Battles over privacy ahead
California lawmakers’ attention turns to how companies use and protect personal data.
SACRAMENTO — Amid battles with President Trump over his calls to shut down the nation’s borders and increase deportations, California lawmakers focused this last legislative session on keeping personal data collected by state and local agencies away from the federal government.
In the coming year, their attention is likely to turn to private companies and how they protect consumers’ information. With federal regulation rollbacks, a rise in data breaches and a growing industry of products connected to the internet, some legislators and tech lobbyists say they want people to have more notice and control over what personal data is collected, without having to pay for privacy or better services.
Here are some efforts to watch:
Legislation aimed at net neutrality
After the Federal Communications Commission voted to repeal net neutrality regulations, state Sen. Scott Wiener (D-San Francisco) pledged to bring them back to California.
The Obama-era rules put in place in February 2015 barred broadband and wireless companies such as AT&T and Verizon from
slowing speeds for some video streams and other content, discriminating against legal material online and selling faster delivery of certain data. They also gave the Federal Trade Commission authority over internet service providers.
Supporters of net neutrality could go to court in an attempt to halt the FCC order and to challenge language that could prevent state and local governments from adopting their own net neutrality rules.
But Wiener says there is room for the state to act now. He is looking into ways to require net neutrality as a condition in state contracts, cable franchise agreements and broadband packages.
Efforts to stop sale of personal data
Assemblyman Ed Chau (D-Monterey Park) has been working to reinstate another set of FCC regulations rolled back by Trump and Congress: rules that require internet providers to get permission from customers before using, selling or allowing access to their browser history.
Chau first introduced the California Privacy Act last legislative session, but it was shelved in the state Senate after heavy lobbying efforts by major internet service providers. He intends to try again in 2018.
The bill would enshrine the old federal regulations in state law. It also would bar companies from blocking or limiting service if customers do not waive their privacy rights. And it would prohibit them from offering customers discounts in exchange for waiving their privacy rights — or from charging them a penalty if they refuse to do so.
In a separate effort, privacy advocates are trying to establish similar rules through a proposed ballot measure. But they want the regulations to apply to all businesses that collect and deal data for commercial purposes. Organizers have until May to collect more than 365,000 signatures before the initiative can become official.
Lowering the cost of credit freezes
In an area where there are no federal rules, state Sen. Jerry Hill (D-San Mateo) has said he plans to introduce legislation to prevent credit agencies from charging as much as $10 to place or lift a credit freeze.
The legislation comes after Equifax, one of the nation’s three major credit reporting agencies, revealed in September that the personal data and credit information of more than 145 million consumers had been exposed in a breach, including names, birth dates and Social Security and driver’s license numbers.
Under California law, people can freeze their credit for free if they have been victims of identify theft and have filed a police report. Otherwise, a person can pay as much as $30 to freeze their credit with all three major credit agencies — Equifax, Trans-Union and Experian — and another $30 to unfreeze it. Residents older than age 65 can get a credit freeze for free but must pay $5 to remove it.
Four states — Indiana, Maine, North Carolina and South Carolina — allow free credit freezes, according to the U.S. Public Research Interest Group.
“Credit agencies are involved in so many aspects of our lives — from buying a car and purchasing a home, to simply signing a new cellphone contract,” Hill said in a statement. “The agencies possess our most sensitive information, and they shouldn’t profit from consumers’ efforts to protect their personal and financial data.”
Rules for teddy bears and toasters
Privacy advocates also are watching for the comeback of another Senate bill shelved last year that would prevent companies from selling products that can listen in on conversations and collect personal information from unknowing consumers.
SB 327, also known as the Teddy Bear and Toaster Act, by state Sen. Hannah-Beth Jackson (D-Santa Barbara) would require manufacturers to equip their internet-connected devices, including toys, clocks, kitchenware and electronics, with certain security and privacy features.
Products would have to alert consumers — through visual, auditory or other cues — when they are gathering data. Companies would have to obtain user consent when they intend to transfer the information. And they would have to disclose at point of sale whether the devices are capable of sweeping up sensitive data so that customers can take that into account while shopping.
Jackson probably will move the bill forward in January.