用户被赋数据权，加州新法惹风波

2020年，许多美国人将被赋予一项有力的工具，用于保护他们在网络上的隐私。一项覆盖广泛的新法律将要求数百万的企业，向消费者告知其所收集的用户数据，并在用户要求下删除这些数据。

这条新法被称为加州消费者隐私保护法案（CCPA），它将会打击网络经济，因为如此多的公司——不论科技巨头还是普通零售商——都依赖定向广告。如果人们要求这些公司删除他们的数据，那么广告效果就差了。

拿沃尔玛来说，在新法下，它的在线广告不会像以往那样包含个性化推送，因而它的销售将会下滑。又比如谷歌，有可能损失一大块营收，因为普通广告与使用个人数据的定向广告相比，收费要低得多。

加州新法正在被其他二十多个州复制，因此其效应将是巨大的。但前提是在新法于2020年1月1日生效后，人们要使用他们被赋予的新权利——这就要打个大大的问号，因为欧洲自2018年开始实施类似的隐私保护法，称为通用数据保护条例（GDPR），但运用这一法律的人相对较少。

“这是件大事吗？数千人、数十万人或者数百万人会拿起法律来用吗？我们还不知道。” 咨询企业德勤公司专注于企业风险的克里斯·梅说。

但对于受隐私保护法影响的企业来说，遵守法律的负担却是实实在在的。法律要求企业为消费者提供两种询问方式，比如在线表格和免费电话号码，消费者籍此询问数据和要求删除个人数据。受加州司法部部长委托的一份超党派报告指出，加州企业将为此新法支付额外的550亿美元费用，包括法律咨询和设计费，对每家企业来说是额外的55000美元至200万美元。

由于CCPA是一项加州法律，在加州做生意的大多数公司都会受影响。而很少有企业会为此而撤离美国最大的市场。

In 2020, many Americans will get a powerful tool to protect their online privacy. A sweeping new law will require millions of businesses to tell consumers what data they have collected about them and, if asked, to delete it.

The law, known as the California Consumer Privacy Act (CCPA), could play havoc with the online economy, since so many companies—from tech giants to ordinary retailers—rely on targeted ads. If people demand that companies delete their data, those ads would be less effective.

Walmart, for example, could miss out on sales because its online ads wouldn’t be as personalized as before. Google, meanwhile, risks losing a big chunk of its revenue because generic ads command far lower prices than ones targeted using personal data.

The effect of California’s law, which is being copied in nearly two dozen other states, could therefore be enormous. But that’s only if people assert their new rights after the law goes into effect on Jan. 1—which is a big “if” considering that relatively few have taken advantage of a similar privacy law in Europe, called GDPR, that was implemented in 2018.

“Is this a big deal for thousands or hundreds of thousands or millions of people? We don’t know yet,” says Chris May, who focuses on corporate risk for consulting firm Deloitte.

For businesses affected by the privacy rules, however, the burden of complying is very real. Requirements include giving consumers two ways, such as an online form and a toll-free number, to ask for their data and to demand that it be deleted. A nonpartisan report commissioned by California’s attorney general says the state’s businesses will have to spend an extra $55 billion for upfront costs, such as legal advice and engineering, or an extra $55,000 to $2 million for individual firms.

While CCPA is a California law, most major companies do business in the state and, as a result, are impacted. Few of them can afford to pull out of the nation’s biggest market.

少数企业为了表达遵法好意，表示会自愿在全美50个州都遵守这一法律，这其中包括微软和一些小企业，比如位于波士顿的互联网服务提供商Starry。Starry的首席执行官洽特·卡诺加说，到目前为止，只有少数客户要求删除他们的个人数据，倒是有数十人写信称能有这样的选择权，要向公司表示感谢。

