California lawmakers unanimously passed a new privacy bill on Thursday that would give residents of the state more control over the information businesses collect on them and impose new penalties on businesses that don’t comply. It is the first law of its kind in the United States.
The so-called California Consumer Privacy Act of 2018 (AB 375) was introduced late last week by state assemblymember Ed Chau and state senator Robert Hertzberg, in a rush to defeat a stricter privacy-focused ballot initiative that had garnered more than 600,000 signatures from Californians. The group behind that initiative, Californians for Consumer Privacy, said it would withdraw it if the bill passed. The deadline to withdraw was Thursday, forcing the state legislature to fast-track the bill through the State Senate and Assembly and get it to Governor Jerry Brown’s desk by the end of the day. The law takes effect in 2020, but in some ways, Thursday’s vote is only the beginning, as business interest groups work to tinker with the legislation’s details before then.
In a statement to WIRED following landslide votes in both state houses, Hertzberg said, “Today the California Legislature made history by passing the most comprehensive privacy law in the country. We in California are continuing to push the envelope on technology and privacy issues by enacting robust consumer protections—without stifling innovation.”
The new legislation gives Californians the right to see what information businesses collect on them, request that it be deleted, get access to information on the types of companies their data has been sold to, and direct businesses to stop selling that information to third parties. It’s similar to the General Data Protection Regulation that went into effect in the European Union last month, but adds to it in crucial ways. Under the GDPR, businesses are required to get users’ permission before collecting and storing their data. But the way most companies have designed those opt-in pop-ups, “you really don’t have a choice,” says Ashkan Soltani, former chief technology officer of the Federal Trade Commission, who helped author the ballot initiative.
The ballot initiative would have prevented businesses from denying service to consumers if they opt out of having their data tracked and stored. The law contains similar language, though it creates what Hertzberg calls the “Spotify exception,” which allows companies to offer different services or rates to consumers based on the information they provide—for instance, a free product based on advertising. But, the bill states, the difference must be “reasonably related to the value provided to the consumer by the consumer’s data.”
Had the bill failed, it would have been up to voters to decide whether to support the proposal on the ballot in November. Prior to Thursday’s vote, Alastair Mactaggart, the real estate mogul behind the ballot initiative, sounded optimistic about his options. “We’re heartened by the momentum behind these endeavors, and the protections that both efforts seek to provide for consumers and our children,” he said in a statement.
But ballot initiatives are far more difficult to change once they’re passed, because amendments require yet another two-thirds majority vote on the ballot. That may be one reason why opponents within the tech industry reluctantly supported the passage of the bill, says Soltani: It’s easier to change.
“The senate can vote on amendments and the special interests can lobby on these amendments,” he says. “The reason why we haven’t been able to do anything in privacy for 20 years is because the special interests are so powerful.”
The tech industry did throw the full weight of its lobbying might—and money—at the fight against the ballot initiative, spending millions of dollars to oppose it through a group called the Committee to Protect California Jobs. They argued that the measure would open them up to liability that would hurt their businesses and their ability to hire. Hertzberg envisioned the bill as a compromise, in part, because it leaves the task of enforcing the law to the attorney general and takes the right to private action by citizens off the table, except in the case of data breaches.
And yet, a report by The Intercept revealed that lobbyists affiliated with the group TechNet were working behind the scenes to change crucial parts of the bill, as well, including a stipulation that businesses must include a clear button on their websites giving people the ability to opt out of data collection.
Still, in a statement to WIRED just before Thursday’s vote, TechNet’s vice president of state policy and politics, Andrea Deveau, said, “We believe that the legislature, not the ballot box, is the correct venue to consider this important and complex area of policy.”
Robert Callahan, vice president of state government affairs at the Internet Association, which represents tech companies like Google and Facebook, struck much the same tone. In a statement to WIRED, he said that while the group opposes “many problematic provisions” within the bill, it at least “prevents the even worse ballot initiative from becoming law in California.”
Facebook initially supported the opposition initiative, but pulled out publicly in April, a month after news broke that a political consulting firm called Cambridge Analytica amassed data on tens of millions of American Facebook users for political purposes without their knowledge. “We took this step in order to focus our efforts on supporting common sense privacy measures in California,” the company said at the time.
Now, in a statement to WIRED, Facebook’s vice president of state and local public policy, Will Castleberry, said that while the bill is “not perfect,” the company supports it and looks forward to “working with policymakers on an approach that protects consumers and promotes responsible innovation.”
The law goes into effect on January 1, 2020. The Internet Association has already hinted at efforts to modify the legislation before implementation. “It is critical going forward that policymakers and industry work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create,” Callahan said.
Since the bill was introduced last week, some of those changes have already been made. One key difference: The bill initially required businesses to share “accurate names and contact information” for third parties that bought user data over the prior year. That language has since changed, requiring businesses to merely disclose the “categories of third parties” that bought the data.
The industry’s argument, Soltani says, is that it would be too difficult for businesses to track which third parties have access to the data. “I argue the other side. If they’re sharing data with third parties, they might want to have a mechanism to keep track of who they’re sharing with,” he says.
Still, Soltani believes the law as it stands will have a tremendous impact and could set the standard for states across the country, whose citizens can press their own governments to adopt something similar. “Once people see this is possible and once companies start complying,” he says, “I think other states’ citizens will say, ‘Why can’t we have this too?’”