California state legislators passed a sweeping digital privacy law at the end of June, giving consumers increased control over their online data. The legislation also gives internet users in the state greater insight into how their information is collected and spread by technology companies. The bill, which evolved from draft into law in less than a week, passed through the California State Legislature without opposition. It was signed into law by Governor Jerry Brown in advance of a deadline that would have seen an even tougher measure placed on November’s ballot.

The new law is the latest in a growing number of privacy laws passed around the world, seeking to give users more control over – and knowledge about – the proliferation of their personal information online. In this post we’ll take a closer look at what the new law accomplishes, why opponents were against the bill, how it compares to key legislation elsewhere in the world, and what this might mean going forward.

What does this new law do?

The new law, which goes into effect in January 2020, requires companies to disclose the types of data they collect about consumers, why they are collecting the data, and the parties they are sharing that data with. Consumers have the right to opt out of having their data sold, as well as the ability to tell companies to delete their information. The legislation prevents companies from giving lesser service to consumers who opt out and places restrictions on sharing or selling data on children under 16 years of age. Failure to comply will result in fines from California’s attorney general.

How does it compare to the GDPR?

The California law is expansive by United States standards, but not nearly as stringent as Europe’s General Data Protection Regulation, or GDPR. While the two laws differ in level of detail, they are similar in spirit. The GDPR requires businesses to clearly detail how an individual’s data is being used and makes it more difficult to target advertising via personal information. Users can reduce the amount of data made available through their browsing activity, request that companies release data for them to review, and even call for it to be deleted. Non-compliance can result in fines upwards of $1 billion.

Privacy laws limiting what companies can do with consumer data have been few and far between in the United States. While the California legislation may not be as comprehensive as its European counterpart, it is an important victory for American privacy advocates. Aleecia M. McDonald, an incoming assistant professor at Carnegie Mellon University who specializes in privacy policy, told the New York Times that California’s privacy measure was “a step forward, and it should be appreciated as a step forward when it’s been a long time since there were any steps.”

Opposition

Technology and business lobbyists, whose power and influence in California politics quashed a similar measure from last year, were against the law, with power players Google, Facebook, Verizon, Comcast and AT&T each contributing $200,000 to an opposition committee. But opponents were ultimately pleased that this law passed, as opposed to the ballot initiative spearheaded by $3 million in funding from real estate developer Alastair Mactaggart.

Robert Callahan, vice president of state government affairs at the Internet Association (which counts Google, Facebook, and Amazon among its members), stated that, despite the “problematic provisions” of the law, the group was pleased “it prevents the even worse ballot initiative from becoming law in California.” He added that the Internet Association would “work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create.”

The ballot initiative represented a significant liability risk to the industry, to the point that companies were prepared to contribute up to $100 million to campaign against it had it reached the ballot in November. That initiative would have removed barriers that prevent private citizens from suing companies that do not adhere to its privacy requirements, and industry groups expressed concern about the massive potential liability risk.

What does it mean going forward?

While Mactaggart was pleased with the passage of a “sensible” privacy law regardless of how it got done, some legislative proponents were disappointed that the law passed so quickly (motivated in part by public backlash from the Cambridge Analytica scandal). Some lawmakers felt pressured to vote for the law because the ballot measure would have limited the ability to make future changes to the legislation. Numerous privacy advocates were disappointed that the bill did not go far enough and expressed concern that lobbyists will use the window between passage and when the law goes into effect to weaken its provisions. Mactaggart discounted those concerns, stating that “having gotten this right, [the privacy law] will be very hard to take away.”

State senators were championing the law despite lingering discontentment. “This is a huge step forward to people all across the country dealing with this very challenging issue,” said Bob Hertzberg, a Democrat and a co-author of the bill. Additional “cleanup bills” are expected between now and 2020 to further refine the law. Whether other states follow suit with their own privacy legislation is an open question, but growing awareness about consumer data and how companies use it means this is likely not the last piece of privacy legislation in the United States.