California enacted a data privacy law less than two months ago, and business groups already are urging the legislature to gut some of its most important protections. EFF and our privacy allies are fighting back.
On June 28, California enacted the Consumer Privacy Act (S.B. 375). It seeks to protect the data privacy of technology users and others by imposing new rules on companies that gather, use, and share personal data. As we have explained, while this law is a step forward, it also has important flaws that must be fixed. The law does not go into effect until January 2020, which means privacy advocates like EFF have 18 months to fix those flaws and strengthen it.
However, some are attempting to use this window of time to undermine the privacy protections in the law. Already, dozens of business groups, led by the California Chamber of Commerce, have asked legislators for immediate and far-reaching changes that would terminate many of the law’s critical safeguards.
The privacy and social justice communities quickly pushed back, urging legislators to reject the Chamber’s ill-considered proposals.
Most importantly, many of the Chamber’s proposals would harm the data privacy of 40 million Californians. For example, the Act creates a “right to know,” meaning a right for users to learn the “specific pieces” of personal information that a company has collected about them. The Chamber would delete this term, leaving users with a far weaker right to learn what general “categories” of information a company collected about them. This is not enough. For example, users should be able to learn exactly what information about their browsing history was harvested by a company—not just that the company monitored their browsing history.
Moreover, the Chamber seeks to delete the law’s “data portability” provision, meaning the right of users in certain circumstances to obtain a copy of their personal data in a portable form. This enables users to self-publish their data, to better understand their relationship with the companies that gather and monetize their data, and to transfer their data to a competitor company. It is a critical measure that should not be repealed.
The Chamber’s demands also contradict the sensible legislative timetable preferred by some California lawmakers. These legislators want to limit the dwindling 2018 legislative session to technical corrections to the law, and defer consideration of any substantive changes (including proposals to strengthen or weaken the law) until the full legislative session in 2019. Yet most of the Chamber’s proposals are substantive. Rushing such proposals through this legislative term would limit opportunities for debate and review, and diminish legislators’ opportunity to seek input from experts and the public.
In the months and years to come, EFF will not just play defense: we will also work to strengthen the law. Among other things, we want to limit companies from collecting users’ personal information absent their prior opt-in consent, strengthen the existing consent requirement for data sales, delete a provision allowing companies to charge more from customers who exercise their privacy rights, and ensure that users can sue companies that violate their privacy rights. We must improve the law, not undermine it.
Our allies in this coalition effort are Common Sense Kids Action, ACLU of California, Access Humboldt, Berkeley Media Studies Group, CalPIRG, Campaign for a Commercial-Free Childhood, Center for Digital Democracy, Center for Media Justice, Color of Change, Consumer Action, Consumer Federation of America, Consumer Federation of California, Consumer Watchdog, Consumers Union, Digital Privacy Alliance, Media Alliance, National Consumer League, Privacy Rights Clearinghouse, and Public Knowledge.