California’s data protection law expands to cover employees
California has been a leader in consumer data privacy law. But those protections don’t mean much if they’re not being enforced.
So, under a sweeping voter initiative that took effect this year, the state has created an agency dedicated to the task. It’s the first of its kind in the U.S., which, unlike Europe, has no comprehensive federal data privacy regulation.
Marketplace’s Meghan McCarty Carino spoke with Ashkan Soltani, the executive director of the new California Privacy Protection Agency. He said one of his goals is to educate the public about their rights under the newly expanded California Privacy Rights Act. The following is an edited transcript of their conversation.
Ashkan Soltani: Californians have some unique rights under this law. So they have the right to access, delete and stop the sale of their personal information to third parties. They also have the ability to require that businesses, for example, correct information that’s not accurate or stop the sale and use of sensitive personal information. The California law also provides additional protections. For example, [it] requires businesses to employ data minimization, which means to not use data beyond what is reasonably necessary and proportionate for the purpose for which it was collected.
Meghan McCarty Carino: And the CPRA also, for the first time, covers data privacy in the workplace, right? How significant is that?
Soltani: So employees do now have the ability to exercise their privacy rights, like the kind that I just described. There are other existing exemptions, however, other laws that affect employment, which may impact some of those rights. But it’s quite unique. Particularly since the pandemic, we understand that employee privacy is more of a concern, as we all telework and we have kind of what’s known as nanny software and we have additional monitoring of our behaviors. So this is quite unique and quite an important law.
McCarty Carino: So you’ve been busy building the agency from the ground up and the rule-making process. What are some of the big issues you’re thinking about right now?
Soltani: So we are in our first rule-making. As part of this meeting, we’re also putting forward a set of preliminary rule-making questions for potentially our next rule-making, which governs topics with regards to automated decision-making with the rise of AI, the use of software and software systems to make automatic decisions about consumers. And often those decisions can impact not just what ads we see, but really our welfare or employment or housing or a number of facets with our everyday lives.
McCarty Carino: What about everyone’s current obsession, all of this generative artificial intelligence, things like ChatGPT?
Soltani: Of course. So not only does AI raise all the myriad of issues that I think consumers are aware of in terms of whether they’re biased, whether the data set that they’ve been trained on is representative, whether they are accessible to the broad constituents of California. But I think there’s also the question, generally, of what decisions can these systems make? How are they verified, tested? And what is meaningful information for consumers to know about how these decisions are made? What would you as a consumer need to know to trust the outcome of a fully automated decision? And should you have the ability, should you not want that outcome or not trust that outcome, to opt out or object to that automated decision? And that’s a right that’s provided to consumers in California under this new law. And that’s an area that we’re going to be making rules on.
McCarty Carino: Can you give us some examples of some enforcement actions — I know the agency itself is just getting geared up for enforcement — but enforcement actions related to California privacy law that our audience might not have heard about that might be good illustrations of how this will work?
Soltani: Oh, for sure. So, the California attorney general has been enforcing the California Consumer Privacy Act since July 2020. And most notably, they recently had an action against the cosmetics retailer Sephora alleging that they failed to disclose to consumers that Sephora was selling their personal information and, importantly, failed to process user requests through what’s known as an opt-out preference signal. This is a kind of user-enabled global privacy control. What’s neat about this is that, as I mentioned, Californians have the right to opt out of the sale of their personal information. And often, that requires that Californians go and find the button on their website that says, “Do not sell my personal information” or take an action.
What’s unique in California is that we also require that businesses honor what are called user-enabled global privacy controls. And these are — consumers can download a browser that supports these features or a browser extension that supports these features. And rather than go to every website they visit and click on the “Do not sell” link, they can just enable the setting in their browser and be opted out of the sale of their information automatically. And so the attorney general’s action was against a company for failing to support these opt-out requests. But the attorney general has been pretty active in a number of other areas, and they have on their website some of their cases that they’ve brought forth. Until January of this year, businesses had the right to, or the ability to, cure violations. So it was more of a fix-it ticket where an action brought by the attorney general can be remedied within a certain number of days. After the passage of the new rights or the new amendments, that ability to cure is not mandatory, although the attorney general and our agency will obviously have discretion into allowing companies to cure their violations. But they’ve been very active and I expect we will, too, once our enforcement begins.
McCarty Carino: What are some of the challenges dealing with these issues at the state level when there is not really a comprehensive federal regulation?
Soltani: I’ll be frank. We’re excited that California has these protections. But we do think that it would be great for the rest of the country to also have these protections. The caveat there: Last year, there was an attempt by Congress to pass federal privacy legislation. But our board and our agency took the position that that legislation was not only weaker than the California law, but in fact would set a ceiling on protections by states, which we think is an incredibly shortsighted view of privacy. This is one of the most rapidly emerging and rapidly moving areas of technology policy, and we think setting a ceiling on protections is a huge kind of give and a huge kind of limit on consumer protections. Just last year, when this legislation was passed, ChatGPT, which you mentioned, was not even on the radar of most legislatures. And we expect the pace of innovation to continue to move forward rapidly. So for that reason, our agency and the board had concerns about the federal law. But short of preemption, we think that it’d be important for other states to pass these laws. We just don’t think they need to be at the expense of Californians.
McCarty Carino: What are your hopes for the future of privacy protection?
Soltani: I am hopeful that we will see additional movement, at least maybe on kids’ privacy, if not general privacy for the country. But I am a little concerned if that privacy protection is designed in a way that puts a limit on what states can do moving forward. California has been a leader in the area of consumer protection. We’ve passed laws that build on the federal floor and provide greater protections for Californians. And I hope we continue to be able to do that for privacy as well.
Related links: More insight from Meghan McCarty Carino
Soltani is no stranger to regulatory agencies. He also served as a chief technologist for the Federal Trade Commission. And he’s no stranger to our show either. We last had him on to talk about how effective so-called privacy nutrition labels are in Apple and Google’s app stores.
These provide consumers with information about what data an app collects and what happens to it. But Soltani said unless it’s really easy to opt out, these are pretty meaningless to consumers. That issue is also going to be a big focus of his work with the California Privacy Protection Agency.
Soltani told me the regulation requires companies make it just as easy to opt out of data collection as it is to opt in. He also told me about a new app called Permission Slip, developed by Consumer Reports, that automatically compiles all the websites collecting your data. And with just a couple of clicks, you request to opt out or have your data deleted.
People outside California can use it too. They just might not have an enforcer like Ashkan Soltani to make sure companies comply with their requests.