A data privacy bill in California is just a signature away from becoming law over the strenuous objections of many tech companies that rely on surreptitious data collection for their livelihood. The California Consumer Privacy Act of 2018 has passed through the state legislative organs and will now head to the desk of Governor Jerry Brown to be enacted.
Update: The Governor has signed it and the bill will take effect at the end of next year:
The law puts in place a variety of powerful protections against consumers having their data collected and sold without their knowledge. You can read the full bill here, but the basic improvements are as follows:
- Businesses must disclose what information they collect, what business purpose they do so for and any third parties they share that data with.
- Businesses would be required to comply with official consumer requests to delete that data.
- Consumers can opt out of their data being sold, and businesses can’t retaliate by changing the price or level of service.
- Businesses can, however, offer “financial incentives” for being allowed to collect data.
- California authorities are empowered to fine companies for violations.
As you can imagine, that puts something of a damper on the businesses of Facebook and Google in particular, and indeed those companies have aligned with others in opposition to the law, either individually or via trade organizations.
Naturally, internet providers like AT&T and Verizon, which have for years made money from sharing the data of their customers with third parties, are also opposed.
It’s the kind of law one feels one could almost get behind without reading it, since it makes all the right people angry.
The bill heading to the governor’s desk is actually a slightly hasty alternative to one proposed by moneyed activist Alastair Mactaggart, who organized a ballot initiative to put it up for a vote in November. But he promised to withdraw the measure if legislators put together their own version by today — which they have done.
Mactaggart’s proposal would have been even more restrictive, so lawmakers were put in a bind. The vote isn’t a sure thing. But if they waited and the measure passed, they would look weak and be forced into creating a law not of their own devising. But if they did something now, they could exert more control and look responsive ahead of the midterms.
It may only be a state law, but California is of course a highly influential and populous state, not to mention the one where a great deal of tech companies are based. So the effect of this law will have more than merely a local effect. After the Broadband Privacy Rule got nixed consumers found themselves in a bind, and now net neutrality has been negated as well — but states are picking up where the feds let it drop and may prove to be a powerful deterrent to the types of behaviors enabled in this regulatory vacuum. That is, if their own legislators don’t sabotage themselves.
If the law passes the governor’s desk, the law still won’t take effect until January 1, 2020, giving companies time enough to both fight it and prepare for it.