California Lawmakers Pass Sweeping Online Privacy Legislation

It goes into effect in 2020


California has passed a new law that will give state residents the most sweeping online privacy rights in the nation—and hand tech companies some of the strictest rules in the process.

State lawmakers on Thursday passed the California Consumer Privacy Act, which will allow consumers to ask companies what data they collect and also give them the option to opt out of having their information collected. The bill was signed into law by Gov. Jerry Brown on Thursday afternoon—just hours before the deadline for an even stricter proposal that would have been on the state’s November ballot, one which voters needed to approve.

“Something of this magnitude getting passed through unanimously in both chambers is really astounding,” said Omer Tene, chief knowledge officer of the International Association of Privacy Professionals, in an interview with Adweek. “If you compare it to GDPR [General Data Protection Regulations], which was negotiated over a period of five [or] six years with thousands of amendments and endless debate in the European Parliament and Commission.”

The law, which goes into effect in 2020, is seen by many as the first effort in the United States to answer the sweeping privacy rules enacted in the European Union last month, called the General Data Protection Regulations. It’s also seen as a possible gateway to national legislation in the near future—or at least something that other states might mirror as well.

“Once again California is taking the lead in protecting consumers and holding bad actors accountable,” California Sen. Bill Dodd, D-Napa, said in a statement. “My hope is other states will follow, ensuring privacy and safeguarding personal information in a way the federal government has so far been unwilling to do.”

While California had failed to pass privacy legislation in the past—state lawmakers had considered another bill in 2017—growing momentum for the ballot initiative drove the need to come up with what’s seen as a compromise between privacy advocates and tech companies that rely on massive amounts of consumer data.

While the initiative would have allowed consumers to more easily sue companies for data breaches, the version passed into law shifts much of that responsibility to California’s attorney general. The legislation also allows for companies to still provide some incentives to consumers who give up their data—such as in the form of online discounts in exchange for an email address—while the referendum would have banned any type of different treatment between those who share data and those that don’t.

Passage of the legislation was met with mixed reactions from tech companies and consumer watchdogs alike. Organizers of the ballot initiative, along with some companies such as Facebook, praised the legislation. Others such as Google criticized the bill for moving too quickly, while the American Civil Liberties Union suggested that “nobody should be fooled” into thinking the bill will protect California residents.

“This measure was hastily drafted and needs to be fixed,” Nicole Ozer, technology and civil liberties director for ACLU of California, said in a statement. “When that happens next year, effective privacy protections must be included that actually protect against rampant misuse of personal information, make sure that companies cannot retaliate against Californians who exercise their privacy rights, and ensure that Californians can actually enforce their personal privacy rights.”

Indeed, lawmakers do have some time to make changes to the legislation before it goes into effect. That’s something that would have been more difficult had it been approved in November by residents, which would have then required a 70-percent supermajority for any changes. This way, stakeholders on both sides of the issue will be able to work with lawmakers to debug some of the ambiguity around issues such as how to define personal identity and/or how to value data.

The timing also gives Congress time to pre-empt the state law by passing national privacy legislation of its own. That could also give the tech industry’s lobbying arm another way to dilute anything it doesn’t like about California’s law. But whether tech companies will or won’t go that route is something that even Silicon Valley’s best algorithms might not be able to predict.

“People should be in control of their information online and companies should be held to high standards in explaining what data they have and how they use it, especially when they sell data,” Will Castleberry, Facebook’s vp of state and local public policy, said in a statement. “We are committed to being clear with people about how our services work, including the fact that we do not sell people’s data. In that spirit, while not perfect, we support AB375 and look forward to working with policymakers on an approach that protects consumers and promotes responsible innovation.”

@martyswant Marty Swant is a former technology staff writer for Adweek.