Coronavirus Sparks New Fight Over Privacy Law

By Dustin Gardiner, originally printed in the San Francisco Chronicle

California Attorney General Xavier Becerra’s office is gearing up to enforce the state’s landmark internet privacy law, despite pleas from business groups that say they aren’t ready because of the coronavirus pandemic.

The California Consumer Privacy Act gives people the power to tell companies not to sell their personal data and to demand they delete the information altogether. The law took effect Jan. 1, but enforcement was delayed until July 1 to give businesses time to prepare for a mountain of data requests from their customers.

Business groups across the state have asked Becerra to hold off. They warn many companies won’t be in compliance by July because of staggering losses and layoffs brought on by the pandemic and state-ordered shutdowns of public life.

Privacy advocates counter that the need to protect data is more crucial than ever, because so many people are now isolated at home and dependent on the internet to work, socialize, shop and learn.

If Becerra sticks to the law’s timetable, companies will face potential fines of up to $7,500 per violation in two months. That prospect has created anxiety for small brick-and-mortar shops already struggling to keep workers on the payroll, said Rachel Michelin, president of the California Retailers Association.

She said that anxiety is growing because Becerra’s office has yet to issue its final regulatory rules, detailed guidelines that tell businesses how to comply with the law. Michelin said that, at this point, businesses will have no more than a few weeks to master the regulations.

“We don’t know exactly yet what we’re complying to,” she said. “We need them to be able to bring their employees back. The goal should be to reignite the California economy.”

In March, 65 trade organizations, including tech representatives TechNet and the Silicon Valley Leadership Group, wrote a letter to Becerra urging him to delay enforcement until January 2021. They warned that “businesses will not have the operational capacity or time to bring their systems into compliance.”

Becerra has rejected those complaints, though he hasn’t given a detailed response to industry concerns.

“We’re committed to enforcing the law starting July 1,” Becerra’s office said in a statement. “We encourage businesses to be particularly mindful of data security in this time of emergency.”

Privacy advocates say businesses have had plenty of time to get ready for enforcement since the state passed its law in June 2018. They note that tech lobbyists repeatedly tried to delay its implementation before the coronavirus made its way to the U.S.

Broad new rights under California law

California has the most sweeping internet privacy law in the nation, the California Consumer Privacy Act. The law, which the state can enforce starting July 1, gives consumers broad new rights to control how their personal information is used and sold.

New rights: Californians can tell businesses to stop selling personal information to third parties. They can also tell a company to give them access to their information or delete it.

More disclosure: Businesses are required to tell their customers what kinds of information they gather about them and how they use or sell it.

Companies affected: The law applies to any company that meets any one of three thresholds annually: It has at least $25 million in revenue, makes at least half its money by selling data or gathers information on at least 50,000 consumers.

Fines: Companies that don’t fix violations within 30 days of being notified can be fined up to $7,500 for each intentional violation. The law also allows consumers to sue companies if their personal information is breached.

“First of all, they knew this was coming,” said Maureen Mahoney, an analyst with Consumer Reports, the business watchdog group. “These are things that companies should be doing anyway.”

Under California’s law, the first major statewide internet privacy act in the country, businesses that handle significant amounts of data must tell people what information they intend to collect about them before they do it.

Businesses must comply if customers ask them not to sell their data or to delete it entirely. Customers can also request a copy of their data or an explanation about how the company uses or sells it.

Tracy Rosenberg, co-coordinator of the group Oakland Privacy, said behavior changes brought on by California’s stay-at-home order make people more vulnerable to having their data used without their knowledge or permission. For example, she said, more people are banking online and having conversations over video sites like Zoom.

“All of these things are creating a much larger data footprint for all of us,” Rosenberg said. “The more we are running our lives through computer screens, the more critical (the state law) becomes.”

Zoom came under fire last month after media reports revealed it sent app user data to Facebook. Zoom says it has since changed its practices.

The pandemic has also brought new privacy debates to the forefront. Gov. Gavin Newsom has discussed partnering with Google and Apple to use anonymous smartphone data to bolster contact tracing efforts to track who might have come close to people infected with the coronavirus.

Some retailers, including Amazon and Walmart, are using thermometers to check the temperatures of employees when they come to work. Newsom has said temperature checks could also be used to fight the virus and help restaurants and other businesses reopen to in-person customers.

Michelin of the California Retailers Association said many businesses will probably have to figure out how to handle health data about their employees and customers without clear guidance from the state.

“We’re in a whole different ballgame,” she said. “Nobody really knows what the right answers are. What can we do and not do?”

Meanwhile, supporters of a proposed ballot initiative to expand the law are pushing ahead despite hurdles gathering signatures during the pandemic.

On Monday, they submitted petitions with what they said were more than enough signatures to qualify the measure for the November ballot. However, it’s unclear whether counties will have enough time to validate the signatures before the June 25 deadline.

The measure would enshrine the data privacy act in state law, so legislators cannot weaken it, and create an agency to enforce privacy protections. It’s bankrolled by Alastair Mactaggart, a wealthy San Francisco developer who was also a prime force in pushing the privacy act through the Legislature.

“Even as we’ve worked to strengthen privacy laws here in California, we’ve realized that our laws need to keep pace with the ever-changing landscape of constant corporate surveillance, information gathering and distribution,” Mactaggart said in a statement.