Companies should take California’s new data-privacy law seriously