California has passed an expansive digital privacy law that gives consumers greater control over their personal information, but the tech industry is now decrying the new rules, saying lawmakers rushed in.
After introducing the California Consumer Privacy Act of 2018 on June 21, legislators pushed it forward until it was passed with no dissenting votes on Thursday. Gov. Jerry Brown signed the bill just hours before a deadline to pull an even stricter initiative from the November ballot that many feared would be difficult to change if passed.
The law grants consumers the right to know what information companies like Google and Facebook are collecting and with which third parties they are sharing it. It also gives consumers the right to opt out of such data collection and subsequent sale — with no financial or service penalty — and even allows consumers to request the deletion of previously collected personal information.
Businesses are also prohibited from collecting the personal information of children under the age of 16 unless they specifically opt in to having their data collected.
After the law becomes active in 2020, companies that break compliance can be fined by the attorney general.
But industry groups say the law will hurt consumers in ways that weren’t considered as legislators rammed it through to avoid an internet-privacy ballot initiative being voted on by the public in November. The initiative’s backer, a real estate developer named Alastair Mactaggart, agreed to pull his initiative, on which he spent $3.5 million and gathered more than 600,000 signatures for, on the condition that the Consumer Privacy Act be enacted before the ballot deadline Friday.
Google, Facebook, Verizon, Comcast and AT&T each contributed $200,000 to a committee opposing the ballot measure, and the New York Times reports that the industry would spent up to $100 million to campaign against it.
The Internet Association, an industry group that includes companies like Google and Facebook, said the law was passed without public discussion, but the group did not attempt to stop the bill for fear of the ballot measure.
“It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike,” the group said in a press release.
The law is not as sweeping as the European Union’s new General Data Protection Regulation, but it’s still gained strong support from privacy advocates for offering more consumer protection against an economy built around selling personal information than any other state law.
James Steyer, the founder and chief executive of Common Sense Media, a San Francisco-based nonprofit that advocates for safe media and technology for children and families, said in a statement that California could become a model for other states to follow.
“Today was a huge win and gives consumer privacy advocates a blueprint for success,” Steyer said. “We look forward to working together with lawmakers across the nation to ensure robust data privacy protections for all Americans.”
Lawmakers have said they plan to pass “cleanup bills” to fix the law in the coming months.
While the new law includes provisions prohibiting companies from penalizing consumers who opt out of data collection, industry groups argue that might be counterproductive.
“This legislation will undercut access to free content and services by prohibiting companies from penalizing consumers who opt out of sharing their personal data,” Daniel Castro, vice president of the Information Technology and Innovation Foundation, said in a statement. “California has just created a classic free-rider problem, and anyone who has studied economics knows it will not end well.”
Castro says internet users in other states will end up underwriting the the costs companies face in complying with the new California law.
The law bars companies from selling users’ data, but some detractors argue that companies can still “share” the data and that loopholes in the law will allow companies to penalize consumers who seek more privacy.
“For the first time California is explicitly allowing ‘pay for privacy’ deals that are in direct contradiction to our privacy rights,” said Emily Rusch, executive director of the nonprofit California Public Interest Research Group.
California’s lawmakers are not alone in their push to protect consumer data. Many states have passed restrictions less stringent than California’s regarding personal data collection, and now states are beginning to place restrictions on the companies that broker personal data.
Vermont enacted a first-of-its kind bill in May that requires data brokers — companies that aggregate and sell data about consumers without a direct relationship to those consumers — to register with the state and disclose their practices.
The Vermont law provides that the state can exercise its “traditional police powers” in protecting disclosure of personal information that could potentially harm consumers. It also requires that registered data brokers meet “adequate security standards” so as to protect consumers from potential data breaches.
A similar bill failed to pass in Washington state, but Republican Rep. Norma Smith told StateScoop she plans to revisit the bill in the next legislative session. Data brokering, which Smith characterizes as companies “monetizing your personhood,” has captured the attention of both parties in her state.
“That is not free enterprise,” Smith said of data brokering. “Free enterprise, which is the cornerstone of our economy, is based on a voluntary relationship. … If someone is profiting from their ability to collect data about me without my knowledge and I am their product but I have no say in their product, I don’t want their product, I have no say in whether or not it’s accurate — I believe that is a serious issue.”