California Passes Online Privacy Law

By Jerri-Lynn Scofield, who has worked as a securities lawyer and a derivatives trader. She now spends much of her time in Asia and is currently working on a book about textile artisans.

California’s state Senate and Assembly each unanimously passed the California Consumer Privacy Act of 2018 last week. The measure will take effect on 1 January 2020 and provides consumers with a modicum of greater control over their personal data.

Ars Technica reports in “California approves privacy rules opposed by ISPs and tech companies” that industry interests– including broadband providers, tech companies, and advertising groups– lobbied hard to block a more wide-ranging November privacy rights ballot initiative. The Intercept provides further detail on these efforts in “GOOGLE AND FACEBOOK ARE QUIETLY FIGHTING CALIFORNIA’S PRIVACY RIGHTS INITIATIVE, EMAILS REVEAL.”

The new California law appears to be a victory for those who oppose efforts to hoover up and exploit their personal data– although the legislation is more limited than the ballot initiative it now forestalls, and would be easier to unwind, requiring only a legislative majority, rather than another ballot measure, and two-thirds vote, to overturn.

In “Heading off a ballot fight, California lawmakers approve consumer privacy rules,” the Los Angeles Times suggests that the California model could be adopted by other states:

Under the new rules, Californians would have a right to know what information a business has about them, and have the ability to prohibit companies from selling that information and to ask businesses to delete information they provided.

Consumers would be able to sue companies if a data breach leads to their unencrypted information being exposed or stolen.

“This will serve as an inspiration across the country,” said Sen. Bob Hertzberg (D-Van Nuys), a coauthor of the bill.

The bill is intended to avert a showdown on the November ballot over an initiative backed by Alastair Mactaggart, a San Francisco real estate developer. Mactaggart said he would pull his measure, which has qualified for the ballot, once the bill was passed and signed by the governor.

Wired analyzes at further length the tech industry’s lobbying efforts to derail the more far-reaching ballot initiative in “CALIFORNIA UNANIMOUSLY PASSES HISTORIC PRIVACY BILL” (building on The Intercept’s reporting):

The tech industry did throw the full weight of its lobbying might—and money—at the fight against the ballot initiative, spending millions of dollars to oppose it through a group called the Committee to Protect California Jobs. They argued that the measure would open them up to liability that would hurt their businesses and their ability to hire. [State senator Robert] Hertzberg envisioned the bill as a compromise, in part, because it leaves the task of enforcing the law to the attorney general and takes the right to private action by citizens off the table, except in the case of data breaches.

And yet, a report by The Intercept revealed that lobbyists affiliated with the group TechNet were working behind the scenes to change crucial parts of the bill, as well, including a stipulation that businesses must include a clear button on their websites giving people the ability to opt out of data collection.

Still, in a statement to WIRED just before Thursday’s vote, TechNet’s vice president of state policy and politics, Andrea Deveau, said, “We believe that the legislature, not the ballot box, is the correct venue to consider this important and complex area of policy.”

Robert Callahan, vice president of state government affairs at the Internet Association, which represents tech companies like Google and Facebook, struck much the same tone. In a statement to WIRED, he said that while the group opposes “many problematic provisions” within the bill, it at least “prevents the even worse ballot initiative from becoming law in California.”

Facebook initially supported the opposition initiative, but pulled out publicly in April, a month after news broke that a political consulting firm called Cambridge Analytica amassed data on tens of millions of American Facebook users for political purposes without their knowledge. “We took this step in order to focus our efforts on supporting common sense privacy measures in California,” the company said at the time.

Now, in a statement to WIRED, Facebook’s vice president of state and local public policy, Will Castleberry, said that while the bill is “not perfect,” the company supports it and looks forward to “working with policymakers on an approach that protects consumers and promotes responsible innovation.”

In a largely critical account of the new California law, “Businesses Blast California’s New Data-Privacy Law,” the WSJ implicitly acknowledges that these lobbying efforts may have had an impact. Facebook, as it happens, may actually already be compliant with the new legislation– a fact that suggests that this measure does not represent the major victory for online privacy that it has elsewhere been touted as:

Facebook, meanwhile, may already be compliant. Executives at the social network believe the changes to the platform in recent months to be more transparent about user data mean the company won’t need to make major additional adjustments as a result of the new law, according to a person familiar with the matter. Facebook Chief Operating Officer Sheryl Sandberg said Thursday that the company supported the bill.

Beyond Silicon Valley, most companies said they didn’t yet know what they would need to do to comply with the new law, and are waiting for the attorney general to hammer out enforcement details.

