The world’s fifth largest economy, the state of California, will soon enforce strict new electronic privacy laws that give consumers vastly increased authority over the collection and use of their personal information.
Starting January 1, California’s Consumer Privacy Act (CCPA), AB 375 of 2018, will require all state for-profit businesses to disclose to consumers upon request the specific pieces of their personal information they collect and the sources of that information. Consumers can also require companies to delete personal information, refrain from selling it, and pursue legal action if businesses fail to comply.
“Many businesses collect personal information from California consumers,” the law states. “They may know where a consumer lives and how many children a consumer has, how fast a consumer drives, a consumer’s personality, sleep habits, biometric and health information, financial information, precise geolocation information, and social networks, to name a few categories.”
As the start date for the law looms, tech giants like Google (GOOG, GOOGL), Amazon (AMZN), Facebook (FB), Microsoft (MSFT), Uber (UBER), and Lyft (LYFT) are working to help push through amendments they say will make the law fairer to businesses.
America’s version of Europe’s data-privacy law
Absent federal regulation, California is the first government in the U.S. to regulate how businesses retain and use electronic consumer data. Some see the legislation as a cousin to the European Union’s GDPR, enacted last year to give the EU enforcement power to fine companies that violate its consumer privacy protections. The European regulatory body has already slapped Google with a $57 million fine for failing to disclose data collection tactics to consumers.
California’s law has drawn opposition from the world’s most powerful technology companies, including members of the Internet Association, many of which enjoy revenue streams dependent on amassing user data.
“Internet companies support an economy-wide, federal privacy law that provides all Americans with meaningful transparency and full control over how the data they provide to companies across all industries is collected, shared, and protected,” Kevin McKinley, Internet Association director for California Government Affairs, told Yahoo Finance. “The CCPA has many flaws that resulted from the abbreviated legislative process last year.”
McKinley said the group has no objection to the major tenets of CCPA, but that in an attempt to rush the law through before the end of last year’s legislative session, the California legislature failed to tailor it in a way that ensures businesses can efficiently comply. That, he said, prompted at least eight proposed amendments currently under consideration.
One, for example, aims to exclude employees from CCPA’s definition of “consumers.” Businesses say the change is necessary so they do not risk breaking the law by collecting personal information from employees, contractors, agents, and job applicants. Another would allow businesses to collect and maintain certain user data on people who voluntarily agree to such use in exchange for participation in loyalty or rewards programs. The amendment bills also include an effort to redefine “publicly available” information as information lawfully made available from federal, state, or local records.
“The internet industry is encouraged by the California Legislature’s effort to address the workability of the law through very narrow and targeted measures. It is critical to ensure this historic law provides Californians with strong privacy protections and is workable for businesses looking to comply,” McKinley said.
Big implications for tech and media companies
With or without adoption of the proposed amendments, AB 375 will have major implications for technology and media companies, which will extend beyond the state’s borders.
The law acknowledges California’s generally slow reaction to aggressive data collection and misuse, and without naming Facebook, alludes to the company’s decision to share user data with third-party U.K. data mining firm Cambridge Analytica. Along with Silicon Valley-based Facebook and other major technology companies, AT&T (T), Verizon (VZ) and Cox Communications joined a lobbying effort against the law.
Assembly member Ed Chau and his co-authors said in a June 28, 2018, press release, “AB 375 responds to the recent data breaches that have affected millions of people — those experienced by Target, Equifax, Cambridge Analytica, and many more.”
As written, personal information protected by CCPA includes search and browsing history, geolocation data, IP addresses, email addresses, purchase records, records on consumption histories and tendencies, professional and employment information, educational information, and audio, visual and thermal information. Fines of $7,500 per violation may be assessed for companies that fail to cure alleged violations within 30 days.
As efforts to pass federal privacy legislation in Congress have languished, states have stepped up their pace. According to the National Law Review, five other states — Hawaii, Maryland, Massachusetts, Mississippi, and New Mexico — have introduced CCPA-like privacy bills as of March 2019. Another three states — New York, North Dakota and Washington — have put forth consumer privacy bills to protect personal data.
A federal bill introduced in the Senate in December, The Data Act of 2018, remains in committee. As proposed, among other protections, the legislation would prevent “online service providers” from using individual identifying data in any way that would benefit the online service provider to the detriment of an end user.
Note: Verizon Media is the parent company of Yahoo Finance.
Alexis Keenan is a New York-based reporter for Yahoo Finance. She previously produced and reported for CNN and is a former litigation attorney. Follow on Twitter @alexiskweed.