California has passed a sweeping privacy law that gives consumers the right to demand that their data be deleted and to bar companies from selling their data without them losing access to services or being charged a higher price.
The bill, passed today by the state’s legislature and quickly signed by Gov. Jerry Brown, affects all companies that do business in the state and collect data. It requires those businesses to disclose information they store, what purpose it’s for, and with which third parties it’s shared.
For data breaches, consumers may be able to sue for up to $750 for each violation, while the state attorney general can sue for intentional violations of privacy at up to $7,500 each. For both consumer and state lawsuits, companies have to be given 30 days to fix the problem.
The act takes effect Jan. 1, 2020.
The legislature barreled the act through introduction to passage in a matter of days, as a stricter citizen’s initiative with a similar approach was destined for the November ballot. It let consumers sue for as much as five times as much per violation.
California often acts on technology, privacy, and environmental issues in advance of other states and the federal government, and this measure could serve as a catalyst for other states to pass similar or identical laws.
A number of tech giants strongly opposed the initiative and the legislative measure, although individual companies and groups representing them articulated few reasons. A Google executive said the act would have unintended consequences, but didn’t enumerate possibilities. A cellular operator trade group, the CTIA, said state-specific rules would confuse consumers and stifle innovation, especially if other states pile on.
Many technology companies have faced criticism over disclosures both about what data is collected and how, as well as their actions when they discover privacy flaws or data breaches.
However, the California act will affect any business that has customers in California that meet one or more of the following tests: gross at least $25 million annually; interact with information to 50,000 or more people, households, or devices; or make half its annual revenue from selling personal information.
The landmark bill has elements in common with the General Data Protection Regulation (GDPR) that the European Union imposed on its member states and some affiliates in late May. The GDPR roiled many websites and advertising networks, despite the long advance notice of its effective date, leading some media companies to block access to E.U. readers.
Unlike the GDPR, however, the California measure doesn’t require opt-in permission to collect information, nor any right to opt out short of complete deletion. Rather than a disclosure, the Consumer Privacy Act makes consumers act to request information, which then must be provided.
The ballot initiative that spurred the fast passage of this bill was the work of housing developer Alastair Mactaggart, who contributed $3 million as of June 23 for signature gatherers and other expenses. However, Amazon, Facebook, Google, Microsoft, Uber, and other tech companies planned to spend as much as $100 million opposing it if it had reached the ballot. Mactaggart said he’d withdraw the initiative if the legislature crafted a bill that had sufficiently similar protections as his.
The Consumer Protection Act gives businesses a loophole to coax consumers to share their data. But that loophole— providing consumers with financial incentives—may be costly.