Illustration: Lazaro Gamio/Axios
With impeachment hogging Congress' agenda, no national privacy law is likely to pre-empt California's stringent rules from going into effect next year — and activists in the state are already gearing up to put an even tougher initiative on the state's 2020 ballot.
Why it matters: California's rules often become de facto national standards. Home to Google and Facebook, this is where the tech industry's user-tracking, ad-targeting economy was born, but now it's also where efforts to tame the industry keep sprouting.
Driving the news: Real estate developer Alastair Mactaggart and his organization Californians for Consumer Privacy, which led the drive for a state law in 2018, last week introduced a new privacy-focused ballot initiative for 2020 that would bolster the requirements of the state's current law.
- The California Consumer Privacy Act (CCPA), passed in 2018 and set to go into effect Jan. 1, 2020, gives state residents the right to find out whatever personal information about them companies possess, to have them delete it, and to stop them from selling it.
The new ballot initiative goes further ...
- establishing a data protection agency for the state to enforce new privacy laws and make new regulations.
- creating a new class of "sensitive information" — data like social security numbers, precise location, and financial info — that firms could not sell without users opting in.
- enacting a new right to correct inaccurate personal information stored by companies.
Flashback: The CCPA was written and passed hastily in 2018 as part of a deal with Mactaggart and his group to withdraw an earlier ballot initiative that had first spurred the push for a state-level privacy law in California.
- Businesses have argued ever since that the law is full of loopholes and needs to be revised, but the California legislature defeated efforts to revamp the law.
- The tech industry hoped that bipartisan efforts in Congress earlier this year would produce a less strict national privacy law that would take precedence over California's, but those efforts faltered.
Between the lines: Critics say big global companies that have already adapted to Europe's strict GDPR rules won't bat an eye at further privacy limits in California, while small firms and startups may find themselves hobbled.
- CCPA only applies to companies with over $25 million in revenue, personal information on at least 50,000 people, or earning at least half their money by selling consumers' personal information.
- The new initiative raises the bar to apply only to firms with information on 100,000 customers or households.
What's next: California initiatives need more than 600,000 signatures to qualify for the ballot.
- If the new privacy initiative qualifies, it will get a yes or no decision from voters in 2020.
- Successful initiatives are much harder to modify or amend than laws passed by the state legislature.
Go deeper: The future of privacy starts in California