California’s consumer privacy law is expected to have a significant impact on companies that deal in personal data — and especially those operating in the digital space. The California Consumer Privacy Act, A.B. 375, affords California residents an array of new rights, starting with the right to be informed about what kinds of personal data companies have collected and why it was collected.
The law stipulates that consumers have the right to request the deletion of their personal information, opt out of the sale of personal information, and access the personal information in a “readily useable format” that enables its transfer to third parties without hindrance.
The law’s requirements could threaten established business models far beyond California and throughout the digital sector.
Much of the political impetus behind the law’s passage came from some major privacy scandals that have come to light in recent months, including the Cambridge Analytica incident involving Facebook user data. This and other news drove public support for a privacy ballot initiative that would have instituted an even stricter data protection regime on companies that deal in consumer data if the state’s residents voted to pass it in November. But after intense negotiation, especially from leading internet companies and internet service providers, the backers of the ballot initiative agreed to drop the initiative and instead support the passage of the law.
The bill gives consumers the right to have their personal data deleted; the right to know the commercial purpose for collecting their data; and the categories of sources from which the data are collected. It also prohibits a business from selling the personal data of anybody under the age of 16 unless that child agrees.
The bill gives companies the ability to offer discounts to customers who allow their data to be sold and charge those who opt out a reasonable amount based on how much the company makes selling the information.
Lawmakers say they will likely make alterations to improve the policy before it takes effect. Some privacy advocates are worried that lobbyists for business and technology groups will use that time to water it down.
TechNet, a technology lobbying group, urged lawmakers to improve the law before it takes effect “so it provides meaningful privacy protections for Californians while also allowing all the benefits and opportunities consumers expect from U.S. technology to continue.”
Policymakers around the country looking at what California has done on this issue should understand that the California Legislature’s work is far from finished and that this law remains a work in progress.
The California law is not as expansive as Europe’s General Data Protection Regulation, or G.D.P.R., a new set of laws restricting how tech companies collect, store and use personal data.
Google, Facebook, Verizon, Comcast and AT&T each contributed $200,000 to a committee opposing the proposed ballot measure, and lobbyists had estimated that businesses would spend $100 million to campaign against it before the November election.