SACRAMENTO – A landmark California law that will alter the way internet giants like Google and Facebook collect and deploy user data has survived heavy lobbying from industry groups and is set to take effect in January with most of its major consumer privacy protections intact.
In the final days of the California legislative session, lawmakers passed a series of bills that make slight alterations to the California Consumer Privacy Act, but the infrastructure of the act remains despite vociferous objections from groups like the Internet Association and the California Chamber of Commerce.
The sweeping bill signed in 2018 by former Gov. Jerry Brown will grant consumers privacy rights, including the right to ask that their personal information be deleted, the right to access it and the right to request their information not be sold.
Business groups introduced a horde of hostile amendments this year that would have greatly skewed the privacy act.
“Industry tried and failed this session to weaken or eliminate the key protections of the CCPA,” said Kevin Baker with ACLU of Northern California. “We applaud the Legislature for holding the line against big technology companies.”
One of the proposed changes was Senate Bill 753, which attempted to allow the collection of personal information for the purposes of targeted advertising.
Targeted advertising is one of the principal ways in which companies like Google and Facebook make their money. Businesses collect information from clients and then pass the data along to outside groups who look to refine their advertising techniques by appealing to customers that have expressed interest in a given sector.
Privacy advocates claim the data sharing practice is nefarious and that individuals should maintain control over how their personal information is used, including the right to access that data, request its deletion or preventing companies from selling it.
Senate Bill 753 never gained much traction and stalled in committee.
Civil liberty groups pulled out another victory toward the end of the legislative session when a Democratic lawmaker this week stashed his privacy act reform.
Assembly Bill 1281 would have required businesses to put up a sign in areas where facial recognition technology is in use. Violators would have been fined up to $75 per violation with a cap of $7,500 in fines per year, per business.
The ACLU and the Electronic Frontier Foundation opposed the measure by Assemblyman Ed Chau, D-Monterey Park, arguing that a simple warning sign didn’t give businesses the right to capture their customers’ biometric data and perhaps pass it on to marketers or law enforcement.
“Posting a sign is little or no protection against the use of this powerful and intrusive technology,” the groups said in a joint opposition letter. “Such signs would likely become as ubiquitous and ignored as Proposition 65 notices are now, particularly when consumers have no effective way to guard against the dangers. A physical sign – no matter how prominent – is no substitute for consent.”
While his measure cleared the Assembly in a bipartisan vote in April, Chau on Tuesday pulled AB 1281 from the Senate and won’t be able to take it up until January at the earliest.
Several amendments and carve-outs to the bill were passed however during the closing days of the session – including Assembly bills 25, 874, 1146, 1355, and 1564 – but most were unopposed and considered minor.
For instance, AB 25 exempts employee information retained by employers. AB 1146 allows car dealers to retain information necessary to perform ongoing automotive repairs.
All the rest of the passed bills are equally negligible in terms of overall impact. California’s law is expected to serve as a template for other states and possibly eventual federal legislation. Given the Golden State’s outsize leverage in the digital industry, it will create an immediate impact when takes effect in January.
But privacy advocates caution the industry will continue to seek loopholes and methods to weaken the law.
“Going forward, California must do everything possible to build on the CCPA and ensure that everyone has strong, enforceable privacy rights,” Baker said.
— By Matthew Renda and Nick Cahill