After a unanimous (and hurried) vote, California lawmakers have passed a new data privacy bill which aims to give residents of California more control over the information collected about them by businesses, and introduce penalties for those businesses that do not comply. The Act has been described as the toughest privacy laws to be passed in the country, as it will require companies holding large amounts of personal information to disclose the type of data they collect, and provide consumers with the right to opt out of their information being sold.

The “California Consumer Privacy Act of 2018 (AB 375)” (the Act) was introduced by state senators Rob Hertzberg and Bill Dodd and the assembly member Ed Chauto to defeat a much tougher data privacy backed by over 600,000 Californians. The ballot was put forward by “Californians for Consumer Privacy”, a consumer lobbying group, who said that they would withdraw the ballot motion if the Act was passed.

The ballot initiative represented an extreme reinterpretation of the EU’s General Data Protection Regulation (which came into force on 25 May 2018) and posed a serious threat to Silicon Valley as it called for:

  • The right for Californians to sue companies directly for data misuse and rule infringement;
  • The inclusion of a highly visible “Don’t Sell My Data” homepage button and the right for Californians to still receive services at the same price and quality after clicking said button (directly impacting freemium services like Spotify); and
  • Restrictions on how personal data could be used for ads.

However, the real issue giving lawmakers and Silicon Valley a headache was that the ballot initiative contained a rider that made it tough to modify or overturn, as if passed, it could only be repealed by two-thirds of the popular vote (or else modified by a 70% vote from both state houses).

The new Act takes effect in 2020 and provides that:

  • Consumers will have the right to request a record of their personal data that companies are holding, as well as find out what the organisation that holds their data is doing with it, and details about any third-parties that they have shared it with;
  • Any business storing personal data of their consumers will have to now disclose the details of any third parties that they are selling the data to. Consumers will have to opt-in to having their data shared, so businesses will have to ensure that consent is given; and
  • Consumers will now have the right to have any personal data stored by a company erased from their system, and companies will have to comply with their request.

Mark Rotenberg, executive director of the Electronic Privacy Information Centre said in a statement that “this is a milestone moment for privacy law. The California Privacy Act sends a powerful message that people care about privacy and that lawmakers will act.”

Passing the Act as legislation thus avoiding the restrictions on modifications and amendments had it been a ballot motion means the Act should be flexible and allow it to be adapted to the needs of consumers as the technology industry continues to develop. However, Facebook, Google, Comcast, AT&T and Verizon all donated $200,000 to create a $1m fund to oppose the Act and Silicon Valley will not doubt spend the interim period before it comes into effect lobbying to dilute its impact.

The Internet Association, a lobbying group representing the likes of Uber, Google, Microsoft and Amazon, said that there was not enough public debate around the bill, suggesting that it will create a “last minute deal for California’s consumers”as a result.

Senator Hertzberg believes the Act will act as somewhat of a compromise for consumers and companies, since the California Attorney General will be responsible for enforcing the law, rather than relying on private actions by citizens. Companies can be penalised up to $7,500 for each violation of the Act which many commentators view as an insignificant deterrent (though if that were applied to each user of an online service, the fines could quickly add up).