California legislators on Thursday adopted sweeping new rules that restrict the data-harvesting practices of Amazon.com, Facebook, Google and Uber, a move that soon could spur other states, and even Congress, to take aim at the tech industry.
The California Consumer Privacy Act is one of the toughest U.S. regulations targeting Silicon Valley, where recent privacy mishaps — many involving Facebook — have left consumers clamoring for greater protections online. The proposal would require tech giants to disclose the kind of data they collect about consumers, and it would allow Web users to opt out of having their information sold to third parties, including advertisers.
The new privacy rules would apply only to residents in the Golden State, and they would not take effect until 2020, opening the door for corporate critics such as AT&T, Comcast, Facebook and Google to resume lobbying aggressively to revise it over the next year. The governor has yet to sign the measure.
Going forward, though, California’s privacy protections could force tech companies to change their business practices nationwide, rather than maintaining two systems: one in California, the country’s most populous state; and another for everyone else. Apple, Facebook and Google took a similar approach in May after European regulators began implementing new privacy rules, known as General Data Protection Regulation, or GDPR.
“I think it’s going to set the standard across the country that legislatures across the country will look to adopt in their own states,” state Sen. Bob Hertzberg (D), one of the law’s authors, said before it passed Thursday.
Under the new rules, California’s attorney general would play a starring role monitoring Silicon Valley’s privacy practices — and bringing cases, along with potential fines, when a company such as Amazon or Microsoft fails to honor consumers’ privacy choices or safeguard their data from cybercriminals. (Amazon chief executive Jeffrey P. Bezos owns The Washington Post.) To that end, Hertzberg said that the state’s attorney general would soon become “the chief privacy officer of the United States.”
Legislators raced at unprecedented speed — less than a week — to introduce, amend and pass their new privacy law to head off a ballot proposition slated to come before California voters this November. The initiative spearheaded by local real estate developer Alastair Mactaggart would have been tougher on the tech industry, even opening the door for consumers to sue if their data had been misused. But Mactaggart agreed over the weekend to withdraw it if lawmakers passed a bill, and the governor signed it, by Thursday, the deadline to finalize ballot measures.
Throughout the process, tech giants such as Facebook, Google and Uber had expressed opposition to the measure, even donating to a coalition that sought to undermine it. Reluctantly, though, they came to accept the compromise bill. The Internet Association, a group that represents companies such as Amazon, Facebook, Google and Uber, said ahead of the vote that it would not “obstruct or block” the legislative proposal but would work to “correct the inevitable, negative policy and compliance ramifications this last-minute deal will create.”
If the rules don’t change, they will grant consumer new rights that include the ability to see the kinds of sources from which companies collect data about them. The law would also put in place new protections for teenagers: Businesses could not sell personal data from Web users younger than 16.
But there are many elements of the bill that privacy advocates, and even the measure’s supporters, see as potential trouble spots. For example, California’s new rules would prevent tech companies from offering consumers a lower level of service if they chose to opt out of having their data sold to third parties. Yet a tech company or an Internet service provider, such as AT&T or Comcast, could charge a higher fee for consumers who chose to limit sharing of their personal data — though only equal to the “value provided by the consumer’s data,” the rules stipulate.
“I believe this path to pay for privacy is a dangerous and slippery slope,” said state Sen. Hannah-Beth Jackson (D), even as she supported it.
James Steyer, the founder of Common Sense Media and one of the proposal’s chief backers, acknowledged that the bill isn’t “perfect.” But on Thursday he said advocates would look to refine it over the coming year while “working all around the United States” trying to pass similar, model legislation. The goal, he said, is to prod Congress “to get their act together.”
In the nation’s capital — where lawmakers have failed for decades to advance an overarching federal privacy law — some members of Congress expressed hope that California would force their hand.
“My hope is just that it will initiate a real conversation that gets us to adopting some principles by November,” said Rep. Ro Khanna (D-Calif.), who represents a slice of Silicon Valley. He said lawmakers had been “derelict in our duty” on privacy issues.