Last week, California's legislature quickly introduced and passed new privacy legislation that sees the state implementing the strongest privacy controls of any state in the U.S. The new law gives a raft of new rights to consumers, aiming to bring more transparency to the murky trade in people's personal data.
The law, AB 375, gives consumers the right to ask businesses for the types and categories of personal information being collected. It also requires businesses to disclose the purpose for collecting or selling the information as well as the identity of the third-party organizations receiving the data. Consumers can also request data be deleted and initiate civil action if they believe that an organization has failed to protect their personal data.
"AB 375 responds to the recent data breaches that have affected millions of people - those experienced by Target, Equifax, Cambridge Analytica, and many more," Assemblymember Ed Chau and fellow co-authors of the bill say in a press release. "The collection of our information combined with data breaches has raised concerns from internet users worldwide."
California Governor Jerry Brown signed the bill into law on Thursday.
Parts of AB 375 closely mirror Europe's General Data Protection Regulation, which has been enforced by the EU's privacy watchdogs since May 25. The passage of GDPR was driven in part by European regulators' scrutiny of companies such as Google and Facebook and increasing worries over the buying and selling of people's personally identifiable information.
Some companies, including Microsoft, have promised to comply with GDPR's everywhere in the world that they do business, meaning the European regulation is already having a global impact. Some other organizations, however, appear to have responded differently. In April, Facebook moved 1.5 billion users' data out of Ireland.
The passage of the new California law was spurred by the actions of the Californians for Consumer Privacy, a group largely funded by Alastair Mactaggart, a real estate developer, which was set to field a ballot initiative in November called the California Consumer Privacy Act of 2018.
According to NPR, Mactaggart embraced privacy issues after speaking to a Google engineer, who indicated that consumers have no grasp of the breadth of data collected by online companies. Californians for Consumer Privacy
Californians for Consumer Privacy, which promised to pull its ballot initiative if the legislature passed a new law, hailed AB 375's passage. "We took on the richest and most powerful companies the world has ever seen and today we wake up with a law, AB 375, that gives Californians the most sweeping, comprehensive and empowering consumer privacy rights in the country," the group says in a statement.
"This outcome is a win for both industry and consumers. The initiative was well-intentioned but deeply flawed in many ways, and it would have hurt both consumers and industry," say BakerHostetler privacy attorneys Alan L. Friel and Niloufar Massachi in a blog post.
Squeezing Tech Giants
The data collected by online companies is immensely valuable for targeted advertising, third-party marketing efforts and efforts to predict consumer behavior, such as political messaging.
Privacy activists have warned for years that the trade in this data poses risks if it is sold, lost, stolen or abused. But the issue has taken on new urgency following the Facebook data scandal, which revealed that profile data on millions of users had been transferred to the now-defunct data-profiling firm, Cambridge Analytica, which reportedly assisted President Donald Trump in his election campaign (see Facebook: 87M Accounts May Have Been Sent To Cambridge Analytica).
Although the technology industry has resisted regulation, Californians for Consumer Privacy put it in a squeeze. The group gained more than 629,000 signatures to put an initiative called California Consumer Privacy Act on the ballot in November.
California has a process by which voters can directly approve legislation, and Mactaggart spent $3.5 million of his own money to get the initiative rolling.
Despite the passage of AB 375, however, it's not yet a done deal. The law doesn't go into effect until Jan. 1, 2020, and until then, it can be amended.
There are signs that the technology industry isn't going to stand by. The Internet Association, composed of Amazon, Facebook, Google, Uber and many other billion-dollar technology firms, has dubbed AB 375 a "last-minute" deal that needs to be corrected.
"It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California's consumers and businesses alike."
"Data regulation policy is complex and impacts every sector of the economy, including the internet industry," the Internet Association says. "That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning.
"The circumstances of this bill are specific to California," it continues. "It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California's consumers and businesses alike."
Privacy Power To The People
In many ways, AB 375, which will be enforced by the state Attorney General's Office, reshapes the balance of power between services and their users in California.
Companies are required to inform consumers about what types of data they're collecting prior to the data being collected, as well as its commercial purpose.
The law as it now stands also lets consumers opt out from the sale of their personal information. If a consumer selects that option, businesses cannot charge those people differently or offer a poorer quality of service. There is an exception, however, "if the difference is reasonably related to value provided by the consumer's data," the text of the law states.
If people consent to their personal data being collected, they can still request the categories of information under which that data will be classified, as well as "the identity of third parties to which the information was sold or disclosed," the law reads.
The law also touches on children's data. Specifically, AB 375 prohibits the sale of personal data for individuals between the ages of 13 and 16 years unless they specifically opt in. For anyone under the age of 13, a parent or guardian must provide consent, which is referred to in the law as the "right to opt in."
As in Europe under GDPR, California consumers have the right to request a copy of any data that a U.S. organization might be storing on them, as well as the right to request that it be deleted.
In certain circumstances, consumers have the right to undertake civil actions against a service in the event of a data breach or exposure. That includes if data has been stolen via unauthorized access or exposed without having been encrypted or redacted.
Damages range from $100 to $750 per consumer per incident, or based on "actual damages, whichever is greater," AB 375 states.