In a 5-0 vote, California’s Senate Judiciary Committee passed a data privacy compromise bill, AB 375, which for the first time passes greater control of personal data and privacy to consumers. It’s expected to be signed into law later this week.
California is among the first states in the nation to tackle this issue. The bill lays out a citizens’ right to know what personal data is collected, who it is sold to as well as the right to take legal action against a company after a data breach. Also, it prevents price gouging; if a customer says “no” to a company’s sale of their data, they may not be refused service and any upcharge must be reasonable and “directly related to the value provided to the consumer by the consumer’s data.”
The Catalyst: California Consumer Privacy Act
This pushes the California Consumer Privacy Act off the ballot after it recently gained enough signatures to secure a spot. There are stark differences between the two. The CCPA initiative prohibited a change in pricing and/or quality of services if a customer wanted their data left unsold to another entity. The bill, AB 375, may not be as strong as the CCPA, but its popularity is widely acknowledged to have provided the leverage needed to push lawmakers to a compromise.
This isn’t the end of the road for AB 375. California’s Senate Appropriations Committee will have its turn, pushing it along for a planned vote on Thursday.
John M. Simpson, Consumer Watchdog Privacy and Technology Project Director, says that if lawmakers don’t make good time his organization will take action. “If the bill isn’t signed into law by Thursday, the initiative’s sponsors will move forward with their campaign and we will strongly support that effort,” he said in a statement.
Business Complaints Fall Short
As usual, legislation and regulation lag behind technology. This move by the Committee comes after years of data breaches and sales, putting Americans’ private data at risk. For example, Facebook sells it and credit scoring company Equifax just lost it, with millions of Americans suffering irreparable damage in the 2017 hack and subsequent coverup.
Industry groups, such as Google, Verizon, Facebook, and T-Mobile predictably cried foul on the landmark changes in a letter to lawmakers.
“Foundational concepts are lacking, including a clear definition of what businesses the bill covers,” the letter says. “The bill would also lead to recurring pop-ups to consumers that would be desensitizing and give opportunities to hackers.”
This isn’t just big news for Californians. The vote echoed through Washington as well. As tech watchers wait for the dominos to fall, some say it’ll lead all the way to the steps of the Supreme Court. “California will get the conversation started, but I think it then becomes an ‘unfair burden’ argument for the companies. And then what’ll happen is somebody will complain because they’ll say, “Well, we have to do this for California, and we can’t do it differently for all 50 states.” Then another state will want more regulation too, and it’ll be completely different,” said Morgan Wright an internationally recognized expert on cybersecurity cyberterrorism, identity theft, and privacy. His landmark testimony before Congress on Healthcare.gov changed how the government collected personally identifiable information. “There’ll be a lawsuit, it’ll get resolved at some level and hold up in the Supreme Court – the Supreme Court will say it’s a federal issue because it deals in interstate commerce. And there you go.”
Let’s not forget though, while AB 375 may be the ripple that creates a wave of data privacy laws starting from the western United States, Europe also has massive new right-to-privacy measures rolling in from the east. It’s a short matter of time before they both wash up on the shores of Washington.