In a last-ditch effort to head off a November ballot initiative, California’s state legislature passed what are arguably the strongest privacy laws in the country this week. The new rules broadly resemble Europe’s GDPR, in that they give Californians the right to know what data a business has on them, and the ability to prevent the sale of that information and to compel its deletion. It also gives consumers the right to sue in the event of a data breach. Consumers who opt out must receive the same quality of service.
That the law comes from California might come as a surprise, given that it serves as the headquarters for most of the largest tech companies and the world’s largest tech hub, San Francisco. But the reason it went from bill to law in the course of a week is that those same companies preferred this legislation to the proposal that would have been on the ballot in November. According to the Los Angeles Times, that’s because the new legislation “narrowed the circumstances under which consumers could sue companies” compared to the ballot initiative.
“If we didn’t have the initiative process in California, we wouldn’t be here today,” Alastair Mactaggart, the real-estate developer pushing the ballot initiative, told the New York Times. More than 600,000 people signed the necessary petition to get it certified.
The new law goes into effect at the start of 2020, giving companies time to get ready for the changeover. Other state legislatures might adopt similar regulations, an increasing tactic given the federal government’s hands-off approach to digital rights. Though the bill only technically applies to one state, you can expect a cascading effect similar to GDPR. Though only a subset of users fall under its purview, the privacy controls and policies necessitated by the rules were applied worldwide by most large platforms.