California just passed a law that is going to cause a lot of binge-drinking (and possibly mass resignations) at US tech companies in the near future.
Assembly Bill AB-375, appropriately referred to GDPR-Lite, was signed by the governor of California Thursday. (You can read the text of the bill here.) It is intended to forestall a ballot initiative that would have given consumers even more control over the data collected by tech companies.
It's too early to say how this bill will play out in practice, but according to the bill's intro, its goals include:
- grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared.
- require a business to make disclosures about the information and the purposes for which it is used.
- grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified.
- grant a consumer a right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed.
- require a business to provide this information in response to a verifiable consumer request.
- authorize a consumer to opt out of the sale of personal information by a business and would prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.
- authorize businesses to offer financial incentives for collection of personal information.
- prohibit a business from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized, as specified, to be referred to as the right to opt in.
- prohibit the provisions described above from restricting the ability of the business to comply with federal, state, or local laws, among other things.
The bill was passed last night as a last minute effort to forestall a popular ballot initiative that would have gone further and given consumers more protection. It's not clear whether that ballot initiative was withdrawn yesterday; I expect the state government to soften the bill with amendments that remove consumer rights, and I rather hope that the group behind the ballot initiative, Californians for Consumer Privacy, continues to press forward.
Either way, this is going to cause huge problems for tech companies and online publishers, many of which are still struggling to comply with the GDPR.
Some companies like Instapaper have cut off service in Europe until they can comply with the law, and others such as Tronc and the Twitter service Unroll.me have said they were never going to be able/willing to reverse that decision. Then there's USA Today, which has stripped out all the trackers and ads before showing its site to its European audience.
We're going to see a similar wave of shut downs as we get closer to this bill taking effect on 1 January 2020.
What's even better is that once it takes effect we will be able to use it to track down each of the data aggregators who trade in our personal info and make them delete it all.
That's the dream, anyway; whether the reality lives up to the dream is another question.
image by wuestenigel