![](\"https:\/\/media.wired.com\/photos\/5e1d183a5bb9560008af8a41\/master\/pass\/Biz_B8ta_4N9A3623.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Tom Simonite| Date: Wed, 15 Jan 2020 12:00:00 +0000<\/strong><\/p>\n Tom Simonite<\/span><\/a><\/span> <\/span><\/p>\n California's new privacy law has spurred a torrent of online notices. But the law is also forcing changes offline, in traditional stores.<\/p>\n To anyone with eyes in their kneecaps, the notice outside gadget retailer B8ta\u2019s glossy store next to San Francisco\u2019s new NBA arena is obvious. \u201cWe care about your privacy<\/a>,\u201d the small plaque proclaims, offering a web address and QR code.<\/p>\n Anyone curious and limber enough to bend down and follow these pointers is taken to the retailer\u2019s online privacy policy<\/a>, which discloses that stepping inside the store puts you in range of technology that automatically collects personal information. That includes \u201csmartphone detectors\u201d and Wi-Fi routers that note the location and unique identifiers of your phone, and cameras equipped with software that estimates your age and gender.<\/p>\n B8ta added the signage to its six California stores and expanded its online privacy policy late last year as it prepared to comply with a new state law that took effect this month called the California Consumer Privacy Act<\/a>. The law requires businesses to disclose what personal information they collect from consumers at or before the time it is collected. It gives state residents the right to request data collected about them be deleted and to forbid a business from selling it.<\/p>\n CCPA\u2019s most visible effect has been a plague of website popups on California residents. But the law also applies to offline data collection. B8ta\u2019s new signs and disclosures show how the CCPA might shed more light on the way brick and mortar businesses use Wi-Fi routers and other in-store sensors<\/a> to try and match the customer analytics and tracking of online retailers and ad networks.<\/p>\n California legislators rushed to pass<\/a> CCPA in 2018 to head off a stricter ballot initiative on privacy whose sponsors had collected more than 600,000 signatures. In the process, a provision allowing citizens to sue for violations was removed, leaving the state attorney general as the sole enforcer. But CCPA is in some ways broader than GDPR<\/a>, the influential European Union privacy law that came into force in 2018<\/a>.<\/p>\n The notice required by the California Consumer Privacy Act, at knee height, at a B8ta outlet in San Francisco.<\/p>\n California\u2019s law defines personal information more liberally, to include data about a household, which GDPR does not, for example. CCPA also requires companies to disclose details of how they sell personal data and allow consumers to opt out of any sales, using a broad definition of \u201csell\u201d that includes trading data for anything of value.<\/p>\n Mary Stone Ross, a lawyer and former CIA analyst who coauthored the initiative that led to CCPA, says it was partly inspired by research on use of in-store tracking by retailers. \u201cIt was very clear that in order for the CCPA to be effective, it had to cover all<\/em> collection of all<\/em> information, not just online collection,\u201d she says.<\/p>\n The law that took effect January 1 says businesses must \u201cinform\u201d consumers that they are collecting personal information \u201cat or before the point of collection.\u201d The attorney general\u2019s draft regulations<\/a>, due to be finalized in time for enforcement to begin in July, suggests physical premises distribute paper notices or display \u201cprominent signage\u201d with a web link.<\/p>\n B8ta declined to explain how it reasoned that knee-high notices might inform customers or count as \u201cprominent.\u201d The company\u2019s stores, which resemble Apple stores, feature quirky consumer gadgets such as an e-ink typewriter<\/a> alongside products from names like Asus and Google. The retailer\u2019s pitch to lure new partners cites<\/a> its stores\u2019 ability to provide live data on how customers engage or linger near products on display.<\/p>\n Other companies collecting data from customers in stores have taken different approaches to disclosure.<\/p>\n One patron of Brazilian steakhouse Fogo De Ch\u00e3o received a printed CCPA notice when he visited the chain\u2019s San Francisco restaurant in early January. It informed him that the company collects personal information during purchases and reservations, uses security cameras, and mentions the restaurant\u2019s guest Wi-Fi. That, too, according to the company\u2019s updated online policy<\/a>, collects personal information.<\/p>\n https:\/\/twitter.com\/secplusplus\/status\/1213556610871676928<\/a><\/p>\n When department store Macy\u2019s updated its privacy policy<\/a> to comply with CCPA, it added a surprising disclosure\u2014facial recognition<\/a> may be used on customers for \u201csecurity and fraud detection purposes.\u201d The company also said that it uses Wi-Fi routers to track where shoppers linger and beacons that \u201cmap nearby Bluetooth-enabled devices, much in the same way radar works,\u201d and sells consumer data, including device and network information.<\/p>\n Inside the Macy\u2019s store in San Francisco\u2019s Union Square this week, the cameras\u2014potentially using facial recognition\u2014were obvious, but no privacy notices were visible, even at knee level. The company did not respond to multiple requests for comment before publication. After this article was published, Macy's said in a statement, "Macy\u2019s is committed to our customers\u2019 privacy. We are taking the steps necessary to meet the new CCPA privacy law."<\/p>\n California\u2019s new privacy regime could help reveal how use of facial recognition is spreading in stores and other semipublic places as the technology becomes more accessible. Lowe\u2019s says it previously tested the technology in three stores, but ultimately decided not to use it.<\/p>\n Peter Trepp, CEO of facial recognition provider FaceFirst, declined to say whether he is telling retail customers to post notices in California informing shoppers their faces might be analyzed. The company claims to work with airports, sports teams, and Fortune 500 retailers, who use the software to alert staff when shoplifters known to a store return.<\/p>\n \u201cIt\u2019s still a new law and hasn\u2019t really been tested yet,\u201d Trepp says of CCPA. The company or its customers already post notices in places where local laws require it, he says, but declines to specify them. \u201cWe err on the side of providing notification if we need to,\u201d Trepp says.<\/p>\n Joseph Turow, a professor at the University of Pennsylvania, welcomes the idea of making in-store data collection more transparent. His 2017 book on the topic, The Aisles Have Eyes<\/a><\/em>, helped convince Ross that California\u2019s privacy law should apply to offline as well as online data collection.<\/p>\n But Turow questions whether paper slips or notices with QR codes will spur much response from consumers. In national surveys of attitudes to privacy and marketing he has carried out, Americans say they want more control over data collected on them, but also believe that they don\u2019t have any control.<\/p>\n \u201cThere\u2019s a feeling of resignation about data collection,\u201d Turow says. \u201cPeople think it\u2019s just the way of the world in the 21st century.\u201d CCPA warnings, he says, could end up like California\u2019s ubiquitous Prop 65 notices, affixed to buildings, cars, phone chargers, and countless other products to warn that they contain chemicals \u201cknown to the State of California to cause cancer.\u201d<\/p>\n Ross, who coauthored the initiative that became CCPA, laughs a little nervously at the comparison\u2014it\u2019s something she has worried about. But she argues that the fact CCPA allows consumers to tell companies to delete, or not to sell, their data makes notices prompted by the law more actionable. \u201cWe didn't want to just freak people out. We wanted to give people tools to do something about collection,\u201d she says. \u201cThey can\u2019t stop the collection of data, but maybe the next law will.\u201d<\/p>\n