By Jerri-Lynn Scofield, who has worked as a securities lawyer and a derivatives trader. She now spends much of her time in Asia and is currently working on a book about textile artisans.
California’s state Senate and Assembly each unanimously passed the California Consumer Privacy Act of 2018 last week. The measure will take effect on 1 January 2020 and provides consumers with a modicum of greater control over their personal data.
Ars Technica reports in California approves privacy rules opposed by ISPs and tech companies that tech companies– including broadband providers, tech companies, and advertising groups– lobbied hard to block a more wide-ranging November privacy rights ballot initiative. The Intercept provides further detail on these efforts in GOOGLE AND FACEBOOK ARE QUIETLY FIGHTING CALIFORNIA’S PRIVACY RIGHTS INITIATIVE, EMAILS REVEAL.
The new California law appears to be a victory for those who oppose efforts to hoover up and exploit their personal data– although the legislation is more limited than the ballot initiative it now forestalls, and would be easier to unwind, requiring only a legislative majority, rather than another ballot measure, and two-thirds vote, to overturn.
In Heading off a ballot fight, California lawmakers approve consumer privacy rules. the Los Angeles Times suggests that the California model could be adopted by other states:
Under the new rules, Californians would have a right to know what information a business has about them, and have the ability to prohibit companies from selling that information and to ask businesses to delete information they provided.
Consumers would be able to sue companies if a data breach leads to their unencrypted information being exposed or stolen.
“This will serve as an inspiration across the country,” said Sen. Bob Hertzberg (D-Van Nuys), a coauthor of the bill.
The bill is intended to avert a showdown on the November ballot over an initiative backed by Alastair Mactaggart, a San Francisco real estate developer. Mactaggart said he would pull his measure, which has qualified for the ballot, once the bill was passed and signed by the governor.
Wired analyzes at further length the tech industry’s lobbying efforts to derail the more far-reaching ballot initiative, CALIFORNIA UNANIMOUSLY PASSES HISTORIC PRIVACY BILL (bulding on The Intercept’s reporting):
The tech industry did throw the full weight of its lobbying might—and money—at the fight against the ballot initiative, spending millions of dollars to oppose it through a group called the Committee to Protect California Jobs. They argued that the measure would open them up to liability that would hurt their businesses and their ability to hire. [State senator Robert] Hertzberg envisioned the bill as a compromise, in part, because it leaves the task of enforcing the law to the attorney general and takes the right to private action by citizens off the table, except in the case of data breaches.
And yet, a report by The Intercept revealed that lobbyists affiliated with the group TechNet were working behind the scenes to change crucial parts of the bill, as well, including a stipulation that businesses must include a clear button on their websites giving people the ability to opt out of data collection.
Still, in a statement to WIRED just before Thursday’s vote, TechNet’s vice president of state policy and politics, Andrea Deveau, said, “We believe that the legislature, not the ballot box, is the correct venue to consider this important and complex area of policy.”
Robert Callahan, vice president of state government affairs at the Internet Association, which represents tech companies like Google and Facebook, struck much the same tone. In a statement to WIRED, he said that while the group opposes “many problematic provisions” within the bill, it at least “prevents the even worse ballot initiative from becoming law in California.”
Facebook initially supported the opposition initiative, but pulled out publicly in April, a month after news broke that a political consulting firm called Cambridge Analytica amassed data on tens of millions of American Facebook users for political purposes without their knowledge. “We took this step in order to focus our efforts on supporting common sense privacy measures in California,” the company said at the time.
Now, in a statement to WIRED, Facebook’s vice president of state and local public policy, Will Castleberry, said that while the bill is “not perfect,” the company supports it and looks forward to “working with policymakers on an approach that protects consumers and promotes responsible innovation.”
In a largely critical account of the new California law, Businesses Blast California’s New Data-Privacy Law the WSJ implicitly acknowledges that these lobbying efforts may have had an impact. Facebook, as it happens, may actually already be compliant with the new legislation– a fact suggests that this measure does not represent the major victory for online privacy as it has elsewhere been touted:
Facebook, meanwhile, may already be compliant. Executives at the social network believe the changes to the platform in recent months to be more transparent about user data mean the company won’t need to make major additional adjustments as a result of the new law, according to a person familiar with the matter. Facebook Chief Operating Officer Sheryl Sandberg said Thursday that the company supported the bill.
Beyond Silicon Valley, most companies said they didn’t yet know what they would need to do to comply with the new law, and are waiting for the attorney general to hammer out enforcement details.
Picking up on that last point, the full impact of the measure is yet uncertain, as crucial enforcement details remain to be worked out, according to this CNET account, California’s new data privacy law the toughest in the US.
Consumers could ask for a detailed list under the this bill, which is sponsored by Assembly member Ed Chau and Sen. Robert Hertzberg, both Democrats. Couple that with the ability to say, “Hey, stop that,” and we could be on the brink of a major shift in how internet companies do business. The bill will take effect at the beginning of 2020, and the bill’s sponsors say that in the meantime they’ll work with the attorney general’s office to develop a plan to enforce the law.
Until those crucial enforcement details are settled, I’m not sure just how stringent this measure will prove to be, especially once the tech industry’s lobbying muscle is brought to bear– despite the initial applause privacy advocates provided on the measure’s passage, again as reported by CNET:
Privacy advocates cheered the new law. Marc Rotenberg, executive director of the Electronic Privacy Information Center, said the law means privacy could become an issue that impacts the upcoming midterm elections.
“This is a milestone moment for privacy law in the United States,” Rotenberg said in a statement. “The California Privacy Act sends a powerful message that people care about privacy and that lawmakers will act.”
The Internet Association, a lobbying group representing major tech companies including Facebook, Google, Uber, Amazon and Microsoft, said in a statementthere wasn’t enough public debate about the bill.
“It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike,” the group said in a statement.
That last paragraph is cause for concern, not celebration, as I’m sure the tech industry will do its utmost to see this measure neutered.