California lawmakers on Thursday passed the California Consumer Privacy Act of 2018, one of the toughest U.S. laws governing data privacy. The legislation specifically targets information companies, including Google, Facebook, Amazon, and AT&T–many of whom are headquartered in California.
The law also sets the stage for a national debate regarding digital privacy and whether consumers have the right to restrict the use of their personal data online.
Under the new law, consumers have the right to know what personal data information companies are collecting about them, why the companies are collecting the data, and with whom they are sharing it. Consumers also have the right to tell information companies to delete their data, as well as to not sell or share their information. The legislation requires businesses to give consumers who opt out of sharing or selling data the same quality of service. And it also provides stricter regulations on sharing or selling data from children under the age of 16.
This new legislation, along with the European Union’s General Data Protection Regulation, pushes the national debate on digital privacy forward.
“Well, between the Europeans and California, we’re starting to move towards having a universal privacy bill of rights, and I just think it’s going to create a precedent that ultimately is going to be a national standard,” said Sen. Ed Markey, D-Mass., to Axios on Thursday.
The bill raced through the state legislature due to pressure from an even stronger ballot measure up for a vote this November. It quickly passed without opposition and was signed into law by Gov. Jerry Brown mere hours before the deadline to pull the stricter measure from the November ballot.
Big industry players including Amazon and AT&T–which were strongly opposed to the ballot measure–voiced less opposition to the bill approved on Thursday.
The legislation, which doesn’t go into effect until January 2020, also gives consumers greater abilities to sue companies after a data breach. Additionally, it empowers the state’s attorney general to fine companies who don’t comply with new regulations.
Since the law doesn’t go into effect for a year and a half, lawmakers have time to work with the tech industry and digital privacy activists to revise the legislation and hammer out more details about its implementation–seemingly a good thing, since both industry groups and privacy activists have their own issues with the legislation.
“[This law] imposes sweeping novel obligations on thousands of large and small businesses around the world, across every industry,” said Google spokesperson Katherine Williams in a statement. “We appreciate that California legislators recognize these issues and we look forward to improvements to address the many unintended consequences of the law.”.
The American Civil Liberties Union (ACLU) also voiced its reservations about the impact of the legislation.
“This measure was hastily drafted and needs to be fixed,” the ACLU’s Nicole Ozer said in a statement. “Effective privacy protections must be included that actually protect against rampant misuse of personal information, make sure that companies cannot retaliate against Californians who exercise their privacy rights, and ensure that Californians can actually enforce their personal privacy rights.”
Facebook, which has been caught up in a months-long data privacy scandal, expressed support for the new law.
“While not perfect, we support (the law) and look forward to working with policymakers on an approach that protects consumers and promotes responsible innovation,” Will Castleberry, Facebook’s vice president of state and local public policy, said in a statement.