Deal to protect online privacy could head off ballot measure
Amid mounting public outrage over online privacy and security breaches, California lawmakers introduced legislation Friday to strengthen protections while potentially heading off a consumer revolt at the polls that industry leaders oppose.
The California Data Privacy Protection Act by state Sen. Robert Hertzberg, D-Van Nuys, and Assemblymember Ed
Chau, D-Monterey Park, would allow consumers to know what data companies collect on them, allow them to opt out and hold companies accountable for breaches.
“Privacy is a fundamental American value,” said Chau, who chairs the state’s Assembly Privacy Committee. “That California is able to lead the nation into an era of consumerfirst protections is a boon to our democracy.”
The proposed legislation follows a steady drumbeat of data breaches and unauthorized dis-
closures that have left consumers vulnerable to identity theft and fraud or exposed personal information that they had assumed would be kept private.
Facebook CEO Mark Zuckerberg acknowledged in March that the social media giant had failed its users after reports that British political consulting firm Cambridge Analytica had harvested up to 87 million Facebook user profiles without their consent.
It was the latest in a series of failures by various companies to protect consumers’ data. Other companies that acknowledged major data breaches include Uber in November affecting 57 million users, Yahoo in October affecting 3 billion users, Equifax in September affecting 148 million users, LinkedIn in 2016 affecting 100 million users, and Anthem in 2015 affecting 80 million users.
The bill is sponsored by advocacy group Common Sense and supported by privacy activist Alastair Mactaggart, who
launched the effort for a California Consumer Privacy Act ballot initiative. Mactaggart, a San Francisco real estate developer who has spent $1.65 million on the campaign, said that he would withdraw the ballot measure if the Legislature passes the proposed bill and Gov. Jerry Brown signs it by June 28 — the last date for the ballot measure to qualify or to be pulled from the ballot.
That’s a tall order. “They’ve got to do it real quick,” said Robin Swanson, the campaign’s consultant and spokeswoman. “It’s a take-it-or-leave-it proposition. We know our initiative not only will qualify, but it polls off the charts. It’s up to them to make that strategic decision.”
The initiative campaign submitted 629,000 signatures in May for the proposed ballot measure,
which would need at least 365,880 to qualify. Swanson said they expect to have enough signatures verified to qualify the measure as early as Monday.
The bill mirrors three core components of the ballot initiative. It would guarantee consumers the right to know what data is being collected from them, as well as the right to opt out of that data collection. It also would hold companies liable for data breaches.
Industry leaders, including the Silicon Valley Leadership Group, which represents major technology firms, opposed the ballot measure, arguing it went too far and was approved without industry input. Facebook was initially opposed, but dropped its opposition in April.
Peter Leroe-Muñoz, the leadership group’s vice president of technology and innovation, said Friday that data privacy and security “is a complex issue requiring continued conversation.”
“The Silicon Valley Leadership Group looks forward to actively bringing together our member companies and legislators to continue to find an approach that meets the needs of the technology sector,” Leroe-Muñoz said.
Swanson said the bill differs from the initiative in the way that companies would be held accountable for breaches to address an industry concern. The bill would allow the state attorney general to levy fines for data breaches, after which consumers could then sue over them. The ballot measure would expose companies to litigation regardless of the state attorney general’s action.
The bill also adds provisions that go beyond the ballot measure. It would require parental consent for companies to sell data on children younger than 16. And it would include provisions of Europe’s privacy laws such as consumers’ right to compel companies to delete all their private data.
“I think they both accomplish the same goals broadly,” Mactaggart said in an interview. “They both provide the transparency, the control and the accountability. Those are the three pillars of the initiative, and of the bill, as well.”