Now Stores Must Tell You How They're Tracking Your Every Move

To anyone with eyes in their kneecaps, the notice outside gadget retailer B8ta’s glossy store next to San Francisco’s new NBA arena is obvious. “We care about your privacy,” the small plaque proclaims, offering a web address and QR code.Anyone curious and limber enough to bend down and follow these pointers is taken to the retailer’s online privacy policy, which discloses that stepping inside the store puts you in range of technology that automatically collects personal information. That includes “smartphone detectors” and Wi-Fi routers that note the location and unique identifiers of your phone, and cameras equipped with software that estimates your age and gender.B8ta added the signage to its six California stores and expanded its online privacy policy late last year as it prepared to comply with a new state law that took effect this month called the California Consumer Privacy Act. The law requires businesses to disclose what personal information they collect from consumers at or before the time it is collected. It gives state residents the right to request data collected about them be deleted and to forbid a business from selling it.
CCPA’s most visible effect has been a plague of website popups on California residents. But the law also applies to offline data collection. B8ta’s new signs and disclosures show how the CCPA might shed more light on the way brick and mortar businesses use Wi-Fi routers and other in-store sensors to try and match the customer analytics and tracking of online retailers and ad networks.California legislators rushed to pass CCPA in 2018 to head off a stricter ballot initiative on privacy whose sponsors had collected more than 600,000 signatures. In the process, a provision allowing citizens to sue for violations was removed, leaving the state attorney general as the sole enforcer. But CCPA is in some ways broader than GDPR, the influential European Union privacy law that came into force in 2018.

The notice required by the California Consumer Privacy Act, at knee height, at a B8ta outlet in San Francisco. Photograph: Lauryn Hill
California’s law defines personal information more liberally, to include data about a household, which GDPR does not, for example. CCPA also requires companies to disclose details of how they sell personal data and allow consumers to opt out of any sales, using a broad definition of “sell” that includes trading data for anything of value.
Mary Stone Ross, a lawyer and former CIA analyst who coauthored the initiative that led to CCPA, says it was partly inspired by research on use of in-store tracking by retailers. “It was very clear that in order for the CCPA to be effective, it had to cover all collection of all information, not just online collection,” she says.

Similar Articles:

New Year, New Rights: What to know about California’s new privacy law

New Year, New Rights: What to know about California’s new privacy law

Tech Lobbyists Push to Defang California's Landmark Privacy Law

Tech Lobbyists Push to Defang California's Landmark Privacy Law

A Nevada Law That Fines Companies for Selling Private Data Is About to Go Into Effect

A Nevada Law That Fines Companies for Selling Private Data Is About to Go Into Effect

Microsoft says it will follow California's digital privacy law in U.S.

Microsoft says it will follow California's digital privacy law in U.S.