By Dustin Gardiner. Originally published in SF Chronicle July 21, 2019
SACRAMENTO — As a consumer, Dirk Lorenz says he understands the anxiety many people feel about online ads that seem to stalk their search and social media visits. He, too, finds the mass collection of personal data invasive.
But as the longtime owner of Fremont Flowers, Lorenz said California lawmakers’ antidote to those concerns could be toxic for small retailers like him.
A year ago, the Legislature passed the California Consumer Privacy Act, the most sweeping law of its kind in the nation, with lightning speed. The law’s requirements are significant — consumers can tell businesses not to sell their data or demand that they delete the information altogether.
Lorenz said people assume the law will affect only big tech firms, but it will apply to his flower shop as well. He handles more than 50,000 web visitors and store transactions per year, which makes his business subject to the law’s requirements. Lorenz said he may have to hire a data analyst so he can comply.
“I’m a company with 15 employees or fewer, and I don’t have that resource,” said Lorenz, who has owned his East Bay store for 35 years. “It’s going to cost a good deal of money. To put it on the backs of small business, it’s just very burdensome.”
When the law passed, nearly everyone agreed it would need clarification before it takes effect Jan. 1, 2020.
But with lawmakers close to the end of their session in September, privacy proponents and industry groups have yet to agree on any major changes. That has left many small business owners struggling to understand how to prepare.
Backers of the bill say they’ve held the line against attempts to weaken the new law. They claimed victory last month when a series of largely business-driven bills to amend it failed or were watered down in the state Senate Judiciary Committee.
The outcome was a relief to Alastair Mactaggart, a wealthy San Francisco housing developer who pushed legislators to approve the law in 2018 — and threatened to go to the voters if they didn’t. He thinks the business-backed bills were tabled because lawmakers understand public sentiment is on the side of privacy rights.
“I don’t think in this state you want to be perceived as caving to industry,” Mactaggart said. “No legislator in California wants that to be something they can get tagged with.”
The Legislature passed the law, AB375, after Mactaggart spent more than $3 million collecting signatures to get a privacy initiative on the 2018 ballot. He agreed to withdraw his measure after the law passed.
Mactaggart concedes that the law has a lower threshold than his initiative, which would have applied to companies that sell the information of at least 100,000 customers in a year. But he said fears that it will greatly affect mom-and-pop stores or websites are misplaced.
State lawmakers passed the most sweeping internet-privacy law in the nation last year, the California Consumer Privacy Act of 2018. The law, which takes effect Jan. 1, gives consumers broad new rights to control how their personal information is used and sold.
New rights: Californians can tell businesses to stop selling personal information to third parties. They can also tell a company to give them access to their information or delete it.
More disclosure: Businesses are required to tell their customers what kinds of information they gather about them and how they use or sell it.
Companies affected: The law applies to any company that meets any one of three thresholds annually: It has at least $25 million in revenue, makes at least half its money by selling data, or gathers information on at least 50,000 consumers.
Fines: Companies that don’t fix violations within 30 days of being notified can be fined up to $7,500 for each intentional violation. The law also allows consumers to sue companies if their personal information is breached.
Many details of how the law will be enforced will be contained in regulations drawn up by state Attorney General Xavier Becerra’s office. Mactaggart expects those rules will make clear that the law doesn’t apply to small businesses handling one-time transactions if they don’t sell or reuse the customer’s data.
Becerra’s office, which declined to discuss the details of the regulations, has until July 1, 2020, to adopt the rules. While the law takes effect Jan. 1, enforcement won’t start until six months later.
The law applies to any company that meets at least one of three thresholds: it receives $25 million in annual revenue, collects the data of 50,000 people in a year, or makes half its money by selling personal data to third parties.
Under the new law, the companies must start telling people what data they collect. At consumers’ request, companies must delete their data, provide access to their information or stop selling it.
Tech behemoths such as Google and Facebook probably won’t have to change their business practices as much as small retailers. That’s because California’s law is similar to a European Union privacy law that took effect last year, which covered U.S. companies that do business there.
Rachel Michelin, president of the California Retailers Association, said the way legislators hurriedly pushed the state law through — from drafting to passage, the process took less than a week — left many details murky.
“For my members in particular, it’s the uncertainty,” Michelin said. “They want to know the boxes that they have to operate within, and I don’t think those lines are straight right now.”
One of the industry groups pushing hardest to change the law is the powerful California Chamber of Commerce, which represents businesses of all sizes, from big corporations to corner retailers.
“Folks want to go after those big tech companies, and that’s really what this law was written to do,” said Sarah Boot, a lobbyist for the chamber. “But that seems to be blinding people to the ramifications of what all these other types of businesses are going to face.”
She said business groups are grappling with how to adjust before lawmakers return from their recess in mid-August. Bills could still be revived before the Legislature ends its session for the year in September.
One of the most controversial bills, AB873, would have limited what’s considered personal information under the law by excluding more types of information that isn’t linked to an individual. The current law broadly defines personal information to include data “capable of being associated with” a person or household.
Industry groups say they fear that definition could force retailers to find and delete data they don’t necessarily associate with individuals, such as security-camera footage and website traffic.
The bill, by Assemblywoman Jacqui Irwin, D-Thousand Oaks (Ventura County), would have excluded data that cannot “reasonably” be linked to an individual. But some privacy advocates said it would weaken the law because companies can easily link such data to individuals with a bit of effort, and the bill failed in the Senate committee.
Backers of the privacy law were also intent on killing AB1416, which would have allowed businesses to ignore customers’ requests to delete data if the firms provide the information to a government entity or sell it to another company for fraud-detection purposes.
The bill was withdrawn from the Senate committee by its sponsor, Assemblyman Ken Cooley, D-Rancho Cordova (Sacramento County), after Senate legal analysts concluded it “would dramatically erode the rights of consumers” under the law.
Government and business groups argued that the privacy act could make it harder to find family members of foster children, let people know they have an infectious disease or track down people who don’t pay taxes or child support.
But privacy advocates said the bill would give businesses a blanket excuse to evade the law. They emphasize that the law already contains a broad exemption allowing companies to respond to government inquiries, as well as court subpoenas and summons.
Tracy Rosenberg, co-coordinator of the group Oakland Privacy, said AB1416 would have created a more Orwellian” state by allowing corporations to keep any data they want for any government program without consumers’ consent.
“The business lobby is extremely powerful,” she said. “They were united in wanting to significantly water down (the law). And on the whole, they were unsuccessful.”
Business groups did succeed in advancing a handful of smaller clarifying bills. One such measure, AB1564, would free smaller online companies from having to provide a toll-free number for submission of privacy requests. That was a priority for small-website owners such as Aileen Luib, a bloggerwho writes about fashion and lifestyle and lives in Moreno Valley (Riverside County).
She runs the site herself, but says that if AB1564 doesn’t pass, she will probably have to hire someone to field calls to a toll-free line. The bill has cleared the Assembly and is awaiting a Senate vote.
Legislators “don’t realize that the cost of compliance is so high that it’s actually going to drive small businesses out of the competition,” Luib said.
Business groups aren’t the only ones that have failed to persuade the Legislature to make major changes to the privacy law. Bills backed by consumer advocates that would have gone further — including one that would have required companies to ask customers to opt in before their personal information could be shared — were shelved earlier in the session.
Assemblywoman Buffy Wicks, D-Oakland, who sponsored the measure creating the opt-in rule, said the law as it stands is “logistically very difficult” for consumers because they must tell every company that has their information that they don’t want it sold.
“It kind of seems like nobody was happy with the deal last year,” she said. “We’re going to keep pushing forward very aggressively.”