California is hurtling toward the adoption of a new online privacy law that would govern how tech giants like Amazon, Facebook, Google and Uber collect and monetize consumers' personal data – a set of changes that could ripple throughout the country.
And the proposal comes with some teeth: California’s attorney general would be empowered to fine companies that fail to secure consumers' sensitive details against cyber threats.
If it passes, California’s proposed privacy rules would apply to only its citizens. But it still could force companies like Facebook and Google to change some of their practices across the country, given the difficulty in maintaining two sets of privacy protections – one in California, the most populous state in the country, and a second for everyone else. Many tech giants in Silicon Valley took precisely that approach in May, adapting their data-collection practices worldwide when Europe began implementing its own strict privacy rules.
California’s new regulations also could add to the pressure on other regulators, including federal lawmakers in Congress, to follow suit and adopt fresh data-collection protections, responding to web users who have grown furious with a series of recent privacy mishaps, particularly at Facebook.
"These corporations make billions of dollars selling people's privacy without people having any visibility into what they're doing," said Alastair Mactaggart, a real-estate developer and driving force behind California’s new privacy push.
State policymakers have moved at an unprecedented pace to introduce, tweak and advance the bill -- all in a matter of days -- as they seek to avoid a November ballot initiative spearheaded by Mactaggart that would impose even tougher privacy rules on the tech industry. It would have allowed local consumers, for example, to sue companies in almost any case where their privacy or security had been compromised.
The ballot initiative had garnered more than 600,000 signatures, almost double what it needed to qualify for consideration in the upcoming election. But Mactaggart announced this week he would withdraw his measure if lawmakers passed a compromise bill by California’s June 28 deadline for finalizing ballot propositions, setting up a last-minute blitz in the state’s Assembly and Senate after years of slow progress on privacy reform.
Major technology companies like Amazon, Facebook, Google and Twitter had strongly opposed the ballot measure, chiefly through their lobbying group, the Internet Association. Tech giants like Facebook, Google, Microsoft and Uber, and Internet providers like AT&T and Verizon, also donated $200,000 each to a California coalition assembled in March to defeat it, according to local campaign finance records, though Facebook has maintained it is not actively fighting the ballot initiative.
Two of those companies, Facebook and Uber, have been the subjects of recent federal investigations into their privacy and data security practices. AT&T and Verizon, meanwhile, lobbied last year to defeat federal rules governing the way they handle customers' web-browsing information.
But some tech companies have come to stomach the compromise bill now advancing in the legislature, believing that even if it does become law they can train their political firepower on trying to change it before it takes effect on Jan. 1, 2020. Robert Callahan, the vice president of state government affairs at the Internet Association, said the group opposes “many problematic provisions” in the bill and the “unprecedented lack of debate or full legislative process.” But he stressed that the “Internet industry will not obstruct or block [the measure] from moving forward, because it prevents the even worse ballot initiative from becoming law in California.”
In the past, California’s regulations have spurred other states – and even the federal government – to adopt laws in areas as wide ranging as email spam and climate change. This time, privacy experts hope Congress steps in to do the same in response to major privacy mishaps, including Facebook’s entanglement with Cambridge Analytica, a political consultancy that improperly accessed personal data on roughly 87 million of the site’s users.
"We haven't done much since [Mark] Zuckerberg's hearing," Rep. Ro Khanna, a Democrat who represents a slice of Silicon Valley in Congress, said this week about the Facebook executive's appearance on Capitol Hill in April, which was prompted by the Cambridge Analytica scandal. "The people are looking to Congress and saying, we need you to act."
For some, like Facebook, the California bill might not actually result in major revisions to its business practices. The social giant maintains it doesn’t sell data, though it does allow advertisers to tailor their campaigns on the site to narrow categories of users, which isn’t prohibited by California’s proposed law.
“People should be in control of their information online and companies should be held to high standards in explaining what data they have and how they use it, especially when they sell data,” Will Castleberry, the vice president of state and local public policy at Facebook said in a statement. He said Facebook supports the bill, “while not perfect,” and would work with “policymakers on an approach that protects consumers and promotes responsible innovation.”
If California’s bill does not pass, however, Mactaggart has promised to forge ahead with his ballot initiative – setting up another high-stakes showdown come November. He also warned companies against trying to weaken those privacy protections in the future. “If they totally screw us, we’ll do this again; I’ll do this again,” he said.