IE 11 is not supported. For an optimal experience visit our site on another browser.

California passes digital privacy bill that could have impact across U.S.

The bill requires companies like Google, Facebook and Amazon to tell users what data they collect and who they share it with.
Image: Jerry Brown
California Gov. Jerry Brown will need to sign the state's new data privacy bill for it to go into action.Jae C. Hong / AP

SAN FRANCISCO — California enacted the nation’s strongest data privacy law on Thursday that could presage national changes to how big tech companies, including Facebook, Google and Amazon, collect and use personal data.

The law, passed by the state legislature on Tuesday and signed by Gov. Jerry Brown, requires companies to disclose the types of data they collect about consumers and with whom they share that information. Companies will be forced to let consumers opt-out of having their data sold. The law will also prohibit companies from charging a consumer or treating them differently because they opted out of having their data sold.

Companies will also be required to secure customer data or risk being fined by California’s attorney general, according to the legislation.

The protections won’t take effect until 2020, meaning the fight between lawmakers, advocates and tech companies to further shape the regulations, or water them down, is still far from over.

Still, California’s new privacy protections have been heralded as the strongest consumer privacy measure in decades and are part of a growing movement to give people more control over their data. While the spirit of the law is similar to Europe’s General Data Protection Regulation, which went into effect last month, it doesn’t go as far as GDPR, which is now considered the strongest data privacy law in the world.

In response to GDPR, which took effect last month, many large tech companies, even those based in the U.S., revamped their privacy policies and created tools to give users more control over the types of data that is collected.

James Steyer, founder and CEO of nonprofit tech watchdog Common Sense, said the passage of the bill is a “huge victory” but isn’t perfect.

“I would like to see even more aspects of privacy opt-in versus opt-out, but this is a huge improvement,” Steyer said.

The vote wasn’t without a bit of last-minute drama. Lawmakers had until Thursday afternoon to pass the bill, entitled the California Consumer Privacy Act of 2018. If they did, Alastair Mactaggart, a wealthy real estate developer, said he would pull an even tougher measure that had secured a spot on the state’s November ballot. Mactaggart’s Californians for Consumer Privacy bill would give consumers even more power over their data, such as the ability to sue companies that may have mishandled their privacy and security.

The Internet Association, the lobbying force representing many large technology companies, had expressed its disapproval for the ballot measure. Sheryl Sandberg, Facebook’s chief operating officer, told reporters at an event held at Facebook headquarters on Thursday morning that the social network supported the legislative action.

Once signed, the bill will provide California residents with the strongest consumer privacy protections in the United States. It is also expected to have wide-ranging implications for everyone in the United States.

The California legislation is a beacon to privacy rights activists who have said they believe the next steps could be instituting stronger privacy protections at the federal level. Regardless of whether Congress acts, Steyer said California’s law will have a ripple effect and be a positive for all Americans.

“California’s law will become the law of the land,” he said. “Waiting for Congress and this current executive breach to be functional is like a joke."