California’s Consumer Privacy Act: An Underwhelming First Step

“Senator, we run ads.” During his 2018 testimony before the Senate Judiciary and Commerce Committee, Facebook CEO Mark Zuckerberg’s patronizing response to then-Senator Orrin Hatch’s rudimentary question illustrates the elusive nature of Facebook’s business operations. Nearly 70% of Americans use Facebook. Many Americans support regulating social networking sites to ensure their data are secure. For the supporters of social media regulation, the new California Consumer Privacy Act (CCPA) may not be the “model” regulation many claim it will be.

Data breaches are not a recent phenomenon. However, the wide breadth of information compromised in recent data breaches sparked national calls for action. Thus, unsurprisingly, Mr. Zuckerberg was summoned to Capitol Hill for a collaborative discussion on social media privacy and personal data security following the 2018 Cambridge Analytical breach. In the Cambridge Analytical breach, over 87 million Facebook users, mostly American, had their personal data secretly harvested by third-parties. While many users of Facebook are now aware that Facebook stores their data, most are still unaware of how third-parties collect their data.

Before Cambridge Analytical, Facebook allowed third-party apps operating on its platform to harvest and sell users’ private data. To take a personality quiz or play a game on Facebook (i.e., Farmville), a user clicked a box allowing that app to access his or her profile. By clicking on that permission box, a user unknowingly allowed that app developer to harvest the user’s “private” profile information. Worse yet, by inadvertently allowing third-parties access to private profile information, the user also granted third-party access to the user data of their Facebook friends. Theoretically, if 100 people took one quiz, and each of them had 100 friends, the third-party that created the quiz could harvest 10,000 users’ data. Following the breach, Facebook restricted what information these third-party apps could access, claiming consumer data was now safe. Unfortunately, data breaches cannot be retroactively remedied. The stolen user data remains stored in the third-party servers.

The CCPA, which takes effect January 1, 2020, will likely establish a de facto baseline privacy standard for companies across the United States. The most notable provision requires large-tech companies to place a link titled “Do Not Sell My Personal Information” in a “clear and conspicuous place,” such as the website’s home page, and not buried in terms and conditions. The link allows consumers to stop companies from selling their personal information and prohibits companies from subsequently discriminating against consumers who decide not to sell their information. When the customer does not “opt-out,” companies must, upon request, disclose the entities to whom the data are sold. Many believe the CCPA will serve as a national model, but some are rightfully hesitant.

The CCPA attempts to broadly define “sell” with language such as “disseminating [or] making available” consumers’ private information. But does Facebook actually “sell” consumer data? Facebook sells ad space on its platform by leveraging its vast network of consumer preferences to ensure advertisers’ messages reach their intended audience. Facebook does not intentionally sell your private data or disclose sensitive information to the advertisers. Whether this method of advertising can be classified as “making available” consumers’ private information is one of many questions the courts will inevitably decide.

Finally, some praise the CCPA for requiring companies to generally disclose the categories, and uses, of the data they collect. For a company like Facebook, the CCPA requirement is not groundbreaking, as Facebook is already transparent about how it categorizes consumers to target advertisements based on age, interests, location, etc. This information is readily accessible from Facebook’s homepage. However, this information does little to empower consumers to better protect their data. It is too general. Unfortunately, this generality is precisely allowed under the CCPA.

The CCPA is a step in the right direction, but those who believe it will substantially disrupt the status quo in Silicon Valley may be left underwhelmed.

Brian Lewis is a second-year law student at Wake Forest University’s Law School. He holds a Bachelor of Science in International Business and Economics from the University of South Carolina. He is fluent in German and spent time studying Finance and Economics at the University of Mannheim Business School in Germany. Upon graduation, he intends to practice international corporate law.