In the absence of national privacy legislation that holds companies accountable when they misuse or mishandle consumer data, states are beginning to take the matter into their own hands.
California’s state legislature on Thursday is set to consider a bill that would require businesses to notify consumers what kind of data they’re collecting, and crucially, whether they have sold any of that data and to whom. The bill would also prevent businesses from charging consumers more for a product or service if the consumers ask for information about the company’s data collection practices or decline to allow their data to be sold. The California Consumer Privacy Act gives the state attorney general the power to bring civil actions and impose fines against companies that violate the act.
The bill is unique in many ways, not the least of which is that it was brought to life by private citizens. The privacy act is mainly the work of a private coalition called Californians for Consumer Privacy which has collected several hundred thousand signatures on a petition that would get the measure on the ballot in California in November’s election. That would give voters the ability to put the measure through themselves, but after it was approved as a ballot measure, state lawmakers are now pushing through a bill in the state assembly as a kind of compromise to prevent it from hitting the ballot.
“This initiative will give consumers a real choice about whether they want their private information bought and sold by companies they’ve never heard of, will help shine a light onto the business of data brokerage, and will empower California consumers to protect their sensitive personal information,” Alastair Mactaggart, the main financial backer of the privacy coalition, said in a statement.
The bill’s language is straightforward and would give consumers much more leverage in their dealings with companies that collect and attempt to monetize their personal data.
If it passes, the bill could set a precedent for other states.
"A consumer shall have the right to request that a business that sells the consumer's personal information, or that discloses it for a business purpose, disclose to that consumer: (1) the categories of personal information that the business sold about the consumer and the identity of the third parties to whom such personal information was sold, by category or categories of personal information for each third party to whom such personal information was sold; and (2) the categories of personal information that the business disclosed about the consumer for a business purpose and the identity of the persons to whom such personal information was disclosed for a business purpose, by category or categories of personal information for each person to whom such personal information was disclosed for a business purpose,” the bill says.
If it passes, the bill could set a precedent for other states, in much the same way that California’s original data-breach notification bill did 15 years ago. That law required any company that stored data belonging to a California resident and suffered a data breach to disclose the breach to the state attorney general and the affected consumers. The law was the first such state measure in the United States and became the model for many others that followed.
While the California Consumer Privacy Act would only apply to state citizens, it has drawn opposition from some of the larger technology providers in the industry. Facebook, Google, Verizon, and other vendors have voiced objections to the bill, although both Facebook and Verizon have recently withdrawn their opposition.
The California State Assembly will consider the privacy act Thursday afternoon in a joint session.