
Privacy experts believe a new California law that changes the way companies handle customer data could affect consumers nationwide. The law, signed Thursday by Gov. Jerry Brown, imposes some of the toughest privacy protections in the country, but privacy experts are concerned that the law stops short of tougher measures California was considering.

The law, which takes effect in 2020, mandates a wide variety of new protections for consumers, including the right to be informed about data collection, the right to know how that data will be shared with third parties, and the right to opt out of data collection and demand that companies delete data that has already been collected.

“Today, California took a historic step in enacting legislation to protect children and consumers by giving them control over their own personal data,” Assembly member Ed Chau, a chief sponsor of the legislation, said in a statement. “Consumers should have a right to choose how their personal information is collected and used by businesses. It is your data, your privacy, your choice.”

The new law, called the California Consumer Privacy Act, heads off a planned November ballot initiative supported by privacy groups including Consumers Union, the advocacy division of Consumer Reports.

The Internet Association, a trade group whose members include tech giants such as Amazon, AT&T, Google, Microsoft, and Uber, opposed the ballot measure, as did internet service providers such as AT&T, Comcast, and Verizon.

Privacy Protections

The law is less comprehensive—and less consumer-friendly—than the ballot proposal, according to some advocacy groups, including Consumers Union.

“We appreciate that this law advances consumer protections in several ways, but we have serious concerns about how this legislation introduces very troubling concepts into law,” says Justin Brookman, the director of consumer privacy and technology policy for Consumers Union. “We oppose a provision in the law that allows companies to charge higher prices to consumers who decline to have their information sold to third parties.”

(Consumer Reports shares some member data in accordance with our privacy policy and provides members with the opportunity to opt out.)

Even with a less restrictive law in place, industry groups aren’t ready to give up the fight, and they say they hope to modify the law before it goes into effect. “It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike,” Robert Callahan, vice president of state government affairs for the Internet Association, said in a statement.

Consumer groups are concerned that these efforts could water down the bill. “We want this bill to be a floor, not a ceiling,” Brookman says.

What Does the Law Do?

The new law is broadly similar to Europe’s new General Data Protection Regulation (GDPR), granting consumers the right to know what sort of data is being collected about them and how it’s being used, and giving them more control over the data. The law:

  • requires companies to tell California consumers in advance what information is being collected.
  • makes companies inform consumers if the companies are selling, sharing, or disclosing personal information.
  • allows consumers to opt out of the sale of their personal information.
  • gives users the right to demand that a company delete their data.
  • prevents companies from collecting data about users younger than 13 without parental permission, and data about users between 13 and 16 without the teen’s permission.
  • allows individuals to access their data in a computer-readable form that they could take to other companies twice a year without charge. (Some consumer advocates and privacy lawyers consider data portability to be one of the most important aspects of the GDPR for consumers because it can encourage competition and innovation among providers.)

“Businesses that are covered are going to have to have a button right on their home page that says Do Not Sell My Personal Information, and when you click that button it will opt you out of all third-party sales,” says Emory Roane, policy counsel for the Privacy Rights Clearinghouse, a San Diego-based advocacy group that supports the legislation.

The most controversial provision of the new law allows companies to provide a discount in exchange for the right to sell or share some kinds of data. According to Consumers Union’s Brookman, this provision is tantamount to a pay-for-privacy plan.
 
Advocates note that the new California law falls short of both the GDPR and the ballot proposal in that it requires businesses to share only the category of the third parties getting consumer information, such as data brokers or payment processors, but not the actual identity of those third parties.
 
How much the law helps California consumers will depend on how it’s enforced. Brookman notes that many provisions of the law mandate few penalties, which might encourage companies to take their chances flouting the new law. “There's legitimate concern about the enforceability of this law,” Brookman says. “There’s a possibility that companies don’t comply until the California attorney general makes them.” 

What If You Don't Live in California?

While the law applies to California residents, it’s likely to have a ripple effect throughout the U.S., according to consumer advocates.

Companies affected by the law may also decide that it’s most efficient to follow the practices mandated by California throughout the country, in much the same way that some GDPR protections seem to be trickling down to U.S. citizens. “A lot of companies are likely to make the California protections available to consumers around the country,” Brookman says. “If they build a privacy tool, I’d be surprised if they don’t just use it for everyone.” 

Second, the law’s passage could provide an impetus for other states to pass their own laws. California’s passage of a data breach notification law in 2002 led to similar legislation in all 50 states.

And additional laws at the state level could provide a catalyst for federal privacy legislation, Brookman says. “Because companies don’t want to see 50 different states regulating privacy in 50 different ways, they’re likely to push for a federal bill to offer universal privacy protections,” he says.

If further legislation does come, some consumer advocates say they would like to see it go further than the California law. “I don’t think the California Consumer Privacy Act is quite polished enough to serve as model legislation,” says Roane of the Privacy Rights Clearinghouse. “But it can be appreciated as an acknowledgment that consumers need and demand more control over their personal information.”