California passes privacy laws in wake of fear of stricter regulations under November initiative
By Pawan Naidu
On June 21, California passed legislation that will bring the toughest data protection laws in the United States. The groundbreaking law is set to reshape how Silicon Valley does business, and it requires companies to stop collecting and selling users’ personal data upon request from consumers. The California Consumer Privacy Act will come into effect in 2020.
There wasn’t much controversy surrounding the bill, because the state’s Senate and Assembly each voted to pass it unanimously, and it was signed into law a few hours later by Gov. Jerry Brown. There is speculation that this bill was rushed because a bill with even stricter data protection policies would have been on the November ballot if the current law wasn’t passed before 5 p.m. on June 21.
Companies like Facebook and Google were prepared to fight against the potentially stricter initiative. However, all that was avoided by the last-minute passage of the current law.
Advocates for consumer privacy cheered the new law. Marc Rotenberg, executive director of the Electronic Privacy Information Center, said the law means privacy will be a big issue impacting elections going forward.
“This is a milestone moment for privacy law in the United States,” Rotenberg said in a statement. “The California Privacy Act sends a powerful message that people care about privacy and that lawmakers will act.”
The Internet Association, a lobbying group representing major tech companies including Facebook, Google, Uber, Amazon, and Microsoft, said in a statement they wanted more public debate about the bill.
“It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike,” the group said.
AB 375, or the California Consumer Privacy Act, is going to change the business model for the tech world because it gives internet users the ability to ask companies for their personal data and whom it was sold to. That by itself could be a revelation for consumers. Most people understand their online history is being tracked to give to advertisers, but most people don’t have a good understanding of what or how much of their data is being used.
The bill was sponsored by Assemblymember Ed Chau and State Sen. Robert Hertzberg, who are both Democrats. Along with requesting to see how a person’s data is being used, users can also request that companies stop recording their data, which can quite possibly change how internet companies do business as a whole.
For companies accustomed to gathering and dealing with large volumes of data, the regulation will involve establishing a new way of interacting with their customers when it comes to personal data. The new law requires companies to make fundamental and wide-reaching changes such as the way they organize personal data.
In the future, this could potentially lead to many internet companies moving to a less inclusive model. People might not be allowed to browse a site unless they give consent for the company to use their data.
Companies also have to make new investments to make sure they can adapt to the changing laws. When the General Data Privacy Regulation (GDPR) went into effect in the European Union, Spanish organizations were estimated to have to invest €140 million in 2018 to modify their processes and systems, 44 percent more than in 2017.
Companies and lawmakers have time to adjust to the new law because the bill will take effect at the beginning of 2020. The sponsors will work with the attorney general to develop a plan to enforce the law.
According to the California Consumer Privacy Act, the most a company would have to pay to consumers, to repay for damages for mishandling their personal data, would be $750 per person in each separate case. The highest penalty that can be levied against a company is capped at $7,500.
The decision whether to pursue legal action against companies for violating the law would fall under the jurisdiction of the California attorney general. Under the new law, individual consumers have the right to pursue private lawsuits even if the attorney general doesn’t take the case.
This means there is the potential for investigations from the attorney general’s office, as well as proposed class action suits filed by lawyers against tech giants if consumers believe companies are violating their rights in the law.
Sen. Bill Dodd, a Democrat from Napa, who co-authored the bill, said that he was pleased with the state government’s swiftness to get it passed. He’s especially happy with a provision that requires companies to get opt-in agreements to collect data on anyone younger than 16.
The new law puts California at the forefront of protecting citizens’ privacy rights in the US, according to Dodd.
“My hope is other states will follow, ensuring privacy and safeguarding personal information in a way the federal government has so far been unwilling to do,” he said.
Silicon Valley hasn’t been too eager for new data protection laws, but in a strange twist, tech companies didn’t fight this bill, with some even openly supporting it. The most likely reason is that a ballot measure, cleared for a vote in California this fall, would’ve been even harder on tech companies’ handling of personal data. The initiative was more detailed in what it forces companies to disclose and it demanded higher fines for lawbreakers.
However, the new law does leave the door open for stricter restrictions in the future, so tech companies may still have to lobby against stricter data protection laws.
Tech giants like Google, Microsoft, Amazon, Uber, and Facebook, and internet providers like Comcast, Cox, Verizon, and AT&T, were prepared to lobby against the ballot initiative. Some of them donated to the Committee to Protect Jobs, an independent expenditure committee that opposes the ballot initiative.
Bay Area real estate developer Alastair MacTaggart funded the campaign to get the initiative on the ballot and donated $1.6 million to the effort. After the current bill was signed, MacTaggart said at a press conference that experts, like people from the ACLU, Electronic Frontier Foundation, and UC Berkeley, were consulted in developing the ballot measure. He also added the campaign was prepared to support the ballot measure through the November election if necessary.
A representative from Facebook made a statement that the company supported the bill before the vote on June 21.
“People should be in control of their information online and companies should be held to high standards in explaining what data they have and how they use it, especially when they sell data,” said Will Castleberry, Facebook’s vice president of state and local public policy, while emphasizing that the company doesn’t sell user data. “In that spirit, while not perfect, we support AB375 and look forward to working with policymakers on an approach that protects consumers and promotes responsible innovation.”
TechNet, a tech industry lobby, offered a more modest level of support for the bill after the vote. The group also counts Google, Facebook, Uber, Amazon, and Microsoft among its members.
“While this law adds a significant new layer of privacy protections for California consumers, even its authors have acknowledged it is far from perfect and will need revisions in the months ahead as its consequences and workability are better understood,” said Linda Moore, president and CEO of TechNet, in a statement.
Calls from the public and lawmakers to pass data protection laws have ramped up as data protection scandals have come down on Silicon Valley. Facebook CEO Mark Zuckerberg faced questions from US lawmakers and the European Parliament stemming from the revelation that personal information from 87 million of the social media company’s users was leaked to the UK political consultancy firm, Cambridge Analytica.
Other scandals, such as the revelation that the email organizing service Unroll.Me was collecting and selling user information and a leak of 340 million records from marketing firm Exactis, show how easily data can spread through the marketplace in ways consumers aren’t aware of.
Questions about how new laws and regulations could better protect consumers’ data from these kinds of scenarios were answered somewhat when the European Union implemented new privacy regulations for its citizens. The US doesn’t have this kind of regulation at the federal level, and even California’s new law doesn’t match the protections the EU implemented in May, but some of the same rights are included.
A lot of people are looking to the European Union’s new privacy law, the GDPR, to compare how the law will be implemented. The laws are similar, but there are some important differences. For example, the California law doesn’t require companies to meet a deadline for notifying consumers of a data breach, but the GDPR does.
In addition, the GDPR could potentially lead to much larger fines for companies found to have violated the law than the California law does. The GDPR also calls for a dedicated authority to enforce the law in each EU member state. The law passed in California does none of these things.
MacTaggart said California’s new law is just the beginning, and other state governments are going to follow.
“I feel like we have made a great stride forward for the country,” he said. “If it happened here, it will happen in the rest of the country.”