Lawmakers in California have introduced a sweeping privacy bill to the state legislature that would give Californians unprecedented control over their data and rein in the power of their Silicon Valley neighbors.
Introduced by State Assembly member Ed Chau and state senator Robert Hertzberg, the bill would allow California residents to find out what information businesses and data brokers collect about them, where that information comes from, and how it’s shared. It would give people the power to ask for their data to be deleted and to order businesses to stop selling their personal information. It places limits on selling data on users younger than 16 years of age, and prohibits businesses from denying service to users for exercising their rights under the bill.
“All these new technologies are able to gather information about where you are, when you are, what your heart rate is,” Hertzberg tells WIRED. “It’s critical that government is on its toes.”
Concerns about data privacy grew louder this year after news broke that Facebook had allowed a political firm called Cambridge Analytica to amass data on as many as 87 million Americans without their knowledge in advance of the 2016 election. Facebook CEO Mark Zuckerberg was called before Congress and the EU Parliament to answer for the scandal, but what has become abundantly clear in the months since is that Facebook is hardly alone in hoovering up user data and spreading it around liberally to app developers and advertisers.
The California bill joins a wave of international interest in privacy legislation, most notably the passage of the General Data Protection Regulation in the European Union, which requires companies to clearly articulate what data they’re collecting, obtain user consent, and give users a portable copy of their record if requested, among other things. With this legislation, Chau and Hertzberg are hoping to give Californians some of the same rights and protections that Europeans now enjoy.
The bill has already received praise from the advocacy group Californians for Consumer Privacy, which has sponsored a separate ballot initiative called the California Consumer Privacy Act of 2018. That initiative would include some of the same provisions as the current bill. The group had gathered roughly 625,000 signatures to get the initiative on the ballot in November, but now, according to a statement from its chair, Alastair Mactaggart, it will withdraw the initiative if the bill passes before next week’s withdrawal deadline.
“This legislation, like the initiative, would provide simple, powerful rights to Californians: Tell me what you know about me. Stop selling it. Keep it safe,” Mactaggart said in a statement.
Tech companies rallied in opposition to the ballot initiative through a group called the Committee to Protect California Jobs, which argued that the task of enforcing a state-specific rule would place an undue burden on businesses. “It makes no sense to attempt to wall off our state cutting off Californians from convenient services,” the committee said in a statement in May. “The only real beneficiaries of this measure will be trial lawyers, who will be allowed to sue businesses for violation of the measure even if they cannot prove anyone has been harmed.”
Hertzberg’s office spent hours negotiating with Mactaggart, in hopes of finding a legislative compromise that would eliminate the need for a ballot initiative and make the law more amenable to businesses. “The biggest issue, everyone will tell you, is liability,” Hertzberg says. “One of the great concerns by the big companies is that they’re targets.”
The bill attempts to alleviate that concern by giving the state attorney general the power to enforce the law, eliminating the right to private action by citizens, except in the case of a data breach. This provision will likely subsume an earlier bill that passed the state legislature, which aimed to make it easier for California citizens to sue companies for data breaches. That bill also elicited fierce opposition from the business community and the Chamber of Commerce. The new bill also funnels a portion of penalties from companies that violate these rules to a so-called Consumer Privacy Fund, which would be used to offset the costs to the state of enforcing the law.
Hertzberg acknowledges that the tech industry “still hates” what he’s putting forward, but he says their only options are either waiting out the results of the ballot initiative in November or backing this, more moderate bill. “As we like to say: Door number one or door number two?”
Some companies have already overhauled their privacy permissions in preparation for GDPR. Facebook, for one, is launching a product called Clear History that will enable users to see which apps and advertisers they’ve interacted with and clear that record. They can also opt to turn off having that information stored in the future. “It’s something privacy advocates have been asking for—and we will work with them to make sure we get it right,” Zuckerberg wrote in a Facebook post announcing the feature.
Hertzberg hopes that if the bill passes, it will pressure businesses to apply the new California rules to users across the country. He points to California’s history of setting industry standards in automotive fuel emissions and energy standards for refrigerators as evidence that’s possible.
For now, the legislation applies only to California residents. But as long as congressional gridlock stifles any efforts to develop nationwide privacy rules in Washington, Hertzberg expects this bill to serve as a model for other state governments.
“Once this is done, you’ll see a copy of this bill passed in all 50 capitals, because we don’t have confidence in the federal government,” he says. “There’s been a real resurgence in states being the incubators of democracy.”