Picking up on that last point, the full impact of the measure is as yet uncertain, as crucial enforcement details remain to be worked out, according to this CNET account, “California’s new data privacy law the toughest in the US”:

Consumers could ask for a detailed list under this bill, which is sponsored by Assembly member Ed Chau and Sen. Robert Hertzberg, both Democrats. Couple that with the ability to say, “Hey, stop that,” and we could be on the brink of a major shift in how internet companies do business. The bill will take effect at the beginning of 2020, and the bill’s sponsors say that in the meantime they’ll work with the attorney general’s office to develop a plan to enforce the law.

Bottom Line

Until those crucial enforcement details are settled, I’m not sure just how stringent this measure will prove to be, especially once the tech industry’s lobbying muscle is brought to bear– despite the initial applause privacy advocates provided on the measure’s passage, again as reported by CNET:

Privacy advocates cheered the new law. Marc Rotenberg, executive director of the Electronic Privacy Information Center, said the law means privacy could become an issue that impacts the upcoming midterm elections.

“This is a milestone moment for privacy law in the United States,” Rotenberg said in a statement. “The California Privacy Act sends a powerful message that people care about privacy and that lawmakers will act.”

The Internet Association, a lobbying group representing major tech companies including Facebook, Google, Uber, Amazon and Microsoft, said in a statement there wasn’t enough public debate about the bill.

“It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike,” the group said in a statement.

That last paragraph is cause for concern, not celebration, as I’m sure the tech industry will do its utmost to see this measure neutered.



  1. tegnost

    Andrea Deveau, said, “We believe that the legislature, not the ballot box, is the correct venue to consider this important and complex area of policy.”….
    Andrea Deveau, said, “We believe that the {bought and paid for} legislature, not the ballot box, is the correct venue to consider this important and complex area of policy.” there, fixed it

    I’m filing complex with smart from now on
    needless to say it’s just more get in front of a riot and call it a parade

  2. Fazal Majid

    The initiative process, along with referendum and recall, was introduced by governor Hiram Johnson who ran in 1911 on an explicitly anti Southern Pacific Railroad platform. The goal was to curb a venal legislature in hock to special interests, and that’s why California has the closest thing to direct democracy of any state in the US.

    Of course special interests adapted and learned to leverage initiatives for their own ends, as with the sugary beverages industry’s effort to preempt soda taxes.

    1. Scramjett

      Of course special interests adapted and learned to leverage initiatives for their own ends…

      Do you think we’ll ever find a way to break the back of special (wealthy/corporate) interests? I have to tell you that I’m pessimistic about that possibility.

      In any case, I fully expect that this new “law” will be another case of reformist incrementalism that appears to make a difference but, in reality, does nothing.

  3. The Rev Kev

    Facebook, Google, Uber, Amazon and Microsoft may be having a hissy fit about this but could this law be designed to align with the new European Union’s General Data Protection Regulation? Certainly California is a power house of a State and if this was on the books, other States will probably want to follow. I am guessing that this Privacy Act is in fact a knock-on effect of the General Data Protection Regulation when I think about it.
    Not the first time that I have seen a law passed for the EU end up changing laws and regulations in the US if so. A coupla years ago the EU passed laws about what metals and the like could go into computers that were being imported into the EU because of the problem of getting rid of toxic waste in the EU. Silicon Valley groaned and moaned about this and asked about non-starters such as exemptions and delays but in the end had to follow those laws as the European market was too valuable to ignore or give up.

  4. lyman alpha blob

    I suppose it’s an improvement as far as it goes.

    Better would be to make it illegal to collect the data at all – if your business is dependent on being a creep and selling the info of your customers behind their back to everybody else then you shouldn’t be in business. I’m still not sure why Fleecebook and the like are allowed to follow people all over the internet whether they have a FB account or not. In meatspace, people like that are called stalkers and they get thrown in prison if they don’t knock it off – why should it be any different just because it’s done on the internet?

    I’m so old I remember being able to find and purchase anything I wanted without all these tech companies collecting my personal info in order to ‘help’ me. I cannot comprehend why these companies are valued in the billions of dollars when most of what they do is data collection. The US of A seemed quite capable of buying billions worth of cheap crap from China that they didn’t need in the first place well before the likes of FB, Amazon and Google came along.

    1. Scramjett

      Haven’t you heard that if a person breaks the law, it’s a crime, but if a company breaks the law, it’s just good business?

  5. akaPaul LaFargue

    SF had a pretty feisty free paper some years back (advocating public ownership of utilities e.g.). It went under, BUT the editor continued its tradition online with 48hills. And today it published this story about the so-called legislative “protections.”

    1. Scramjett

      Thank you for the link. I’ll add 48hills to my list of independent news sources. I’ve also listed the names of the a**hole politicians mentioned. I’d heard of Dems being ALEC stooges before, but didn’t know Nunez was one of them. It’s really depressing how corrupt the state is.
