California Privacy Law Prompts Companies to Shed Consumer Data

For retailers, airlines, and other businesses, people’s personal information suddenly can seem more trouble than it’s worth

By Kaveh Waddell

February 11, 2020

Last year, a major U.S. airline went looking for all the things it knew about its passengers. Among the details it had gathered, the company found, were consumers’ food preferences—information that seems innocuous but that could also reveal a passenger’s religious beliefs if they select a kosher or halal meal. So the airline decided to stop saving the food-preference information, according to Integris, the data privacy startup that helped the airline review its data practices. (Integris declined to name its client.)

Instead, the airline will ask passengers what they’d like to eat before every flight.

Recently, treasure hunts like this one have been taking place across industries and all around the country. Companies are mapping the data that they own, and some, like the airline, are proactively scrubbing sensitive information to avoid trouble.

When companies cut back on hoarding sensitive data, consumers win. Less of their private information is susceptible to data breaches and leaks, viewable by unscrupulous company insiders, or available to be sold to data brokers or advertisers.

This is a surprising turn: Data about consumers can be wildly lucrative—it fuels a $100 billion-plus digital-advertising industry, among other things—and companies generally like to gather as much of it as they can. But something changed this year. A new state law, the California Consumer Privacy Act, or CCPA, has turned data from an unadulterated asset into a potential liability.

“Up until the CCPA went into effect, at least in the U.S., I don’t think there was really a cost associated with keeping information,” says Mary Stone Ross, associate director of the Electronic Information Privacy Center, a research center based in Washington, D.C. “The attitude was, ‘Even if I don’t need it, I might need it in the future.’”

The CCPA, in effect since Jan. 1, grants several new digital rights to Californians. They can now ask companies for a copy of the information the firms know about them, limit how that data is shared or sold, and demand that it’s deleted altogether.

Businesses also have to disclose new details about the personal information they gather and who they share it with.

Many companies have been setting up new tools to allow Californians to exercise these new rights, and some, such as Microsoft, have extended them to all their customers. But the law has had a second-order effect, too, that has an impact on almost every consumer: It has pushed some firms to slim down their troves of personal consumer data.

That’s because the CCPA’s new transparency requirements make it less attractive to hoover up everything there is to know about consumers. By gathering less, a company can avoid having to make damning disclosures about what kinds of data it keeps, and potentially turn privacy into a selling point.

Plus, companies can now get in legal trouble if they’re found to have not taken “reasonable” measures to safeguard particularly sensitive data such as Social Security numbers—a good reason to just get rid of that information if they don’t need it.

“That’s a huge incentive for companies not to collect those categories of information unless they absolutely need to,” says Ross, who co-authored the California ballot initiative that led to the CCPA.

But that’s just part of the picture, privacy and legal experts say. Some businesses are trying to exploit loopholes in the young law, or haven’t yet built the tools that allow people to request their data. And it’s unclear how stringently the law will be enforced.

Hunting Down Personal Data

Complicating matters is that many companies don’t even know what personal consumer information they’re holding. (The California law defines personal information very broadly, and it’s not limited to digital records.)

Over time, sensitive data may have metastasized across a company’s servers—and for older companies, decades of records can be stuffed into basement filing cabinets. One large clothing company preparing for the CCPA spent two months digging up paper receipts from years past, says Kimball Dean Parker, CEO of SixFifty, a subsidiary of the law firm Wilson Sonsini that helps businesses like this one navigate the law. (Parker asked CR not to name his client.)

“It’s surprising how many businesses have no idea how much personal information they have,” says EPIC’s Ross. “It shouldn’t be that way. One of the purposes of privacy regulation is to force a business into self-reflection: Do I really need this piece of information to perform a business function?”

That introspection is driving some firms to just delete sensitive data—or avoid gathering it altogether. “Businesses are actually better served if they collect less data and prove to customers that they’re treating their data with a higher level of care,” says Arlo Gilbert, co-founder of Osano, a data privacy startup.

Several privacy experts and lawyers tell CR that many companies in various industries are making these changes. But firms are extremely tight-lipped about their efforts, in part to avoid drawing the California attorney general’s attention. Of the two dozen companies CR contacted for this article, only three agreed to speak on the record about what they’re doing.

In one example, Personal Capital, an online investment service, says it has begun automatically deleting user data when a customer closes an account, after a government-mandated waiting period expires. “In all the places we could, we looked at it from the perspective of, ‘Okay, is this data that we don’t need anymore? Are we done with this? Then let’s just get rid of it,’” says Maxime Rousseau, the company’s chief information security officer.

Blackboard, a leading educational tech platform, says it didn't need to do much to adjust to California’s new law because it was already complying worldwide with the much more stringent European law, the General Data Privacy Regulation. The company shared examples of tweaks it made ahead of GDPR that probably mirror smaller companies’ moves ahead of the CCPA. In one product, for example, it stopped asking students and teachers for several types of personal information, including their birthday and mailing address.

Trickle-Down Privacy

The California law covers companies that bring in more than $25 million in revenue annually, deal with the personal information of more than 50,000 Californians, or make at least half of their money selling personal information. That would seem to spare smaller firms—but the scramble to shore up data privacy has begun to trickle down.

Big companies worried about painful penalties are asking their vendors far more questions than before about the information they collect and store about users, or baking privacy and security requirements into contracts, says Christina Cacioppo of Vanta, a data security company that works mainly with startups.

That’s because a large company can be punished even if its vendors fumble customers’ personal data. “A company subject to the CCPA must now be more vigilant in vetting, contracting, and overseeing its vendors,” says Stuart Kupinsky, Blackboard’s chief legal officer.

The scrutiny is much more intense during investment rounds or mergers and acquisitions, too, says Dominique Shelton Leipzig, a partner at the law firm Perkins Coie. Leipzig says she has seen deals fall through because of a company’s bad privacy practices.

“Founders now see it incumbent upon themselves [to make sure] if there’s any data being collected about people that the proper disclosures are being made,” says Shahin Farschi, a partner at the venture capital firm Lux Capital. “It is a question they will certainly be asked by investors, customers, partners, and potential future employees, acquirers, and the public markets.”

Kaveh Waddell

Kaveh Waddell is an investigative reporter who worked at Consumer Reports from 2020 to 2023, focusing on digital rights and environmental justice. Before that, he reported on emerging technology at Axios and covered digital privacy and surveillance at The Atlantic.