New York Times
California Passes Sweeping Law to Protect Online Privacy
SAN FRANCISCO — California has passed a digital privacy law granting consumers more control over and insight into the spread of their personal information online, creating one of the most significant regulations overseeing the data-collection practices of technology companies in the United States.
The bill raced through the State Legislature without opposition on Thursday and was signed into law by Gov. Jerry Brown, just hours before a deadline to pull from the November ballot an initiative seeking even tougher oversight over technology companies.
The new law grants consumers the right to know what information companies are collecting about them, why they are collecting that data and with whom they are sharing it. It gives consumers the right to tell companies to delete their information as well as to not sell or share their data. Businesses must still give consumers who opt out the same quality of service.
It also makes it more difficult to share or sell data on children younger than 16.
The legislation, which goes into effect in January 2020, makes it easier for consumers to sue companies after a data breach. And it gives the state’s attorney general more authority to fine companies that don’t adhere to the new regulations.
The California law is not as expansive as Europe’s General Data Protection Regulation, or G.D.P.R., a new set of laws restricting how tech companies collect, store and use personal data.
“It’s a step forward, and it should be appreciated as a step forward when it’s been a long time since there were any steps,” Ms. McDonald said.
The legislation is modeled closely on the ballot initiative, which a real estate developer, Alastair Mactaggart, spent $3 million and secured more than 600,000 signatures to get certified. With the ballot proposal hanging over legislators’ heads, the push for an alternative gained grudging support.
If the bill had failed to pass before the deadline, the proponents of the ballot initiative would have taken their case straight to voters in November, they said.
The state’s technology and business lobbies were opposed to the measure that was passed on Thursday, but they didn’t try to derail it because they thought the ballot initiative was worse.
Even legislators who voted for the bill complained that they had little choice because a ballot measure would provide less flexibility to make changes in the future. And some privacy advocates said the bill did not go as far as the ballot initiative in allowing individuals to sue for not complying.
Mr. Mactaggart said he wanted a sensible privacy law, whether through a ballot measure or the legislative process. He said that the Legislature was the right place to debate such a policy, but that it had been hard to get legislators to address privacy.
“If we didn’t have the initiative process in California, we wouldn’t be here today,” Mr. Mactaggart said in an interview.
One of the authors of the new law, Assemblyman Ed Chau, a Democrat, tried last year to pass a bill that would have required internet service providers to seek permission from customers before accessing, selling or sharing their browser activity. The bill never made it out of committee — an example of the influence of telecommunications and technology companies in California.
But with the ballot measure looming and a growing awareness of how technology companies are gobbling up user information — highlighted by revelations that the voter profiling firm Cambridge Analytica gained access to the personal data of millions of Facebook users — the legislation went from draft to law in one week.
“This is a huge step forward to people all across the country dealing with this very challenging issue,” State Senator Bob Hertzberg, a Democrat and a co-author of the bill, said at a news conference after it was signed.
The ballot initiative, which would have made it easier for private individuals to sue companies for not adhering to its privacy requirements, had drawn vocal opposition from industry groups that worried about the potential liability risk.
The measure included a provision that would have required a 70 percent majority in both houses of the Legislature to approve any changes after it became law.
Google, Facebook, Verizon, Comcast and AT&T each contributed $200,000 to a committee opposing the proposed ballot measure, and lobbyists had estimated that businesses would spend $100 million to campaign against it before the November election.
Robert Callahan, a vice president of state government affairs for the Internet Association, an industry group that includes Google, Facebook and Amazon, said in a statement that the new law contained many “problematic provisions.” But the group did not try to obstruct it, he added, because “it prevents the even worse ballot initiative from becoming law in California.”
Mr. Callahan said the group would “work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create.”
Legislators said they expected to pass “cleanup bills” to make any fixes to the law in the 18 months before it takes effect. Some privacy advocates are worried that lobbyists for business and technology groups will use that time to water it down.
Mr. Mactaggart said those concerns are “overblown.”
“Having gotten this right, it’ll be very hard to take it away,” he said, noting that the ballot measure had been polling at around 80 percent approval. “They can’t rewrite the law.”