California’s new restrictions on the use of personal data of online customers have a long reach — all the way to Massachusetts, where vendors are getting set to comply with the nation’s toughest data privacy law.
Effective Jan. 1, the California Consumer Privacy Act gives that state’s residents a right to know what information online businesses have collected on them, and to demand that any such data be deleted. Also, California residents can request their personal data not be shared with third parties, such as advertising companies. These are by far the strictest such protections anywhere in the United States.
“I think it will change the conversation,” said Mary Stone Ross, who helped California lawmakers craft the legislation and now serves as associate director of the Electronic Privacy Information Center. “I think it already has,” she added. “Businesses are in fact thinking about privacy.”
And not just California businesses. The law applies to any company with more than $25 million in revenue or that collects personal data on more than 50,000 people and has customers in California.
California law requires companies to post a clear notice on their homepage that reads “Do Not Sell My Personal Information,” so customers know they have a right to opt out.
Wayfair did not respond to requests for comment.
Other local companies have added the “do not sell” link, typically in small type at the bottom of their home pages. Needham travel company TripAdvisor sports a link to a complicated control panel that lets users block various tracking cookies used by advertisers to monitor the customer’s Internet habits.
By contrast, the Boston home security products company SimpliSafe directs the user to an online form where users can request that their data be deleted or never sold. The Cambridge automotive shopping service CarGurus.com links to a simpler form where a customer can simply enter an e-mail address and state that he lives in California.
“We’ve had over a year knowing this was coming,” said Spurti Kanekar, director of regulatory and privacy at CarGurus. “We want to make sure that we’re complying with the sentiment of what the law wants to do.”
Kanekar said that CarGurus and many other companies were given a head start by the European Union, which began enforcing similarly tough new data privacy standards in May of 2018. The lessons learned from the European rules made it easier to comply with the California law, she said.
Still, Kanekar said that the compliance process forced her company to draw complete maps of customer data flows through the entire organization, to understand where the data was stored and who could access it.
The need for such an internal overhaul suggests that complying with the law could carry big costs. Indeed, a study commissioned by California’s attorney general estimated that getting set for the new law could cost businesses as much as $55 billion.
California is home to 13 percent of US residents; if it were a separate country, it would rank as the world’s fifth-largest economy. So it’s possible that the California law could become the default US standard. In fact, Microsoft Corp. has said that it will apply the California law to all its US customers.
However, there’s always the possibility that other states could enact tough privacy rules of their own. Nevada enacted its own version in October. Unlike the California law, which applies to physical stores as well as online businesses, the Nevada statute applies only to Internet-based companies.
Fifty different privacy laws could get messy, and a spokesman for TripAdvisor said that his company favors a unified national privacy law, as a simpler, less costly alternative.
Ross agrees. “We feel really strongly at EPIC that there needs to be a federal law,” she said. “Privacy isn’t something only Californians deserve.”