The 2018 California Consumer Privacy Act is a law that will require technology corporations, such as Google and Facebook, to drastically alter their business models regarding data collection and privacy regulations. The legislation was unanimously approved by the state legislature on June 28 and signed by Gov. Jerry Brown (D) the same day. The bill’s quick turn around resulted from pressures that legislators faced from an upcoming November ballot initiative, which would have created more stringent privacy rules. It will go into effect on January 1, 2020.
The California bill comes after the European Union’s General Data Protection Requirement, which enacted strict privacy regulations that cracked down on data collection practices. The legislation will require websites to reveal what types of data they collect, what the data is being used for and which third party platforms are using the data. The bill will also grant users the option of preventing companies from selling their data and request that their information be deleted. Additionally, children under 16 must opt into allowing companies to collect their data at all. This bill is one of the most comprehensive policy laws in the country and sets the precedent for other states to impose stricter consumer-privacy protections.
The legislation also allows California’s attorney general to fine businesses that are unable to secure a customer’s personal information against cyber attacks. Under the new law, consumers can also sue tech companies (depending on the circumstances) for up to $750 if they discover an unauthorized data breach.
Despite the bill’s strong language, it has many shortcomings. According to Tracy Rosenberg, who is the executive director of Media Alliance, the current text of the bill allows companies to increase fees if users opt out of selling their data. Privacy advocates argue that these “pay for privacy” deals violate privacy rights. One of the bill’s clauses reads that customers are not allowed to sue unless they can prove that their data was stolen. Consumers are unable to sue for differential pricing, unauthorized sales or for data breaches. Additionally, the California Attorney General has the authority to terminate a consumer lawsuit for any reason. Rosenberg says that in the narrow event of a consumer lawsuit, attorney fees or damages are not included, making it virtually impossible to retain an attorney. Another issue with the bill is while websites are restricted from selling data without user consent, they can still share the data amongst themselves.
The ACLU of Northern California claims that the hastily drafted bill falls short of its intended promise. The organization says that when the bill is amended next year, “effective privacy protections must be included that actually protect against rampant misuse of personal information, make sure that companies cannot retaliate against Californians who exercise their privacy rights, and ensure that Californians can actually enforce their personal privacy rights.” The organization argues that the bill fails to properly address privacy concerns following the aftermath of the Cambridge Analytica scandal, which involved the British political consulting firm obtaining the personal data of 87 million Facebook users.
Major tech companies (i.e Google, Amazon, Microsoft, and Uber) are staunchly opposed to the bill and have donated thousands of dollars to a counter campaign. They argue that the bill has problematic provisions that will affect the inner workings of the economy and the internet industry. The tech giants also argue that privacy laws should be addressed by Congress, not a state-by-state basis because these online companies serve the entire globe. However, opponents conceded that the recently-passed bill was better compared to the ballot initiative because it provides more options for refining the legislation in the future. Once the voters approve the ballot initiative, the language can only be reversed or altered through another ballot initiative, or a supermajority in the senate and assembly. The ballot measure was a campaign financed by Bay Area developer Alastair Mactaggart. Mactaggart donated $3 million of his own money into the campaign and along with former CIA analyst Mary Ross and finance industry executive Rick Arney, gathered 603,000 voter signatures to get a large measure on the ballot (443,000 votes were needed). The ballot initiative would’ve allowed California residents to ask companies what personal information is being collected and request that their data not be sold. The two houses and Gov. Brown made an agreement with privacy activists that they would pass a tentative set of consumer privacy regulations by June 28 in exchange for the initiative being removed from the November ballot. The legislation was similar enough to the ballot measure that it was withdrawn. Rosenberg says that she preferred the language mentioned in the ballot initiative compared to the bill because it prevented “pay for privacy” schemes and unwanted data sharing. Rosenberg asserts that extra language was put in the bill to weaken consumer protections. Rosenberg and other privacy advocates are disappointed that the ballot initiative was removed from the ballot because it provided other options for voters unsatisfied with the legislature’s bill. “If the initiative wasn’t passed, go back to the drawing board until 2019,” Rosenberg says. “It’s now more difficult to fix something that’s already in effect.”
According to Rosenberg, the bill is subject to change, with legislators using the upcoming year as a grace period to fix any issues. She states that privacy advocates will try to strengthen the legislation while tech corporations attempt to weaken it. She acknowledges that although privacy advocates are persistent and determined, tech companies have better financial access, which might make legal negotiations more arduous. “I’m certain it will change,” she says. “If it changes for better or worse I’m not sure.”
The bill offers some of the strongest privacy policies in the United States, although Rosenberg counters that the bill is only strong because it’s the only semi-comprehensive set of privacy regulations in the nation. Rosenberg says she did not like that legislators and Mactaggart made a backroom deal that was non inclusive to privacy advocates and voters. Rosenberg and other privacy advocates also state that they were disappointed in the legislature for failing to act on the initiative sooner and only making a decision after they were forced by the ballot deadline.
Rosenberg says that making amendments to the law should be a collaborative process between residents and legislators, one that she wishes to see in 2019. “I hope the 603,000 Californians who lose their right to vote on consumer privacy protections will raise their voices to demand a broad and inclusive process to restore some of the protections they lost when the ballot initiative was pulled,” she says. “It’s imperative upon the legislature to include the voices of ordinary people, not just industry lobbyists.”