California's new privacy law puts you first. Too bad companies are ignoring it

Days without a CCPA violation: 0.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
4 min read
Keys and handcuffs

Your online privacy got some support from a California law that went into effect Jan. 1.

James Martin/CNET

For 2020, your New Year's resolution might be to have better control of your digital privacy . In California, it's not just a resolution, it's the law. The problem, though, is that some companies are pushing back against key provisions of the California Consumer Privacy Act

The law, which came into effect on Jan. 1, is the most sweeping data privacy law in the US, which doesn't have any federal legislation on the issue. California's new rules require companies to tell people what data they're collecting about them, as well as to allow the state's residents to request that those companies refrain from selling their data and delete any information that's been collected. 

Many companies have made changes to their privacy policies to follow this new law, and there's a directory that lists how you can request your data and improve your privacy settings. But a handful of companies aren't complying with the new law, whether by failing to provide, essentially, a "do not sell my data" link or button on their websites -- which the law requires -- or arguing that the rules don't apply to them. 

Watch this: California's new privacy law: Everything you need to know

Facebook said in a December blog post that it doesn't plan to make any changes to its web tracking, believing that the law's definition of selling data doesn't apply to it. The social networking giant argued that it shares data with third parties, which it doesn't consider selling. 

But under the new law, sharing is still considered a sale, according to Mary Stone Ross, co-author of the CCPA. 

"The definition of 'sell' is written in a way to include the sharing of personal information," said Ross, associate director at the Electronic Privacy Information Center, or EPIC. "They are playing fast and loose with the definition of 'sell.'"

Facebook didn't immediately respond to a request for comment for this story.

Enforcement of the CCPA won't happen until July 1. California Attorney General Xavier Becerra has raised concerns about a lack of resources to hold companies accountable.

Ross said that when writing the bill she anticipated companies would seek to interpret the law as they saw fit. A day after the law went into effect, she said she found multiple businesses that aren't complying with the CCPA. 

That includes The Weather Channel, a company owned by IBM and facing a lawsuit from the city of Los Angeles over its app's collection of location data on roughly 45 million people. In its privacy policy, updated on Dec. 29, The Weather Channel discloses that "we may have sold information within the categories as defined by the CCPA," but it doesn't have a button to opt out of your data being sold. 

IBM said that it's had a "Do Not Sell My Information" link on The Weather Channel's page and app since Dec. 29, and said that the experience was "specifically customized for users in California," which could explain why out-of-state visitors had not seen the button. But Ross said she is a California resident, and did not see the link when she checked the website. 

"The Weather Company -- including weather.com and The Weather Channel app -- is fully committed to user privacy," an IBM spokeswoman said in a statement. "We comply with all applicable privacy laws and regulations, including CCPA."

Ross also pointed to the pharmacy giant CVS, which is dealing with a lawsuit for a 2017 data breach that revealed the HIV status of more than 6,000 people. CVS doesn't have a "do not sell my data" button on its homepage, even though it shares people's data with advertisers and social media companies, according to its privacy policy. Like Facebook, it has offered the argument that sharing data with third parties isn't the same as selling data.

CVS didn't respond to a request for comment. 

Ross called out TiVo as well. In its privacy policy, the DVR pioneer says that "We do sell De-Identified Data to third parties" and that it shares personal data with service providers. It also doesn't have a button to let people opt out.

The policy takes pains to distinguish what's sold and what's not.

"TiVo's privacy policy states that 'we don't believe we sell your personal data to third parties' therefore we believe we are in compliance with applicable laws," a company spokeswoman said.

Ross noted that even if the data doesn't have a person's name attached to it, it's still considered personal data under the law. 

"Today, it's not just my name that's personal information," she said. "I wear a smartwatch, I have a phone. They might not have my name attached to it, but for all intents and purposes, it's data on me."

Until enforcement begins later this year, Ross said, the best way to keep companies from skirting the law could be public pressure.

"You have privacy advocates that are going to be publicly shaming companies that aren't complying," Ross said.
Originally published Jan. 2.
Update, Jan. 2: Adds response from TiVo. Update, Jan. 3: Adds response from IBM.