The California Consumer Privacy Act of 2018 could have sweeping ramifications for tech companies when it takes effect in 2020.
“It’s a landmark development that everyone is still absorbing,” says David Keating, a partner at the Atlanta, Georgia-based law firm Alston & Bird who focuses on privacy, security and technology. “It remains to be seen whether the statute will work as drafted, but it’s certainly going to create some challenges and potentially impact innovation for companies.”
California lawmakers on Thursday passed the California Consumer Privacy Act of 2018, known as AB 375, a bill unanimously approved by the State Senate and Assembly and signed by Gov. Jerry Brown that gives residents of the state more control over the data businesses gather on them and imposes new penalties on businesses that don’t comply.
Among the rights granted to consumers: the right for individual consumers to request the information businesses have collected on them, the right for people to object to having their data sold, the right to receive their data in a portable format, and the right to ask businesses to delete their personal data.
Over the next 18 months, many tech companies — including Facebook (FB), Google (GOOG, GOOGL) and Apple (AAPL) — will have to work towards establishing protocols that meet all of AB 375’s requirements, many of which are a first for the U.S. but in some ways mirror the more expansive GDPR, or General Data Protection Regulation, which went into effect in the European Union in late May. Companies such as Facebook and Google already allow users to access and download copies of their information. But fewer companies allow their users the “right to opt out” of having their data sold to third parties.
Keating contends that since companies like Facebook and Google already worked towards meeting GDPR requirements, they may not have to start from square one with AB 375.
Imperfections in the law
Still, even privacy advocates contend AB 375 isn’t without its shortcomings. The bill, which was first introduced over a week ago, was fast-tracked through the State Assembly and Senate as a sort of Hail Mary effort to defeat another privacy-focused ballot initiative, and it shows. Some language remains overly broad, and the law includes loopholes that enable companies to charge consumers higher prices if they’ve opted out of getting their data sold, for instance.
“While today’s law marks some improvements to an overly vague and broad ballot measure, it came together under extreme time pressure, and imposes sweeping novel obligations on thousands of large and small businesses around the world, across every industry,” Katherine Williams, a spokesperson for Google, told Yahoo Finance in a statement. “We appreciate that California legislators recognize these issues and we look forward to improvements to address the many unintended consequences of the law.”
Facebook expressed similar sentiments, while also reiterating it’s not in the business of actually selling people’s data.
“People should be in control of their information online and companies should be held to high standards in explaining what data they have and how they use it, especially when they sell data,” Facebook VP of State and Local Public Policy Will Castleberry told Yahoo Finance in a statement. “We are committed to being clear with people about how our services work, including the fact that we do not sell people’s data. In that spirit, while not perfect, we support AB 375 and look forward to working with policymakers on an approach that protects consumers and promotes responsible innovation.”
The social network faced intense scrutiny this spring, when revelations surfaced in mid-March that Cambridge Analytica, a now-defunct political consultancy, had harvested the Facebook data of up to 87 million users. The ensuing controversy ignited data privacy concerns on Capitol Hill, which summoned Facebook CEO Mark Zuckerberg to testify. That controversy may have helped pave the way for AB 375 just three months later.