其他一些人士，比如美国商会的高级副总裁蒂姆·戴，则对CCPA新法表示不那么乐观。他警告说，新法将会使数以千计的小企业陷入困境，比如花店和酒厂。

加州新法豁免了大多数营业收入少于2500万美元的公司，但对于拥有至少5万人数据的公司——收集客户信息比如电邮地址的企业，很容易达到这一门槛——则需要遵守新法。

“大企业有能力应对，但对于小企业来说，这是个极重的负担，而小企业是国家经济的支柱。”蒂姆·戴说。

德勤的克里斯·梅预测，到后来许多中小企业不会遵守新法，要么出于侥幸逃避受罚的盘算，或者遵法成本大过处罚金额。加州司法部负责从7月1日开始执行新法，给了新法生效6个月过渡期，克里斯·梅认为小型花店和酒厂不会成为主要的执法目标。司法部拒绝向《财富》杂志透露执法策略的细节。

“我们被赋予了执法责任，因而我们将有所作为，尽可能地让消费者和企业都遵守法律要求。”加州司法部部长哈维·贝赛拉在一份电子邮件中说。

但这些还没有最终算数，因为商会正在游说国会通过一项法律地位优先于CCPA的联邦法律。此前科技企业也曾经试图这么做，但失败了，蒂姆·戴说商会的努力或许结果会不同，因为商会想要保存该法律的主要原则，即要求获取和删除个人数据的权利，同时商会又侧重于豁免小企业的遵法义务。

在国会，很不寻常的是两党一致同意通过这样一项法律，当然民主党和共和党在谁负责执行法律，以及该法律是否应该优先于州隐私保护法方面，是有争议的。许多人认为在2020年美国总统大选前，不会制定新的法律，但布鲁金斯学会的隐私保护专家卡梅伦·克里则相信，美国对于隐私保护的态度已经发生了剧烈的变化，总统大选前出台新法是有可能的。

克里说，“有这么一种转变，更多的国会成员花费更多时间在网络上，并担心数据隐私的复杂性，会牵涉到他们的孩子和孙辈。” （财富中文网）

本文另一版本登载于《财富》杂志2020年1月刊，标题为《加州隐私新法惹风波》。

译者：宣峰

To create goodwill, a handful of big companies, like Microsoft, and small ones, including Boston-based Internet service provider Starry, have said they would voluntarily comply with the new law in all 50 states. So far, Starry CEO Chet Kanojia says, only a handful of customers have asked for their data to be deleted, while several dozen more have written to thank the company for giving them the option to do so.

Others, like Tim Day, a senior vice president at the U.S. Chamber of Commerce, are less sanguine about CCPA. He warns that the law will ensnare thousands of smaller enterprises, such as florists and wineries.

California’s law exempts most firms with less than $25 million in sales. But companies that have data for at least 50,000 people—a threshold that’s easily reached for businesses that collect customer email addresses, for instance—are subject to new rules.

“Large businesses have the capacity to figure this out, but it’s an extreme burden for small ones, which are the backbone of this nation’s economy,” says Day.

As a result, Deloitte’s May predicts that many small and midsize companies may not comply with the law, calculating that they won’t be punished or that any penalty will be cheaper than jumping through CCPA’s hoops. California’s Justice Department is tasked with enforcing the law, starting July 1, following a six-month grace period, and May suggests it’s unlikely that small florists and wineries will be top targets. The agency declined to provide details about its enforcement strategy to Fortune.

“We were given the responsibility to enforce, and so that’s what we’re going to do, working as much as we can with consumers and businesses to make sure they’re complying with the law,” California Attorney General Xavier Becerra says in an email.

This may not be the final word, however, because the Chamber of Commerce is lobbying Congress to pass a federal law to preempt CCPA. An earlier attempt by the tech industry fell short, but Day says the Chamber’s push is different in that the organization wants to preserve the law’s broad principles, notably the right to demand and delete most personal data, while doing more to spare smaller businesses.

In Congress, there has been unusual bipartisan agreement to pass such a law, although Democrats and Republicans disagree about who should enforce it and whether it should preempt state privacy laws. While many think new legislation is unlikely until after the 2020 presidential election, Cameron Kerry, a privacy expert at the Brookings Institution, believes U.S. attitudes about privacy have changed so dramatically that a law may pass before then.

Says Kerry: “There’s been a shift as more members of Congress spend more time online and worry about the implications of data privacy for their children and grandchildren.”

A version of this article appears in the January 2020 issue of Fortune with the headline “California Sets Off Privacy Scramble.”