Trend-setting California is leading the charge of consumer data privacy protection by unanimously passing the California Consumer Privacy Act of 2018. Passed and signed into law by Gov. Jerry Brown in late June, the act goes into effect January 2020.
In a perfect compromise, neither side of the issue is too happy with the act. Robert Callahan, speaking for the lobby group Internet Association (IA), said in a statement, “Maintaining people’s privacy and security has always been and remains a top priority of Internet platforms. Trust with IA member products and services is essential to a thriving Internet, and the Internet industry is committed to providing people with information and tools to make informed choices about how their personal information is used, seen and shared online.”
Meanwhile, proponents of more stringent data privacy are concerned that the law does not go far enough. Nicole Ozer, Technology and Civil Liberties Director for the ACLU of California, said, “This measure was hastily drafted and needs to be fixed. When that happens next year, effective privacy protections must be included that actually protect against rampant misuse of personal information, make sure that companies cannot retaliate against Californians who exercise their privacy rights, and ensure that Californians can actually enforce their personal privacy rights.”
About being “hastily drafted,” the act was indeed passed and signed at warp velocity. This was because an even tougher, less flexible initiative was set to go on the ballot in November. Funded by Alastair Mactaggart, a San Francisco real estate developer, the initiative California Consumer Privacy Act, the ballot initiative was going on the ballot unless California lawmakers passed a privacy law themselves by the deadline to withdraw the initiative June 28.
Assembly member Ed Chau and state Sen. Robert Hertzberg introduced the legislation June 21. It went through both the State Assembly and the Senate, landing on the governor’s desk by June 28.
It applies to all companies that conduct business in the state and collect data.
Requirements of the New Privacy Act
The California Consumer Privacy Act requires that companies that collect data notify consumers that they are collecting data, why they are collecting the data and what data they are collecting as well as with whom they are sharing the data collected. Consumers can bar a company from selling that data. Consumers can also demand that companies delete any data gathered on them. The law requires parents to opt-in for kids under 13. Kids between 13 and 16 must opt-in to data gathering activities.
Under the new law, data breaches will get costly for data collecting companies. It gives consumers the right to sue and collect up to $750 per violation. If the state attorney general steps in, intentional violations are up to $7,000 per violation. For individuals as well as state lawsuits, companies have up to 30 days to fix the problem, although it’s not clear yet how one fixes the cow from having gotten out of the barn.
In a perfect compromise, there is also something for everyone. The two years until the California Consumer Privacy Act goes into effect allows machinations from both sides of the issue. In the end, will it be a more strict law than it stands today or will Big Tech prevail? Stay tuned, because as California goes, so goes the rest of the nation.