California has passed one of the toughest data privacy laws in the United States designed to significantly change how businesses handle user data in the state. The California Consumer Privacy Act of 2018 comes after the General Data Protection Regulation (GDPR) went live in Europe attracting much-needed attention to user privacy and data protection policies around the world.
In a historic move, the populous state passed the bill unanimously, setting an important precedent for the rest of the country. The bill will take effect on January 1, 2020, and the relevant stakeholders are expected to fine-tune the legislation's details by that time. Under the current laws, if user data has been leaked or stolen as a result of a company's lack of proper security procedures, it could be penalized up to $750 per consumer per incident.
"Today the California Legislature made history by passing the most comprehensive privacy law in the country," state senator Robert Hertzberg said. "We in California are continuing to push the envelope on technology and privacy issues by enacting robust consumer protections - without stifling innovation."
California privacy bill sounds similar to GDPR, but not as strict
The so-called California Consumer Privacy Act 2018 appears to be similar to Europe's GDPR. However, considering the millions of dollars that the broadband and tech companies in the US pour into lobbying, it is unlikely to be as strict.
"California is one of the world’s leaders in the development of new technologies and related industries," the bill reads. "Yet the proliferation of personal information has limited Californians’ ability to properly protect and safeguard their privacy. It is almost impossible to apply for a job, raise a child, drive a car, or make an appointment without sharing personal information."
People desire privacy and more control over their information. California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information. It is possible for businesses both to respect consumers’ privacy and provide a high level transparency to their business practices.
The bill will require businesses, small and large, to disclose to users what kind of data they are collecting and storing on them, ability to get that deleted, details if the business has sold that data to third party companies, and other similar requirements.
Some of the highlights include (emphasis is ours):
- The right of Californians to know what personal information is being collected about them.
- The right of Californians to know whether their personal information is sold or disclosed and to whom.
- The right of Californians to say no to the sale of personal information.
- The right of Californians to access their personal information.
- The right of Californians to equal service and price, even if they exercise their privacy rights.
The last one is particularly important because right now it's more like a "my way or the highway," where users are railroaded into giving their consent to be able to use a certain product, service or feature.
According to reports, some of the big players like AT&T, Amazon, Google, and Uber spent millions of dollars to block the ballot measure in the state that was proposing even stronger privacy rules. The last-minute bill was passed to defeat the stricter ballot initiative, as the group behind it had said it would withdraw if the bill passed since the legislation is close enough and gives the industry time to make their own changes.
"The senate can vote on amendments and the special interests can lobby on these amendments,” Ashkan Soltani, former chief technology officer of the Federal Trade Commission told Wired. “The reason why we haven’t been able to do anything in privacy for 20 years is because the special interests are so powerful.”
Gov. Jerry Brown has signed the bill into law after it passed both the chambers unanimously.