PASO ROBLES, Calif. — California tried to do what Washington hasn’t: Force the nation’s tech industry to hand people control over the massive troves of data it collects on them.
But one year in, it’s almost impossible to tell how many Californians are taking advantage of their new rights, or precisely how the biggest players are complying.
The largest companies targeted by the landmark 2018 California Consumer Privacy Act are required to disclose detailed figures on data-privacy requests they have received from the state’s residents since last year. But the firms have published widely disparate figures that make it impossible to evaluate the law’s effectiveness.
Microsoft says it received 2.8 million petitions to delete Californians’ data, while Apple got fewer than 295,000.
Google, a company with billions of users worldwide, reported a mere 276 deletion requests from Californians.
And Twitter hasn’t posted any data at all.
The idea was that these stats would show Californians what they were getting out of the law and help enforcers track whether companies are following the rules. What they’ve created is a lot of confusion.
“I think it’s a bit of a mess so far, is what I’m observing,” said Jennifer King, the privacy and data policy fellow at the Stanford Institute for Human-Centered Artificial Intelligence. “Certainly if there’s no way to truly understand what these numbers are measuring, then it’s really difficult, just from a research perspective. How do we assess whether this law is working?”
California in 2018 enacted the nation’s first comprehensive privacy rights law, which empowers residents to find out what personal information companies have gathered about them and ask the businesses to delete those details or not sell them. But one year after CCPA took full effect, it’s hard to tell how much it has really changed, for businesses or for Californians.
The California Department of Justice, which has the sole authority to bring a Privacy Act lawsuit, has rolled out a slate of warnings but has not taken a single company to court. Attorney General Rob Bonta, who was appointed to the role this spring after his predecessor Xavier Becerra joined the Biden administration, held a news conference last month with a rare enforcement update. Bonta said about 75 percent of companies warned about potential Privacy Act violations had fixed the problem within the 30 days allotted to them under the law. He would not say how many firms received warnings, only that it was “quite a few.”
Bonta, a progressive Democrat from the San Francisco Bay Area who faces a statewide election next year, said in an interview Thursday that the law has established a “strong privacy regime” that his office is still in the early stages of establishing.
“We’re active with investigations, and in learning more about how corporations are acting, their compliance or lack thereof,” he said. “When there are folks that are not acting in good faith and not complying, we will — should the facts and the law point there — take action to enforce. We want people to know this is the law, it’s not a suggestion, it’s not voluntary.”
The state DOJ wrote the transparency rule into the regulations, but it does not keep a full list of firms that must comply with it — those that collect the personal data of at least 10 million Californians each year. There is no central repository for the businesses’ data, forcing the public to track down each company’s numbers in a time-consuming and convoluted way. And the volume of customer requests, as reported by the businesses themselves, ranges from the single digits to millions, a trend confirmed by Catherine Baron, a research fellow at Stanford who has analyzed the metrics of 100 companies so far.
Facebook logged about 82,000 deletion requests compared to 4,264 for PayPal and only two for LinkedIn, which lets all of its customers download and delete their data but counts only the CCPA-linked requests in its self-reporting. Amazon says it’s received fewer than 590,000 deletion requests for all of Amazon.com in the U.S.
One explanation for these sweeping inconsistencies could be simple: Some firms bury their California-focused privacy links deep in their websites so they are hard to find. But the numbers also show that companies may be taking totally different views of their new responsibilities. Some could be using different measures to track their compliance. Others are using nationwide numbers instead of California-specific ones.
“The data is functionally useless,” said Eric Goldman, a law professor at Santa Clara University who focuses on the tech sector and is a critic of the CCPA. He sees the transparency regulation as a pointless and expensive exercise and stressed that it may not be possible to directly compare one company’s numbers to another since they may be taking different approaches to the data.
Google, for example, says it’s received and granted just 516 CCPA-specific requests for access to the data the company collects on people, and only 276 requested deletions of personal information. At the same time, the company says that more than 15 million people in the U.S. used its existing tools to delete some of their information in 2020. Some of these likely include Californians.
Some of the giants that tend to draw considerable consumer skepticism over their data collection methods — like Facebook, Google and Amazon — contend they don’t sell personal data to third parties and that therefore the CCPA’s right to opt out of sale of people’s details doesn’t apply to them. Privacy advocates refute that claim, arguing CCPA applies to online identifiers, such as third-party “cookies” that can track users across the web for marketing purposes.
The companies that do allow people to opt out of the sale of their information are reporting a much higher volume for those requests than for any other type of request.
The data broker Acxiom says it has complied with all of the nearly 20,000 nationwide requests to be opted out of the sale of personal data, though a company spokesperson said such a policy has been in place since the 1990s and that those numbers are not “significantly different” than they were before the CCPA.
The firm was far less likely to grant other privacy asks. It denied more than half of the 300 deletion requests it received in the last year, and more than half of the 483 requests for the information it’s gathering on people.
The Privacy Act allows companies to require identity verification for deletion and information requests, which they argue is necessary to prevent breaches. Acxiom and others said most denials stemmed from customers abandoning their privacy petitions.
Target says it logged 650 requests under the CCPA to delete customers’ personal details and agreed to fewer than half of them, compared to 139,000 requests for the opt-out of the sale of data, which the company mostly honored.
And Fox News complied with just 19 of the 314 requests from Californians to delete their data, saying the other petitioners didn’t verify their identities.
California Senate Majority Leader Bob Hertzberg, a Democrat who helped broker a legislative deal on the law, said he didn’t see these reporting problems as significant in the long term. The CCPA is still in the “maturing” phase, he said.
The CCPA in 2023 will be replaced by a more expansive California Privacy Rights Act, which voters approved in November through a ballot measure. The new law will bring a whole new set of regulations, greater enforcement ammunition and more clarity around data trafficking prohibitions.
Hertzberg argued privacy is now in the public consciousness and something companies are taking seriously, “beyond just a PR stunt.”
At the turn of the 21st century, he said, firms were trying to figure out what privacy was.
“Now you have companies for the first time taking the issue of privacy quite seriously, and having chief privacy officers,” Hertzberg said. “That’s kind of how this maturing works.”