California's new data privacy law the toughest in the US

Facebook and Google, take note.

Laura Hautala Former Senior Writer

A major privacy bill signed into law in California on Thursday is poised to reshape how Silicon Valley does business. When the law goes into effect, companies will face the country's toughest privacy requirements, including stopping the collection and sale of personal data upon request from consumers. 

The bill flew through the California statehouse Thursday, with the state's Senate and Assembly each voting to pass it unanimously. Gov. Jerry Brown then signed it within a matter of hours. The rush to pass the bill comes courtesy of an even stricter voter initiative that would've appeared on California ballots this November if lawmakers hadn't gotten the bill through by 5 p.m. PT Thursday.

Tech companies like Google and Facebook were prepared to fight against the voter initiative, so far funded by one concerned and wealthy California resident, up until the election this fall. Thursday was the state's deadline for withdrawing a ballot measure for the November election.

Privacy advocates cheered the new law. Marc Rotenberg, executive director of the Electronic Privacy Information Center, said the law means privacy could become an issue that impacts the upcoming midterm elections. 

"This is a milestone moment for privacy law in the United States," Rotenberg said in a statement. "The California Privacy Act sends a powerful message that people care about privacy and that lawmakers will act."

The Internet Association, a lobbying group representing major tech companies including Facebook, Google, Uber, Amazon and Microsoft, said in a statement there wasn't enough public debate about the bill.

"It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California's consumers and businesses alike," the group said in a statement.

The bill -- AB 375, or the California Consumer Privacy Act -- turns the tech world's business model on its head by letting regular internet users ask for the data a company has collected on them and whom the data has been sold to. That alone could be eye-opening for consumers. Most people understand their online activity is being tracked for targeted advertising, but we don't have a broad understanding of what data's being used.

Consumers could ask for a detailed list under this bill, which is sponsored by Assembly member Ed Chau and Sen. Robert Hertzberg, both Democrats. Couple that with the ability to say, "Hey, stop that," and we could be on the brink of a major shift in how internet companies do business. The bill will take effect at the beginning of 2020, and the bill's sponsors say that in the meantime they'll work with the attorney general's office to develop a plan to enforce the law.

Sen. Bill Dodd, a Democrat from Napa, co-authored the bill and said Thursday that he was proud of the legislature's quick action to get it passed. He's especially happy with a provision that requires companies to get opt-in agreements to collect data on anyone younger than 16. 

The push to pass a California privacy law comes as data privacy scandals have brought the anger of lawmakers and regulators down on Silicon Valley. Facebook CEO Mark Zuckerberg faced questioning from US lawmakers as well as the European Parliament in the wake of revelations that personal information from 87 million Facebook users leaked to UK political consultancy Cambridge Analytica. Other privacy scandals, including the revelation last year that email organizing service Unroll.Me was collecting and selling user information, as well as news Wednesday of a leak of 340 million records from marketing firm Exactis, have shown just how easily user data can spread across the marketplace in ways consumers don't expect.

Questions about how new laws and regulations could better protect consumers from these kinds of situations emerged just as the European Union rolled out new privacy regulations for its citizens. The US doesn't have a similar law at the federal level. Not even the new California law matches the protections the EU put in place in May, but it does include some of the same rights.

Dodd said in a statement that the law puts California at the forefront of improving privacy rights in the US, adding, "My hope is other states will follow, ensuring privacy and safeguarding personal information in a way the federal government has so far been unwilling to do."

A strange path to regulation

Silicon Valley hasn't been eager for new privacy regulations, but in a strange twist, tech companies didn't fight this bill -- and some openly supported it. That's likely because a ballot measure, cleared for a vote in California this fall, would've been even harder on tech companies collecting personal information. The initiative was more detailed in what it forces companies to disclose, and it demanded higher fines for law breakers.

Tech giants Google, Microsoft, Amazon, Uber and Facebook, as well as internet service providers Comcast, Cox, Verizon and AT&T, had already started lining up against the ballot initiative. Some donated to the Committee to Protect California Jobs, an independent expenditure committee that opposes the ballot initiative.

The campaign to get the initiative on the ballot was funded by Bay Area real estate developer Alastair MacTaggart, who donated $1.6 million to the effort. MacTaggart said at a press conference after the bill's signing that the campaign spoke with several experts, including people from the ACLU, Electronic Frontier Foundation and UC Berkeley, in developing the ballot measure. He also said his campaign had been ready to support the ballot measure through the November election if necessary.

The Committee to Protect California Jobs declined to comment on the law passed Thursday. 

Before Thursday's votes, a Facebook official said in a statement that the company supported the bill.

"People should be in control of their information online and companies should be held to high standards in explaining what data they have and how they use it, especially when they sell data," said Will Castleberry, Facebook's vice president of state and local public policy, who emphasized that the company doesn't sell user data. "In that spirit, while not perfect, we support AB375 and look forward to working with policymakers on an approach that protects consumers and promotes responsible innovation."

After the vote, tech industry lobbying group TechNet offered a more tentative level of support for the bill. The group also counts Google, Facebook, Uber, Amazon and Microsoft among its members. "While this law adds a significant new layer of privacy protections for California consumers, even its authors have acknowledged it is far from perfect and will need revisions in the months ahead as its consequences and workability are better understood," said Linda Moore, president and CEO of TechNet, in a statement.

Not quite the GDPR

The rights in the new law are similar to some sections of the European Union's new privacy law, the General Data Privacy Regulation, or GDPR, minus some important provisions. For one thing, it doesn't enact a set deadline for notifying consumers of a data breach, which the GDPR does.

What's more, the GDPR creates the possibility of enormous fines -- potentially exceeding 40 million euros ($46.26 million) -- for companies found in violation, and calls for a dedicated authority to enforce the law in each EU member state. The law passed in California does neither of those things.

Damages paid to consumers top out at $750 per person in each instance where the law is violated, and the highest penalty per violation that can be levied against companies is $7,500.

The California attorney general would be in charge of deciding whether to pursue legal action against companies for violating the law. Individual consumers can still sue under the law even if the attorney general doesn't pursue the case.

That means there could be investigations from the attorney general's office, as well as proposed class actions filed by lawyers against tech giants, if consumers believe companies are violating the rights in the law.

At the press conference after the bill's signing, MacTaggart said California's new law was only the beginning. "I feel like we have made a great stride forward for the country," he said. "If it happened here, it will happen in the rest of the country."

First published June 28 at 5:30 a.m. PT
Updates, 1:00 p.m.: Adds information about the bill passing the California Senate and Assembly; 3:10 p.m.: Adds information about Gov. Brown signing the bill into law.
Update, June 29 at 1:57 p.m.: Adds statement from TechNet.

Correction, June 29 at 8:55 a.m. PT:  This story originally misspelled the name of California State Assembly member Ed Chau.
