• Californians get control over their own information…
• ..Including the right to have it completely deleted 
• Ownership of data = power and money...
• Those that have it wouldn't relinquish control until compelled - and now they have been

Yesterday, January 1, 2020, (my doesn't time just fly by when you're having fun?) the California Consumer Privacy Act (CCPA) became law in the Golden State. The intent of the wide-ranging and revolutionary new legislation is entirely to reset the relationship Californians have with web companies and completely change the rights individuals have in regard to their private data, who holds it and what can be done with it.

The new law is very popular and, in the minds of the great majority of ordinary Californians, long-overdue. There are hopes that, over time, the CCPA might have a beneficial knock-on effect across the rest of the US given that America has no over-arching nationally-applicable privacy legislation like the General Data Protection Regulation (GDPR) that covers the entirety of the European Union. 

However, on the downside, the Office of the Attorney General of California, the body responsible for framing and enforcing the Act, only got round to actually publishing the first draft of it in late October 2019, which is about half as millisecond ago in terms of the glacial rate of speed of the legislative processes.

As a result, the Attorney General will now "rush through" the final draft of the law in "record-breaking time". What that actually means is that it could be, might be, maybe published before the end of October this year. It's a moveable feast and that's why it has already been decided that the new Act won't be enforced until July this year at the earliest - and that hopeful date may well be pushed further back "if necessary", which it almost certainly will be. Indeed, January 31, 2021 is already being touted as a "preferred date" by online companies who want to put off telling people how much data they hold on each and every user and to whom they the sell-on that data for as long as possible.

The main idea behind the CCPA is that individual citizens shall have enshrined in law the right to know what companies and organisations hold their personal data, what they use that data for and to whom they sell it on. The sting in the tail, as far as data brokers and commercial companies is concerned, is that individuals will be legally able to demand that their personal data be deleted and proof be adduced to them that their records have been so purged.

That's great news for Joe and Josephine Public but a possible kiss of death for websites and companies that have, for the past 20 years and more, assiduously been designing and implementing IT systems to garner as much information as humanly and inhumanly possible about every individual consumer (often by questionable means) and continually tracking their millions and billions of online actions. These records are now the lifeblood of countless commercial websites and online stores, have immense value and change hands for vast sums of money.

Given the unplanned, opportunistic, unchecked and slap-dash ways in which these data-surveillance and data-gathering systems have been implemented and managed the result is a marketing and sales and money-making utopia for the big online organisations and a soul-sapping dystopia for commoditised private citizens who have no control over what happens to the data they have given away in exchange for the mess of pottage that is apparently free access to content that is, in fact, anything but free. But at last some corrective action is being taken.

Bringing lawmen in to clean up the digital frontier

Bob Hertzberg, a Democrat senator in the California State Senate represents the Van Nuys district and is one of the leading proponents of the CCPA in Sacramento. He says, "It’s really been the Wild West. There’s been a scramble, but the key is keep your eye on the horizon, and make it workable but deeply forward-facing in terms of consumer protection.”

As might have been expected the online companies and organisations that will be effected by the CCPA opposed it tooth and nail until it became apparent that the law would be passed anyway and have now changed tack and are making efforts to ameliorate some of the effects that enforced transparency will have on them.

So far one big part of the defensive strategy has been to bombard users with reams of emails of the fine print of updated privacy policies and the provision of limited disclosure of parts of the data that the companies hold on subscribers. Simultaneously they are becoming customers themselves - of emergent companies that claim they are experts in compliance with the CCPA and provide "Do Not Sell My Personal Information" buttons that appear when a user accesses given online sites and services. And who knows, perhaps some of them might actually work? I wouldn't bet on it though.

Legislation to dismantle private IT systems that have been growing for decades is necessarily complex and will take a long time to bed-in. What's more research shows that 86 per cent of businesses in California are completely unprepared for the CCPA. And then, of course, there's the cost...

Last summer the Office of the Attorney General of the State of California published a report estimating that taking the necessary actions to comply with the CCPA will cost companies some US$55 billion immediately and a further $16 billion over the next ten years as they new system takes hold and shakes down. Online companies companies are squealing but consumer and privacy organisations point out that they have had a free run on the digital frontier for 20 years and more and it's high time for the lawmen to move in and impose some control.

So, as of yesterday and in its first incarnation, the CCPA applies to companies with revenues above $25 million per annum or with access to the personal data of 50,000 individuals. Sounds straightforward enough doesn't it? But it's not. Already legal arguments are raging about what "sell" actually means where private data is concerned.

If you thought the medieval arguments about the number of angels that could dance on the head of a pin were arcane, just wait until the lawyers sink their greedy fangs into the CCPA. Data is power, and those that have it will fight, and pay through the nose to keep as much of it as they can.