California lawmakers introduced legislation Friday that would strengthen consumers’ online data privacy and protection and head off a proposed November ballot measure to that effect that many in the technology industry had opposed.
The California Data Privacy Protection Act by state Senator Robert Hertzberg, D-Van Nuys, and Assemblymember Ed Chau, D-Monterey Park, would allow consumers to know what data companies collect on them, allow them to opt out and hold companies accountable for breaches.
“Privacy is a fundamental American value,” said Chau, who chairs the state’s Assembly Privacy Committee. “That California is able to lead the nation into an era of consumer-first protections is a boon to our democracy.”
The proposed legislation follows a steady drumbeat of data breaches and unauthorized disclosures that have left consumers vulnerable to identity theft and fraud or exposed personal information that they had assumed would be kept private.
Facebook CEO Mark Zuckerberg acknowledged in March that the social media giant had failed its users after reports that British political consulting firm Cambridge Analytica had harvested up to 87 million Facebook user profiles without their consent.
It was only the latest of a series of failures by various companies to protect consumers’ data. Other companies that acknowledged major data breaches include Uber in November affecting 57 million users, Yahoo in October affecting 3 billion users, Equifax in September affecting 148 million users, LinkedIn in 2016 affecting 100 million users, and Anthem in 2015 affecting 80 million users.
The bill is sponsored by advocacy group Common Sense and supported by privacy activist Alastair MacTaggart who launched the effort for a California Consumer Privacy Act ballot initiative. MacTaggart, a San Francisco real estate developer who has spent $1.65 million on the effort, said that he would withdraw the ballot measure if the Legislature passes the proposed bill by June 28 — the last date for the ballot measure to qualify or to be pulled from the ballot.
The initiative campaign submitted 629,000 signatures in May for the proposed ballot measure, which would need at least 365,880 to qualify. Robin Swanson, the campaign’s consultant and spokeswoman, said they expect to have enough signatures verified to qualify the measure as early as Monday, and acknowledged lawmakers don’t have much time to approve a substitute.
“They’ve got to do it real quick,” Swanson said. “It’s a take-it-or-leave-it proposition. We know our initiative not only will qualify, but it polls off the charts. It’s up to them to make that strategic decision.”
The bill mirrors three core components of the ballot initiative. It would guarantee consumers the right to know what data is being collected from them to opt out of that data collection. It also would hold companies liable for data breaches.
Industry leaders including the Silicon Valley Leadership Group, which represents major technology firms, opposed the ballot measure, arguing it went too far and was approved without industry input. Facebook was initially opposed, but dropped its opposition in April.
Peter Leroe-Muñoz, the leadership group’s vice president of technology and innovation, said Friday morning that data privacy and security “is a complex issue requiring continued conversation.”
“The Silicon Valley Leadership Group looks forward to actively bringing together our member companies and legislators to continue to find an approach that meets the needs of the technology sector,” Leroe-Muñoz said.
Swanson said the bill differs from the initiative in the way companies would be held accountable for breaches to address an industry concern. The bill would allow the attorney general to levy fines for data breaches, after which consumers could then sue over them. The ballot measure exposed companies to litigation regardless of the state attorney general’s action.
The bill also adds provisions that go beyond the ballot measure. It would require parental consent for companies to sell data on children younger than 16. And it would include provisions of Europe’s privacy laws such as consumers’ right to compel companies to delete all their private data.
“Consumers’ right to privacy is being undermined and people deserve to own, control, and secure their personal information,” MacTaggart said in a news release. “That the legislature was willing to step up and ensure these protections is a testament to the democratic process.”