California has passed, and Governor Jerry Brown has signed, a privacy bill that established a consumer right of privacy, though one based on disclosure and the right to opt out of data collection or third-party sharing, and to have their data deleted if they chose.
Related: California Tees Up Privacy Bill
Privacy purists prefer that businesses be required to get opt-in consent before collection of sharing, but tech and internet groups were raising concerns, so the bill clearly had some teeth, if not as sharp as some privacy groups would have liked.
The bill does not go into effect until 2020, the Internet Association pointed out.
The California Data Privacy Protection Act was introduced by by a pair of Democrats--Sens. Robert Hertzberg and Assembly member Ed Chau--and pushed by Common Sense Media with en eye toward protecting kids info online.
In the mode of a consumer "bill of rights" for privacy, the legislation includes the rights 1) to know what data is being collected, the right to opt out of the data collection, and the right to delete all their private data--akin to the "eraser button" that Sen. Ed Markey (D-Mass.) has long advocated for in national legislation, though he favors an "opt in" approach to allowing data collection, rather than the other way around.
The bill has a separate kids rights section, which does require opt in parental consent for the sale of data from 'kids' under 16, allows for fines and lawsuits for data breaches.
The legislators are also billing it as "aligning" with the European Union's new GDPR data privacy framework that went into effect May 25.
The bill comes in the wake of data breaches, sharing controversies (Facebook/Cambridge Analytica), increased focus on tech platforms in Washington, and the FCC's deeding of online privacy issues to the Federal Trade Commission, whose primary authority is enforcement rather than rulemaking.
Reportedly in the wake of the bill's passage, the sponsor of a tougher data privacy initiative agreed to pull it off the November ballot.
"We appreciate the California legislature's efforts to address this important, complex policy area through the legislative process," said TechNet. "While this law adds a significant new layer of privacy protections for California consumers, even its authors have acknowledged it is far from perfect and will need revisions in the months ahead as its consequences and workability are better understood.
“Maintaining people’s privacy and security has always been and remains a top priority of internet platforms," said Internet Association VP Robert Callahan. "Trust with IA member products and services is essential to a thriving internet, and the internet industry is committed to providing people with information and tools to make informed choices about how their personal information is used, seen, and shared online.
“Data regulation policy is complex and impacts every sector of the economy, including the internet industry.
That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning.
The circumstances of this bill are specific to California. It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.”
"California’s new privacy legislation will do less damage to the Internet economy than the proposed ballot initiative would have done," said information Technology & Innovation Foundation VP Daniel Castro. "But even so, the bill is flawed. Billions of users around the world share personal data—often anonymously—in exchange for access to free content and services. The system is not perfect, but it works."He said the bill "will undercut access to free content and services by prohibiting companies from penalizing consumers who opt out of sharing their personal data. This is like passing a law saying that consumers can opt out of paying for their meals, but restaurants can’t refuse them service."