California, home to many of the world’s top tech companies, has become the first state in the nation to enact a law that, in large part, mirrors the data protection and privacy standards of the European Union’s General Data Protection Regulation.
On Thursday night, after a whirlwind day of activity in the state legislature, Gov. Jerry Brown signed the bill, the California Consumer Privacy Act of 2018, into law. It empowers consumers to control how companies use, sell, or share their personal data. Similar to the recently passed EU standards, California customers will also have the right to demand that specific data be deleted from an online enterprise’s databases.
The legislation builds upon longstanding privacy protections in the state.
In 1972, California voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people. “Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information,” it says.
Subsequently, the California legislature adopted specific measures to safeguard residents’ privacy, including the Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act, and Shine the Light, a California law intended to provide residents the “who, what, where, and when” of how businesses handle consumers’ personal information.
California, a prologue to the 2018 bill explains, “is one of the world’s leaders in the development of new technologies and related industries.”
“Yet the proliferation of personal information has limited Californians’ ability to properly protect and safeguard their privacy,” it adds. “It is almost impossible to apply for a job, raise a child, drive a car, or make an appointment without sharing personal information. As the role of technology and data in the daily lives of consumers increases, there is an increase in the amount of personal information shared by consumers with businesses. California law has not kept pace with these developments and the personal privacy implications surrounding the collection, use, and protection of personal information.”
Inside the California Consumer Privacy Act
Beginning January 1, 2020, the legislation will:
Grant a consumer the right to request deletion of personal information and require the business to delete that data upon receipt of a verified request;
Grant a consumer a right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of third parties to which the information was sold or disclosed;
Authorize a consumer to opt out of the sale of personal information by a business and prohibit a company from discriminating against consumers for exercising this right, including by charging a different price or providing the consumer a different quality of goods or services;
Authorize businesses to offer financial incentives in exchange for the collection of personal information;
Prohibit a business from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized;
Provide for its enforcement by the Attorney General and provide a private right of action in connection with certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information;
Create a Consumer Privacy Fund funded by fines and penalties; and
Authorize a business, service provider, or third party to seek the Attorney General’s opinion on how to comply with its provisions.
Among the personal data companies collect and profit from, it notes: where a consumer lives and how many children a consumer has, how fast a consumer drives, their personality, sleep habits, biometric and health information, financial information, and precise geolocation information.
To drive the need for legislative action home, the bill reminded legislators of March revelations that, through Facebook, tens of millions of people had their personal data misused by the data-mining firm Cambridge Analytica. The list of other data breaches keeps growing with high-profile data leaks at Uber, Yahoo, Equifax, and, most recently, Exactis, a Florida-based marketing and data-aggregation firm that exposed information on individuals and businesses involving as many as 340 million records.
A covered "business" is defined in the law as any for-profit entity that either does $24 million in annual revenue; holds the personal data of 50,000 people, households, or devices; or does at least half of its revenue in the sale of personal data. Consumers, for purposes of the law, are defined as California residents, specifically “every individual who is in the state for other than a temporary or transitory purpose,” and “every individual who is domiciled in the state who is outside the state for a temporary or transitory purpose.”
The law would be enforced by the state attorney general and create a private right of action for unauthorized access to a consumer's personal information. Failure to address an alleged violation within 30 days could lead to a $7,500 fine per violation, which could be per record or customer file.
California’s legislation will supersede a proposed ballot initiative, the California Consumer Privacy Act, financed by real estate mogul Alastair Mactaggart and a coalition he founded—Californians for Consumer Privacy. His efforts raised more than $3 million and collected more than 625,000 signatures to put their proposal up to a statewide vote. The initiative was slated to appear on November ballots.
The proponents, however, agreed to withdraw their ballot initiative if state legislators met a June 28 deadline for passing their own bill. That date was also the state’s deadline for removing items from the November ballot.
Against that backdrop, Assembly Bill 375 was pulled from the legislative backlog in response and resubmitted to both chambers of the state legislature by Democrats Sen. Bob Hertzberg and Assembly Member Ed Chau.
“[This] will be the best privacy law in the country,” Hertzberg said. “It integrates many of the elements of the initiative and provides Californians with significantly more control over personal information alongside an explicit protection of those rights.”
“At a time when federal regulators are rolling back protections, we’re moving forward here in California,” said California Senator Bill Dodd. “This bill will be the strongest of its kind in the nation and enact safeguards we need in the 21st Century. Big Data is Big Business. It’s time we regulate it appropriately and hold bad actors accountable.”
Throughout the legislative process, some of California’s largest tech companies had lobbied, typically behind-the-scenes, to either kill or rewrite any legislative effort spawned by the ballot initiative.
According to records on file with California’s Secretary of State, donors to the Committee to Protect California Jobs, a coalition fighting the ballot initiative prior to the new legislation, included the Alliance of Automobile Manufacturers (donating $200,000 towards lobbying costs), AT&T ($200,000), Comcast ($200,000), Facebook ($200,000), Google ($200,000), Verizon ($200,000), Amazon ($195,000), and Microsoft ($195,000).
Facebook later announced in April, after a series of tense data privacy hearings before Congress, that it was dropping its opposition.
“Now that they have seen the error of their ways, we hope they will work with us proactively to protect the personal information of all Californians, and support us publicly and financially,” Mactaggart said at the time. “We call on the remaining corporations who have contributed to the Super PAC opposing this common-sense measure to drop their opposition. Google, AT&T, Verizon and Comcast: if you are not selling our personal information, why are you spending a million dollars to oppose us? Voters overwhelmingly support this measure, and protecting consumers is not only a good business decision, but the right thing to do.”
The Internet Association, whose membership includes many of California’s tech companies, would later announce that, despite lingering concerns, it would step away from any effort to derail a data privacy bill.
“Maintaining people’s privacy and security has always been and remains a top priority of internet platforms,” Vice President of State Government Affairs Robert Callahan said in a statement on Thursday evening after the bill’s passage and gubernatorial enactment. “Trust with IA member products and services is essential to a thriving internet, and the internet industry is committed to providing people with information and tools to make informed choices about how their personal information is used, seen, and shared online.”
“Data regulation policy is complex and impacts every sector of the economy, including the internet industry,” he added. “That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning. The circumstances of this bill are specific to California. It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.”
Chau, for his part, conceded that the legislation he helped draft will likely need to be closely reviewed.
“The attorney general may have some issues that we need to fine tune,” he said during a press conference on Thursday. “There also may need to be some immediate technical clean-up we must work on.”