California just passed the country’s toughest online privacy law

By Sean Captain

June 28, 2018

While all eyes were on California’s foundering net neutrality bill, state legislators were scrambling to create an at least equally important and powerful online privacy law by combining efforts from several politicians and advocates.

In marathon legislative sessions today, it passed both the state’s Senate and Assembly unanimously. Governor Jerry Brown quickly signed the legislation. Originally known as AB375 for its origins in the state Assembly, the new law, called the California Consumer Privacy Act, goes into effect in January 2020–leaving plenty time for further haggling over specifics.

AB375 is rooted in the right of privacy added to the California constitution in 1972. In essence, it provides all California residents the right to know what data is being collected on them, for what purpose, and with whom it’s being shared. The legislation further requires companies that collect this data to delete all of it upon request.

If these terms sound familiar, it may be due to the flood of emails you got from online companies about their compliance with the European Union’s GDPR, which took effect in May. That’s no coincidence. “It would closely track the European privacy legislation GDPR,” said AB375’s co-sponsor, Assembly member Ed Chau, during the floor debate.

In addition, AB375 would prevent companies from charging more to, or otherwise discriminating against, consumers who ask to have their data deleted (although companies can pay people extra for data). The big caveat to the last provision: “except if the difference is reasonably related to value provided by the consumer’s data.” Many online products are “free,” in that users “pay” with their data, and Silicon Valley companies wanted to preserve their right to deny or restrict those services for people who don’t share.

As if all those privacy provisions weren’t enough, AB375 requires companies to notify California consumers if any of their data has been stolen in a security breach. It also allows consumers to sue companies over breaches for an amount between $100 and $750 dollars, or for monetary damages–whichever amount is greater. These provisions can from a separate bill, SB-1121, by Senator Bill Dodd, who became a cosponsor of today’s giant legislation.

The rush to pass the bill came in response to a ballot initiative effort: the California Consumer Privacy Act, which would have enshrined online privacy protections in the state Constitution. Supporters agreed to pull the initiative if the legislation passed, and June 28 was the deadline for actions on ballot initiatives.

 

Quick reminder why what California does is so important: It has outsize influence on the entire country as the biggest state by population and as the home of many global tech companies affected by these laws.

Tech companies played some role in AB375, in that they didn’t oppose it as vigorously as the loathed, stricter ballot initiative. Concessions are seen, for instance, in an extensive list of exceptions to the requirements–although many appear reasonable. For instance, companies don’t have to delete data from customers if they need it to detect security incidents, prevent fraudulent or illegal activity, or comply with requests from law enforcement.

The rushed nature of the bill is clear in its wordy, sometimes redundant text. The rapid creation of AB375 ensures that the debate over its details is far from over. Assembly member Chau conceded in his final floor speech that the law is not perfect, adding, “I will work with all stakeholders to see how we can fine-tune this law before its implementation date of January 2020.”

Stay tuned.

CORRECTION: This article has been updated to better reflect the role of tech companies in the legislation.

 

(18)