California has become the first state in the US to pass a data privacy law – with governor Jerry Brown signing the California Consumer Privacy Act of 2018 into law on Thursday.
The legislation will give new rights to the state’s 40 million inhabitants, including the ability to view the data that companies hold on them and, critically, request that it be deleted and not sold to third parties. It’s not too far off Europe’s GDPR.
Any company that holds data on more than 50,000 people is subject to the law, and each violation carries a hefty $7,500 fine. Needless to say, the corporations that make a big chunk of their profits from selling their users’ information are not overly excited about the new law.
“We think there’s a set of ramifications that’s really difficult to understand,” said a Google spokesperson, adding: “User privacy needs to be thoughtfully balanced against legitimate business needs.”
Likewise tech industry association the Internet Association complained that “policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create.”
So far no word from Facebook, which put 1.5 billion users on a boat to California back in April in order to avoid Europe’s similar data privacy regulations.
Don’t worry if you are surprised by the sudden news that California, the home of Silicon Valley, has passed a new information privacy law – because everyone else is too. And this being the US political system there is, of course, an entirely depressing reason for that.
Another part of the statement by the Internet Association put some light on the issue: “Data regulation policy is complex and impacts every sector of the economy, including the internet industry,” it argues. “That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning. The circumstances of this bill are specific to California.”
So this bill was rushed through?
Yes, it was. And what’s more it was signed in law on Thursday by Governor Brown just hours after it was passed, unanimously, by both houses in Sacramento. What led lawmakers to push through privacy legislation at almost unheard-of speed? A ballot measure.
That’s right, since early 2016, a number of dedicated individuals with the funds and legislative know-how to make data privacy a reality worked together on a ballot initiative in order to give Californians the opportunity to give themselves their own privacy rights after every other effort in Sacramento and Washington DC has been shot down by the extremely well-funded lobbyists of Big Tech and Big Cable.
GDPR forgive us, it’s been one month since you were enforced…
Real estate developer Alastair Mactaggart put about $2m of his own money into the initiative following a chance conversation with a Google engineer in his home town of Oakland in which the engineer told him: “If people just understood how much we knew about them, they’d be really worried.”
Mactaggart then spoke with a fellow dad at his kid’s school, a finance guy called Rick Arney who had previously worked in the California State Senate, about it. And Arney walked him through California’s unusual ballot measure system where anyone in the state can put forward an initiative and if it gets sufficient support will be put on the ballot paper at the next election.
If a ballot initiative gets enough votes, it becomes law. There have been some good and some bad outcomes from this exercise in direct democracy over the years but given the fact that both Mactaggart and Arney felt that there was no way a data privacy law would make its way through the corridors of power in Sacramento in the normal way, given the enormous influence of Silicon Valley, they decided a ballot measure was the way to go.
Beware the policy wonk
One other individual is worth mentioning: Mary Stone Ross was a former CIA employee and had been legal counsel for the House of Representatives Intelligence Committee and she also lives in Oakland. Mactaggart persuaded her to join the team to craft the actual policy and make sure it could make it through the system.
Together the three of them then spend the next year talking to relevant people, from lawyers to tech experts to academics to ordinary citizens to arrive at their overall approach and draft the initiative.
And it is at that point that, to be put in bluntly, the shit hit the fan. Because the truth is that consumers – and especially Californians who tend to be more tech-savvy than the rest of the country given the concentration of tech companies in the state – understand the issues around data privacy rules and they want more rights over it.
With the initiative well structured and the policy process run professionally, the ballot measure gained the required number of supporters to get it on the ballot. And thanks to the focus groups and polls the group carried out, they were confident that come November it would pass and data privacy become law through direct democracy.
At which point, it is fair to say, Big Internet freaked out and made lots of visits to lawmakers in Sacramento who also freaked out.
The following months have seen a scurry of activity but if you want to know why the bill became law in almost record time and was signed by Governor Brown on Thursday all you need to know is this single fact: the deadline for pulling the initiative from November’s ballot as last night – Thursday evening – and Mactaggart said publicly that if the bill was signed, he would do exactly that and pull his ballot measure.
You may be wondering why Sacramento was able to get it through unanimously without dozens of Google and Facebook-funded lawmakers continually derailing the effort, especially since it was still a ballot measure. After all, the tech giants could have spent millions campaigning against the measure in a bid to make sure people didn’t vote for it.
And the truth is that they had already lined up millions of dollars to do exactly that. Except they were going to lose because, thanks to massively increased public awareness of data privacy given the recent Facebook Russian election fake news scandal and the European GDPR legislation, it was going to be very hard to push back against the issue. And it has been structured extremely well – it was, frankly, good law.
There is another critical component: laws passed through the ballot initiative are much, much harder for lawmakers to change, especially if they are well structured.
So suddenly Big Tech and Sacramento were faced with a choice: pass data privacy legislation at record speed and persuade Mactaggart to pull his ballot initiative with the chance to change it later through normal legislative procedures; or play politics as usual and be faced with the same law but one that would be much harder to change in future.
And, of course, they went with the law. And Mactaggart, to his eternal credit, agreed to pull his ballot measure in order to allow the “normal” legislative approach to achieve the same goal.
And so the California Consumer Privacy Act of 2018 is now law and today is the first day that most Californians will have heard of it. Sausage making at its finest.
Of course, Google, Facebook et al are going to spend the next decade doing everything they can trying to unravel it. And as we saw just last week, lawmakers are only too willing to do the bidding of large corporate donors. But it is much harder to put a genie back in the bottle than it is to stop it getting out. ®