California legislators on Thursday adopted sweeping new rules that restrict the data-harvesting practices of Amazon.com, Facebook, Google and Uber, a move that soon could spur other states and Congress to take aim at the tech industry.
The California Consumer Privacy Act is one of the toughest U.S. regulations targeting Silicon Valley, where recent privacy mishaps — many involving Facebook — have left consumers clamoring for greater protections online. The law requires tech giants to disclose the kind of data they collect about consumers and allows Web users to opt out of having their information sold to third parties, including advertisers.
The new privacy rules, which are slated to come into effect in 2020, apply only to residents in the Golden State. That leaves time for corporate critics such as AT&T, Comcast, Facebook and Google to resume lobbying aggressively to revise it over the next year.
Going forward, though, California’s privacy protections could force tech companies to change their business practices nationwide, rather than maintaining two systems: one in California, and another for everyone else. Apple, Facebook and Google took a similar approach in May after European regulators began implementing new privacy rules, known as General Data Protection Regulation, or GDPR.
“I think it’s going to set the standard across the country that legislatures across the country will look to adopt in their own states,” state Sen. Bob Hertzberg (D), one of the law’s authors, said before it passed Thursday.
Under the new rules, California’s attorney general will play a starring role monitoring Silicon Valley’s privacy practices — and bringing cases, along with potential fines, when a company such as Amazon or Microsoft fails to honor consumers' privacy choices or safeguard their data from cybercriminals. (Amazon chief executive Jeffrey P. Bezos owns The Washington Post.) To that end, Hertzberg said that the state’s attorney general would soon become “the chief privacy officer of the United States.”
Legislators raced at unprecedented speed — less than a week — to introduce, amend and pass their new privacy law to head off a ballot proposition slated to come before California voters this November. The initiative spearheaded by local real estate developer Alastair Mactaggart would have been tougher on the tech industry, even opening the door for consumers to sue if their data had been misused. But Mactaggart agreed over the weekend to withdraw it if lawmakers passed a bill, and the governor signed it by Thursday, the deadline to finalize ballot measures.
Throughout the process, tech giants such as Facebook, Google and Uber had expressed opposition to the measure, even donating to a coalition that sought to undermine it. Reluctantly, though, they came to accept the compromise bill. The Internet Association, a group that represents companies such as Amazon, Facebook, Google and Uber, said ahead of the vote that it would not “obstruct or block” the legislative proposal but would work to “correct the inevitable, negative policy and compliance ramifications this last-minute deal will create.”
If the rules don’t change, they will grant consumers new rights that include the ability to see the kinds of sources from which companies collect data about them. Businesses could not sell personal data from Web users younger than 16.
But there are many elements of the new law that privacy advocates see as potential trouble spots. For example, California’s rules would prevent tech companies from offering consumers a lower level of service if they chose to opt out of having their data sold to third parties. Yet a tech company or an Internet service provider, such as AT&T or Comcast, could charge a higher fee for consumers who chose to limit sharing of their personal data — though only equal to the "value provided by the consumer’s data,” the rules stipulate.
“I believe this path to pay for privacy is a dangerous and slippery slope,” said state Sen. Hannah-Beth Jackson (D), even though she supported it.
James Steyer, the founder of Common Sense Media and one of the proposal’s chief backers, acknowledged that the bill isn’t “perfect.” But on Thursday he said advocates would look to refine it over the coming year while “working all around the United States” trying to pass similar, model legislation. The goal, he said, is to prod Congress “to get their act together.”
In the nation’s capital — where lawmakers have failed for decades to advance an overarching federal privacy law — some members of Congress expressed hope that California would force their hand.
“My hope is just that it will initiate a real conversation that gets us to adopting some principles by November,” said Rep. Ro Khanna (D-Calif.), who represents a slice of Silicon Valley. He said lawmakers had been “derelict in our duty” on privacy issues.