California’s new Consumer Privacy Act gives consumers the nation’s strongest protections for their personal data, backers contend.
But business interests, including the California Chamber of Commerce, and tech associations call the law a “serious threat to the economy” that will result in a barrage of class-action lawsuits without providing benefits to consumers.
“It does everything the initiative would have done. I have essentially no complaints.” — Alastair Mactaggart
The new law, which was approved by Gov. Jerry Brown in June and goes into effect in 2020, gives consumers the right to access their personal information collected by big businesses. It gives them the right to delete it, the right to know what information is being sold and the right to stop businesses from selling their information. It also prohibits businesses from selling the personal information of youth under 16 unless they opt in.
The law was approved at the eleventh hour to stop a similar initiative from going to voters in November. The California Chamber of Commerce said it preferred the law to the initiative because it could be amended through the legislative process, while an initiative would be difficult to change.
Alastair Mactaggart, the San Francisco housing developer who spearheaded the initiative, said he is pleased with the law. “It does everything the initiative would have done,” he said. “I have essentially no complaints.”
He denied that the new law will prompt a flood of lawsuits, and he said businesses should be easily able to comply with its requirements.
The law only applies to businesses that meet at least one of three criteria: generate annual gross revenues of $25 million or more, collect the personal information of at least 50,000 consumers or derive 50 percent or more of their annual revenue from selling consumers’ personal information.
“If people just understood how much we knew about them, they’d be really worried.” — Google engineer
Those businesses must provide a link on their internet homepages that is clear and conspicuous titled “Do Not Sell My Personal Information.” They must wait at least 12 months to ask consumers who choose that option to authorize the sale of their personal information.
The businesses may offer financial incentives to consumers to collect their information, and they may charge higher prices to those who opt out of having their information sold if the cost is directly related to the value of the consumers’ data.
Mactaggart believes that if businesses do try to charge higher prices to consumers who don’t want their data sold, they will find a revolt on their hands.
The developer became interested in consumer privacy a few years ago when he asked an engineer working for Google how much people should be worried about the use of their personal data.
“His reply was chilling: ‘If people just understood how much we knew about them, they’d be really worried,’” Mactaggart wrote on the initiative’s website.
The situation now is that businesses know how many children you have, what church you attend, what purchasing habits you have and much more. “It’s almost like having a surveillance camera over your shoulder 24/7,” said Assemblyman Ed Chau, D-Monterey, who co-authored the law.
“All of the sudden, the issue of privacy became front and center.” — Ed Chau
The law gives consumers the right to sue businesses for data breaches only. The state attorney general will enforce other provisions of the law.
Chau said he took up the issue because he has always believed consumers should be given control over their own data. He started to work on a privacy bill but faced strong opposition from AT&T, Comcast, Verizon and other companies. The tide turned in March after news broke about how Cambridge Analytica, a political firm hired by President Trump’s campaign, wrongly gained access to private information of tens of millions of Facebook users.
“All of the sudden, the issue of privacy became front and center,” Chau said.
Mactaggart said the new statute is the first time where a violation of privacy is considered a harm in the law. In the past, he said people who had privacy violations had to prove their damages and show, as an example, that the loss of their data from Equifax, caused certain damages. “It was impossible,” he said. “No one ever did.”
With this new law, the violation is the harm. “It’s like a speeding ticket,” he said. “It doesn’t matter why you were doing it. You’re speeding. No excuses. That’s what it’s going to be like here.”
At the same time, Mactaggart said that he knows the law will face a fight. “I am a realist,” he said. “I understand tech’s job is to weaken the heck out of this all next year. Our job is to mobilize forces to make sure they don’t weaken it too much.”