The Week in Tech: Countdown to the California Consumer Privacy Act

Each week, we review the week’s news, offering analysis about the most important developments in the tech industry.

Hello, readers. My name is Natasha Singer. I’m a technology reporter covering privacy and other thorny industry issues for The New York Times. I’ll be bringing you the week’s tech news.

But first, a data rights update: As the holidays approach, some families may be counting down the days to Christmas with Advent calendars. Many tech companies, on the other hand, are counting the days they still have left to figure out how to comply with a sweeping new law, the California Consumer Privacy Act.

The law, which takes effect on Jan. 1, will give Californians the right to see, delete and stop the sale of the personal information that companies have compiled about them.

The new law applies to businesses operating in California that collect personal information for commercial purposes and meet certain conditions — like collecting the data of 50,000 people or more. That means it will cover scores of tech companies, app developers, websites, mobile service providers, streaming TV services — as well as brick-and-mortar retailers, drugstores and many other businesses.

The effort has national implications. Companies like Microsoft have said they will honor the data rights in the California law for customers nationwide.

To prepare for consumers seeking to exercise those new data rights, many companies told me they have had to restructure the way they handle users’ information. It’s not Y2K. It’s YCCPA.

I’ve spent the last week talking to tech executives and legal experts about a few parts of the law that are so new to the United States that many companies are still working out how to comply with them.

The California law gives individuals a new right to see the specific pieces of information that companies have compiled about them. That includes inferences and categorizations — Status Seeking Singles, Blue Collar Comfort, Tight Money — that some companies use to classify people.

Does this mean Uber and Lyft will now be obliged to provide riders in California who request their personal data with a list of all the passenger ratings drivers give them after each ride? Will Amazon be required to give Prime customers detailed activity logs of their streaming video use? Will smart-mattress companies have to show sleepers moment-by-moment records of their tossing and turning?

“Yes, they have to come back with the specific pieces of personal information,” said Mary Stone Ross, a technology consultant who helped write the ballot initiative that led California to enact the law. “So if they’re collecting that, your sleep information, they have to respond with it.”

The California law’s definition of “selling” personal information includes sharing it for nonmonetary compensation. And the law requires companies “selling” personal information to give consumers the choice to opt out of having their data sold or shared for commercial gain.

Will much of the digital advertising industry, like apps that share user data in exchange for targeted ads, now be obliged to offer consumers a way to opt out?

“There are lots of information exchanges going on in the economy where people don’t pay with cash but there’s some kind of consideration for it,” Lothar Determann, a lawyer at Baker McKenzie who specializes in privacy regulation, told me. “And all of that is to some extent covered by this very overbroad law.” (Mr. Determann said he was speaking generally, not about any particular company.)

The law gives employees in the state some new rights related to the data their employers collect about them. How does this change business as usual?

Until now, Mr. Determann said, employees in the United States typically received “a notice saying that ‘you shall not have any privacy expectations at the workplace — we record and monitor everything for compliance and harassment, trade secret protection purposes,’ and so on. So they were getting antiprivacy notices.”

But as of Jan. 1, he said, employers in California must give contractors and employees a notice explaining the types of information the company collects about them and for what purpose. That is, he said, “something that employers in the U.S. never had to do.”

I’ll be following these new employer data disclosures. So please email me at [email protected] or DM me @natashanyt if you work in California, have already received your employer’s disclosure and want to share it.

Some tech companies say the new privacy law is too broad and prescriptive. Microsoft said it would like to see an even more comprehensive privacy regime. How so?

“California is a good first step because it has some very important rights built in around user control,” Julie Brill, Microsoft’s chief privacy officer, told me. “But too much of a burden has been placed on individuals. We need to ensure that companies share the burden to protect individual data in the United States.”

“That means things like requiring companies to assess the data that they have and to make sure that they’re adequately protecting it,” she added. “It should include privacy by design. Good stewardship requirements should also include principles like data minimization.”

Silicon Valley is not alone in having to contend with a new data rights law. As my colleague Vindu Goel reported this past week, India is set to enact data protection regulations that would give its population of 1.3 billion people some controls over their information.

The Indian data bill is an outgrowth of a Supreme Court decision that established a constitutional right to privacy in the country in 2017. Yet the effort is contentious.

The proposed law would give Indians more power over the details that companies compile on them. But it would also “place fewer restrictions on the government’s own use of sensitive data on its residents,” Vindu wrote, “which include the fingerprint and iris scans that are part of the Aadhaar national ID system and its detailed surveys of who receives government benefits in every household.”

2020 is shaping up to be a very interesting year as American tech giants face an increasingly balkanized landscape of data protection regimes in different countries and, if other states enact versions of California’s privacy law, at home as well. We’ll be covering industry efforts to push Congress to pass a federal law to standardize company obligations — and override some of the data rights that Californians have just gained.

  • A number of high-profile foundations — including the Ford Foundation, the Hewlett Foundation and the Economic Security Project, led by the Facebook co-founder Chris Hughes — are financing an antitrust movement against Big Tech, my colleague David McCabe reported. Can they build momentum for trustbusting?

  • Speaking of tech giants, an article in Washington Monthly argued that Amazon, Apple and Google should stay out of health care. The piece, by Matthew Buck of the Open Markets Institute, said the tech companies’ drive to maximize corporate revenues could skew the development of health technology away from the best interests of patients and toward overtreatment.

  • Do you own an Amazon Ring doorbell cam? A sobering look at the monitoring system in Vice called Ring “America’s Scariest Surveillance Company.” Meanwhile, a piece in Slate urged Ring owners to post a disclosure notice for passers-by and offers some mock-ups. One said: “Smile! You’re on a Ring Camera!”

  • An essay in The Atlantic riffed on the meaning of drunk texts and their rise as a popular communication style. “Like all texting, drunk texting is a form of nonintimate intimacy,” Kaitlyn Tiffany wrote in the piece. “Like all drunk communication, it’s susceptible to poor translation, missed meanings, embarrassment and horniness.”

  • File under the annals of technology: George Laurer, the man who developed the bar code, could not believe how ubiquitous it became, a Times obituary of the inventor reported. Officially called the Universal Product Code, it made its debut in 1974 when a scanner registered 67 cents for a 10-pack of Wrigley’s Juicy Fruit chewing gum at a Marsh supermarket in Troy, Ohio.

  • Computer science, the most popular major on many campuses, takes perseverance. This Twitter thread chronicled how one female undergraduate made it through — the A.P. Computer Science “brohort” notwithstanding.

  • A law professor, Frank Pasquale, says the time has come for a second wave of algorithmic accountability. “While the first wave of algorithmic accountability focuses on improving existing systems,” like tackling bias in facial recognition, he wrote in a blog post, “a second wave of research has asked whether they should be used at all — and, if so, who gets to govern them.”
