Privacy law —

California approves privacy rules opposed by ISPs and tech companies

Law will give people some control over collection and sale of private data.

Illustration of a lock and keyhole surrounded by data bits.

California is imposing a privacy law giving consumers more control over how their personal data is collected, used, and sold by corporations. Broadband providers, tech companies, and advertising groups had been fighting against a ballot initiative that contained consumer protections similar to what's in the new law.

The California Consumer Privacy Act of 2018 was approved unanimously by the state Senate and Assembly today and was signed by Gov. Jerry Brown.

A legislative bill summary says the law will give Californians "the right to know what PI [personal information] is being collected about them and whether their PI is being sold and to whom; the right to access their PI; the right to delete PI collected from them; the right to opt-out or opt-in to the sale of their PI, depending on age of the consumer; and the right to equal service and price, even if they exercise such rights."

The bill is set to take effect on January 1, 2020. Businesses could be penalized up to $7,500 for each violation.

Personal information is defined as anything that is "capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." This includes Internet browsing and search history, biometric data, geolocation data, job and education information, and various types of identifiers such as names, aliases, postal addresses, Internet Protocol addresses, email addresses, account names, Social Security number, driver's license numbers, and passport numbers.

Anything that is otherwise publicly available would not be protected by the law.

Consumers would have the right to request all the data collected about them from a business up to twice a year, and businesses would be required to disclose the information free of charge. Consumers would have "the right to request that a business delete any PI about the consumer which the business has collected from the consumer."

Businesses that sell consumers' personal information to third parties would have to let people opt out of those sales at any time. The rule is stricter for children, as businesses would not be allowed to sell personal information related to people under the age of 16 unless they receive an "opt-in" from the child or child's parent or guardian. The parent or guardian's consent would be needed for children under the age of 13.

Businesses would also be prohibited "from discriminating against a consumer because the consumer exercised any of the consumer's rights under this bill, such as by charging different prices or rates, or providing a different level or quality of goods or services."

"Google executives have warned that the measure could have unintended consequences but have not said what those might be," Reuters wrote. "The Internet Association, which also represents Facebook and Amazon, has also opposed the bill, as have the California Chamber of Commerce and the Association of National Advertisers."

Law spurred by ballot question

The law was spurred by an ongoing ballot initiative that was on track to hit the state ballot in November.

Ballot question sponsor Alastair Mactaggart agreed to pull the question if the state passes the bill by June 28, the last day in which the question could be pulled from the ballot.

"This legislation, like the initiative, would provide simple, powerful rights to Californians: tell me what you know about me. Stop selling it. Keep it safe," Mactaggart, a real estate developer and privacy activist, said last week. "We are content either way, as we feel that both the legislative solution and our initiative, provide tremendously increased privacy rights to Californians."

The ballot question was opposed by Amazon, Facebook, Google, Microsoft, Uber, Comcast, AT&T, Cox, Verizon, and several advertising lobby groups, all of whom donated to a campaign against the initiative.

ISPs successfully lobbied Congress to prevent implementation of broadband privacy rules last year. At the time, ISPs argued that they shouldn't have to face different rules than Google and Facebook. But they opposed the California rules even though they apply equally to ISPs and other tech companies.

"State-specific laws will stifle American innovation and confuse consumers," said CTIA, the mobile broadband industry's lobby group, according to Reuters.

There are some differences between the ballot question and the bill, The Mercury News explained today:

The bill differs from the initiative in the way that companies would be held accountable for breaches to address an industry concern. The ballot measure exposed companies to litigation regardless of the state attorney general's action. The bill would allow the attorney general to levy fines for data breaches, after which consumers could then sue over them.

The bill also adds provisions that go beyond the ballot measure, like requiring parental consent for companies to sell data on children younger than 16. And it would include provisions of Europe's privacy laws such as consumers' right to compel companies to delete all their private data.

Mactaggart said in an interview last week that "they both accomplish the same goals broadly."

Legislators preferred enacting the bill themselves because it allows them to make changes later without another statewide ballot question. This "mak[es] it easier to tweak the law to fix unintended consequences," The Mercury News wrote.

Channel Ars Technica