A major privacy bill on the table in California on Thursday could reshape how Silicon Valley does business. If the bill becomes law, people living in the Golden State can tell companies to stop collecting or selling their personal data.
The state's Senate and Assembly are both scheduled to vote on the bill Thursday in an effort to get it on Gov. Jerry Brown's desk by the end of the day. The tight deadline comes courtesy of an even stricter voter initiative that will appear on California ballots this November if lawmakers can't get the bill through by 5 p.m. PT Thursday.
The bill — AB 375, or the California Consumer Privacy Act — turns the tech world's business model on its head by letting regular internet users ask for the data a company has collected on them and who they've sold it to. That alone could be eye-opening for consumers. Most people understand their online activity is being tracked for targeted advertising, but we don't have a broad understanding of what data is being used.
Consumers could ask for a detailed list under the this bill, which is sponsored by Assembly member Ed Chou and Sen. Robert Hertzberg, both Democrats. Couple that with the ability to say, "Hey, stop that" and we could be on the brink of a major shift in how internet companies do business.
The push to pass a California privacy law comes as data privacy scandals have brought the anger of lawmakers and regulators down on Silicon Valley. Facebook CEO Mark Zuckerberg faced questioning from US lawmakers as well as the European Parliament in the wake of revelations that personal information from 87 million Facebook users leaked to UK political consultancy Cambridge Analytica. That raised questions about how freely tech companies share user data with third parties.
A strange path to regulation
Silicon Valley hasn't been eager for new privacy regulations, but in a strange twist, tech companies aren't fighting this bill — and some are openly supporting it. That's likely because a ballot measure, cleared for a vote in California this fall, is even harder on tech companies collecting personal information. The initiative is more detailed in what it forces companies to disclose and demands higher fines for law breakers.
Tech giants Google, Microsoft, Amazon, Uber and Facebook, as well as internet service providers Comcast, Cox, Verizon and AT&T, had already started lining up against ballot initiative. Some donated to the Committee to Protect California Jobs, an independent expenditure committee that opposes to the ballot initiative.
The campaign to get the initiative on the ballot was funded by Bay Area real estate developer Alastair MacTaggart, who donated $1.6 million to the effort. The campaign didn't respond to a request for comment, but MacTaggart has told lawmakers he'll withdraw the initiative if Brown signs the bill into law Thursday. Thursday is the state's deadline for withdrawing a ballot measure.
The Committee to Protect California Jobs hasn't put out a statement regarding the bill before state lawmakers Thursday. The group didn't respond to a request for comment.
A Facebook official said in a statement that the company supported the bill.
"People should be in control of their information online and companies should be held to high standards in explaining what data they have and how they use it, especially when they sell data," said Will Castleberry, Facebook's vice president of state and local public policy, emphasizing that the company doesn't sell user data. "In that spirit, while not perfect, we support AB375 and look forward to working with policymakers on an approach that protects consumers and promotes responsible innovation."
Not quite the GDPR
The rights in the bill are similar to some sections of the European Union's new privacy law, the General Data Privacy Regulation, or GDPR, minus some important provisions. For one thing, it doesn't enact any new rules about notifying consumers of a data breach, which the GDPR does.
What's more, the GDPR created the possibility of enormous fines — potentially exceeding 40 million euros — for companies found in violation, and called for a dedicated authority to enforce the law in each EU member state. The bill on the table in California does neither of those things.
Damages paid to consumers top out at $750 per person in each instance where the law is violated, and the highest penalty per violation that can be levied against companies is $7,500.
The California attorney general would be in charge of deciding whether to pursue legal action against companies for violating the law. Individual consumers can still sue under the law even if the attorney general doesn't pursue the case.
That means there could be investigations from the Attorney General's Office, as well as proposed class actions filed by lawyers against tech giants, if consumers believe companies are violating the rights in the law.
Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.
Blockchain Decoded: CNET looks at the tech powering bitcoin — and soon, too, a myriad services that will change your life.