and sold to. It requires businesses to know the "categories" of data being sold. Consumers should have a right to know exactly what data is being sold and for what purpose. Some consumers might object to certain types of data being collected, shared, and sold that exist within a category. Consumers should also have a right to know who their data is being sold to. A simple blanket agreement to allow a business to sell any and all of a consumer's data that exist in a "category" to a third party simply does not suffice.

Confusing Policy
Will the Act allow businesses to charge users who opt out of the sale of their personal information? The Act states that a business will not discriminate against a consumer who does not allow the sale of their personal information. However, it seems as though a consumer that refuses the sale of their information could potentially be faced to pay or receive reduced quality of goods or services according to the Act. This is a quite interesting point. Could companies like Google begin to charge users for use of their services? Could Facebook begin a fee for service model? The area that covers these issues is 1798.125. This section of the Act is confusing and contradictory and will potentially require lawsuits to more clearly define the policy.

Final Thoughts
While the California Consumer Protection Act has many positive elements it still leaves many questions unanswered about the protection and use of personal data by businesses. It will be interesting to see how online businesses react and the degree to which their business models change and/or adapt to the new legislation in 2020. Perhaps the herd will remain in a deep slumber.


contact: nme at nedson.net