The Washington Post: Democracy Dies in Darkness

So far, under California’s new privacy law, firms are disclosing too little data — or far too much

The measure was supposed to provide consumers more transparency about their data. It’s looking more like a muddle.

California Attorney General Xavier Becerra (D) in November in San Francisco. (Ben Margot/AP)

A new consumer privacy law in California was supposed to push companies toward greater transparency around the reams of data they collect every day. But weeks after the landmark law went into effect, the early results are not yet bringing consumers much clarity.

The California Consumer Privacy Act, which took effect Jan. 1 after being adopted in 2018, was hailed by privacy advocates as a great leap forward in holding companies accountable for how they handle personal data, one that would give U.S. consumers their first real glimpse at how they are being monitored and profited from online.

The law gives residents of the state the right to review the information companies collect about them online, allowing them to tell the companies to stop selling it and even to delete it. The CCPA is considered the nation’s most far-reaching online privacy law and a potential model for other states. Some companies are extending the disclosure privileges outside California, in part because of the difficulty of having a patchwork of policies.

But disclosure in the first few weeks under the law has run the gamut. Some companies have incorrect information on their websites about how the law affects them and consumers. Most companies acknowledge requests with emails or text messages, while other requests seem to disappear once filed. And once obtained, the volumes of data create a new burden for consumers — how to manage it.

Take Uber and Lyft, for instance. They collect detailed data on all their customers, including their ratings and the ratings they give drivers, what type of credit card they use, where they are when they request rides and where the rides actually begin, according to the companies.

But requests under the new law reveal huge variance in the data the companies disclose. Uber reveals a customer’s rating, but doesn’t disclose some customer service calls, users’ ratings of drivers or any inferences about its users that help shape its business decisions. The company also maintains other data undisclosed in CCPA requests, according to people familiar with the matter, such as whether a credit card is corporate or personal.

And nine days after the law went into effect, the privacy section of Uber’s website for requesting data failed to recognize some customers’ account information though it was properly plugged in, which spokeswoman Melanie Ensign called “a bug.” It was later corrected after an inquiry by The Washington Post. “Not every company is interpreting CCPA the same,” she said.

Not included in some Lyft files were any ratings data and several customer service calls. Lyft declined to comment on why it does not include that data.

Lyft spokesman Adrian Durbin said “our privacy policy and the tools and options we provide regarding data reflect our respect for customer data and privacy.”

Adam Schwartz, a senior staff attorney with the Electronic Frontier Foundation, said that “companies are required to disclose all the individual pieces of data they collect on consumers, and if they are not releasing that, that’s a violation of the law.”

Companies including retailers, news organizations, manufacturers, streaming-video sites, apps, data brokers and phone providers all collect data on consumers, creating a huge data footprint from millions of people. For many corporations, data harvesting is effectively the secret sauce for staying ahead of competitors and developing new products. Plus, some of that data can be monetized and sold.

But many companies aggressively lobbied the California legislature to soften the bill to preserve their data collection practices. Any company that collects personal information on 50,000 people or more or brings in at least $25 million in sales per year is subject to the CCPA. Some of the compliance rules are still being worked out, leading to the current confusion.

“Compliance is all over the map and will be until the rules are clear and there are actual penalties for noncompliance,” said Mary Stone Ross, who helped design the legislation and is now associate director of the Electronic Privacy Information Center.

Questions remain about the outlines of the law, such as whether providing user data to other companies free constitutes a “sale,” what the standards should be for identity verification and, critically, how much or how little data companies ultimately need to disclose to avoid censure or possible fines.

In addition, enforcement will not start for months and is likely to be underfunded.

“Companies are viewing the effective date as July,” Ross said. “There are many things we are just not going to know right now, particularly the inferences companies make about you based on your data.”

The office of California Attorney General Xavier Becerra (D) will have only about two dozen agents assigned to enforcement in a state with 40 million people. At an April state Senate hearing, the state’s supervising deputy attorney general on consumer protection said she will probably be able to prosecute just three cases per year.

Legislators in Sacramento who passed the law viewed it as an opportunity for constituents to better manage their own data, to see with whom it is shared and to opt out of allowing companies to sell it.

The law survived fierce lobbying by the tech-backed Internet Association and the California Chamber of Commerce. An August report commissioned by Becerra’s office estimated compliance with the CCPA could cost companies $55 billion initially and as much as an additional $16 billion over the course of the next 10 years.

For some tech giants, the California law will not mean much of a change. Some of the largest companies, such as Facebook and Google, already gave customers the option to download their data, in massive files full of every change to their accounts, such as new profile photos or friends, as well as information such as ad preferences. Facebook has maintained it does not need to alter its practices to be in compliance with the CCPA, noting in a December blog post that many online activities do not constitute the sale of consumer data.

Other tech companies appear to be counting on a grace period to figure out compliance. The law also gives companies 45 days to respond to requests and the right to an extension beyond that, which appears to be helping Amazon, Groupon and others that had no prior disclosure policy to compile voluminous customer files. (Amazon founder and chief executive Jeff Bezos owns The Washington Post.)

Personal-finance site PayPal directed users to a phone number that was inoperable, an error corrected after The Post contacted the company. A request filed with PayPal had to be made to a general customer-service inbox, and it remained unclear when PayPal may respond.

Twitter is sending users a file in a JavaScript format that is difficult for non-techies to open. Spokeswoman Katie Rosborough said the social media site is “working on ways to improve the download experience.”

And in some cases there is general confusion about the law. Restaurant reservation platform Resy says on its website that it will comply with CCPA beginning next year. Resy, which was acquired by American Express last year, said it is exempt this year under a 1999 law known as the Gramm-Leach-Bliley Act, which provides privacy protections for financial services firms that provide loans, investment advice or insurance. But American Express’s own privacy policy states it must comply with CCPA as of this year. EPIC’s Ross said she believed the exemption would not apply to Resy and has written to the company herself to correct the error on its website.

After requesting his information from streaming-music service Spotify, Colin Szechy, a hardware engineer in San Francisco, said he was sent a file to download but was unable to access it, because the email said he did not “have permission to see its contents.” A day later, after sending a complaint, he was able to access it. He said the 4.7-megabyte file “seems rather light considering I’ve been a subscriber since 2011.” Spotify did not respond to a request for comment.

Mark Rabins, a data scientist in Los Angeles, spent several hours recently trying to collect personal information about himself from a variety of corporations and data brokers. “Either they give you a fire hose of information that is almost impossible to interpret,” he said, “or they give you practically nothing.”

He said he requested Whitepages delete his information, but the company had not yet done so nearly two weeks later.

“Everyone seems to be putting their toe into the water to see what they can get away with,” Rabins said. “I hate to say it, but I think the companies are going to win.”