SAN FRANCISCO – California on Thursday passed a strict new law aimed at protecting people’s privacy online, a move that promised to shift the terrain on which internet firms operate in the wake of recent scandals.
The bill, signed into law by Gov. Jerry Brown, followed in the spirit of Europe’s new General Data Protection Regulation.
The legislation cut off an initiative that is heading for the ballot in this state in the fall.
Laws originating in the legislature instead of from ballot initiatives are easier to amend if issues arise. Even the bill’s opponents in the business community characterized the legislature’s version as the lesser of two evils.
The law was crafted to ensure rights that include knowing what personal information is collected by companies on the internet and whether it is sold, and to whom.
Alastair Mactaggart, a California real estate developer who spent about $1.4 million earlier this year to qualify the measure for the ballot, had until Thursday evening to pull his initiative before state officials set the ballot. Mactaggart had agreed to do so if Brown signed the bill.
He described the compromise on Thursday as a “landmark accomplishment, which is the strictest privacy bill ever achieved in this country.”
The measure would affect nearly every major business, but large technology firms that play an ever-increasing role in online communications and commerce are a big target. Data breaches affecting Facebook, Uber and other companies have generated increased public pressure for regulators to step in.
Under the proposal, large companies, such as those with data on more than 50,000 people, would be required starting in 2020 to let consumers view the data they have collected on them, request deletion of data, and opt out of having the data sold to third parties.
Each violation would carry a $7,500 fine. The law applies to users in California.
The law also calls for people to be treated the same as anyone else online if they opt to restrict use of their data.
Internet businesses that receive “verifiable” requests by people to have their data deleted will be required to do so, with a list of exceptions that include keeping what is needed to complete transactions, detect security breaches, or protect against illegal activity.
“A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information,” the legislation said.
“This right may be referred to as the right to opt out.”
Business home pages will be required to provide “clear and conspicuous” links titled “Do not sell my personal information” that take people to opt-out pages.
People whose personal information is stored unencrypted and not sufficiently protected were also give the right to pursue civil claims.
The shift both in Europe and California came after the harvesting of Facebook users’ data by Cambridge Analytica, a U.S.-British political research firm, for the 2016 U.S. presidential election.
The nonprofit advocacy group Consumer Watchdog called the California legislation “landmark reform” and branded it the toughest state privacy law in the U.S.
“Silicon Valley companies will very likely implement many of these reforms across their entire customer base, not just for Californians,” said Consumer Watchdog President Jamie Court.
“California has led the way, and Californians must be ever-vigilant in the next year that the legislature does not undermine these protections at the behest of tech lobbyists and moguls.”
State Sen. Bob Hertzberg, a Democrat, said during a live-streamed news conference Thursday: “This is a huge step forward for California. This is a huge step forward for people across the country.”
The Internet Association, an industry lobbying group, expressed concerns about the law, saying there was a lack of public input while it was hurried through the legislative process.
“Data regulation policy is complex and impacts every sector of the economy, including the internet industry,” the association’s vice president of state government affairs, Robert Callahan, said in a statement posted on its website.
“That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning.”
Callahan contended that California policymakers will need to “correct the inevitable negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.”
The list of Internet Association members includes titans such as Amazon, Facebook, Google, Microsoft, Netflix and Twitter.
During a meeting Thursday with reporters at Facebook’s headquarters in Silicon Valley, chief operating officer Sheryl Sandberg said the leading social network supported the California legislation.
Executives at Google had warned that the measure could have unintended consequences but have not said what those might be. “We think there’s a set of ramifications that’s really difficult to understand,” Google Senior Vice President Sridhar Ramaswamy told reporters on Tuesday. “User privacy needs to be thoughtfully balanced against legitimate business needs.”
CTIA, a wireless industry trade group, called on the U.S. Congress to pass legislation instead. “State-specific laws will stifle American innovation and confuse consumers,” CTIA said.