The California law came after years of inaction not just in Congress, but in Sacramento as well, where lawmakers were equally reticent to take on the complicated regulation of a huge, powerful player: the tech industry. California lawmakers’ were forced to the table after an even more sweeping initiative than the CCPA, authored by real estate developer Alastair Mactaggart, qualified for the November ballot.
After negotiating with Mactaggart and others, California came up with legislation that will allow state residents to ask large businesses what personal information has been collected by a company about them and let consumers tell the company to erase that information. If they don’t comply, the attorney general can take civil action.
Mactaggart, who heads a group called Californians for Consumer Privacy, said he’s glad the Legislature took up the issue because they can now easily tweak the law as public debate and technology progresses. A ballot can only be changed by another vote of the electorate.
“This is a fast-moving and complicated area,” he said. “I think we’re in good shape right now. There are a couple of cleanup items that do need to get addressed … and I’ve never been someone who said this is the last word, because we’re in an ongoing relationship between we the people and this new technology that’s come along.”
Lawmakers think there’s more to be done than Mactaggart, however. The new bills proposed in Sacramento run the gamut, from minor technical amendments to more sweeping changes. One would let consumers sue companies for violating the law. Another would require data brokers to register with the state.
And a package of four bills authored by a group of Republican assemblymen would tackle a number of hot-button issues. One bill would require social media companies to fully delete someone’s data when they close an account; another would require minors under the age of 16 to get consent from their parents before they create a social media account; a third would mandate that data breach victims are notified within 72 hours of a company discovering the breach; and a fourth would bar smart-speaker companies from storing or data mining voice recordings.
In California, at least, the issue is a squarely bipartisan one, said Assemblyman Jordan Cunningham, R-San Luis Obispo.
“When I talk to my constituents about it, they are overwhelmingly supportive of the notion of individual privacy and the importance of passing laws that make sure that the individual consumer doesn’t get lost in this rush to new technologies,” he said. “I think the CCPA was a great step. I think it’s been widely hailed as the strongest digital privacy law in the country. And I think that’s right. But I think we need action in a couple other areas.”