Trial ordered for 5 men in plot to kidnap Michigan governor

California is rewriting the rules of the internet; businesses are scrambling to keep up

Sam Dean
Los Angeles Times

A sweeping new law that aims to rewrite the rules of the internet in California is set to go into effect on Jan. 1.

Most businesses with a website and customers in California — which is to say most large businesses in the nation — must follow the new regime, which is supposed to make online life more transparent and less creepy for users.

The biggest impact of California’s law falls on the online ad economy and businesses like Facebook and Google that rely on it.

The only problem: Nobody’s sure how the new rules work.

The California Consumer Privacy Act started from a simple premise: people should be able to know if companies sell their personal information, see what information companies have already collected on them, and have the option of quitting the whole system.

But nothing is simple when it comes to the high-speed and largely opaque online data economy. For more than two decades, tech companies have built a deeply enmeshed system to track the habits and identities of millions of users, every second of every day, and then swap or sell that information to further fine-tune marketing, advertising and business strategy.

Thanks to the technical complexity of the system and the rushed timeline for implementation, a number of basic questions remain unanswered. What does “sell” mean? How can companies be sure they’re deleting the right person’s data? And does simply having a website that keeps track of how many people visit each year mean you must wade into the regulatory thicket?

The Attorney General’s office, which is tasked with both interpreting and enforcing the law, only published its first round of draft regulations in early October. A final set is unlikely to come until well into 2020, and the law won’t be enforced until July.

In the meantime, businesses are scrambling to make sure they aren’t breaking the basics of the law. Big companies are signing deals with firms that specialize in compliance to create “do not sell my personal information” buttons on their sites (and ensure they actually work). Small companies are setting up email accounts to deal with customer requests — or just keeping their heads down and betting that the attorney general won’t bother picking on them once enforcement starts.

In the data economy, users’ personal information can be used in lightning-fast transactions, like the real-time auction that goes on behind each online ad, and stored in databases for decades. Sometimes, companies sell personal information — someone’s location, age or even name — without any contact information, or easy ways to verify that individual’s identity.

The result is a murky mix of total surveillance and slapdash record keeping, which makes answering seemingly straightforward demands like “tell me what information you have collected about me” and “stop selling my information” surprisingly complex.

For businesses, the impact has been the digital equivalent of requiring every driver in the state to install a new catalytic converter in their car or face a fine — without sharing any brand names or technical specs of the required upgrade.

The lawmakers behind the rules see the chaos as necessary to rein in an industry that’s been operating unchecked for decades.

“It’s really been the Wild West,” says Bob Hertzberg, the California State Senate majority leader who championed the bill in Sacramento. “There’s always a bit of a scramble, but the key is keep your eye on the horizon, and make it workable but deeply forward-facing in terms of consumer protection.”

At a meeting in early December in Los Angeles, representatives of powerful trade groups and concerned individuals alike lined up to express not so much opposition as confusion as part of the comment period that will shape the next round of draft regulations.

The CCPA only applies to companies with more than $25 million in revenue or access to the personal information of more than 50,000 people. So if a self-storage company has the information of 10,000 current and former tenants, but more than 50,000 people visit its website every year, thus sharing their IP addresses with the company, does that qualify?

The most wide-ranging impact of the new law falls on the online ad economy and the businesses — including tech giants such as Facebook and Google — that rely on it.

The core mechanism of the online ad world is called real-time bidding: behind every ad on a web page, there’s a near-instantaneous series of transactions going on.

The page itself, through the use of digital trackers, collects data on the reader. Then, the page sends this user information up the pipeline along with a certain set of rules, such as what kinds of ads it’s willing to show, and at what price. An ad exchange then instantly arranges an auction for the space and the user, often seeking the highest bid among ad buyers who have also pre-entered their preferred targets, prices and what their ads look like. Once this whole process takes place — in a matter of microseconds — the ad appears.

The CCPA doesn’t break the real-time bidding chain of data transfer and ad display. But it does allow users to opt out of the second phase of the process, where their data is stored and packaged to be sold in the future.

Those who opt out will likely see fewer hyper-targeted ads, the kinds that show users an ad for a product that they left unpurchased halfway through the checkout process, or that seem to eerily show an ad for a store they visited a few days earlier. Combined with multiple deletion requests, users could eventually see only ads that are related to the page they are visiting — car ads on an article about cars, or meal-delivery ads on a food website.