Sep 30, 2019

California initiative pushes an even stronger privacy law

Illustration: Lazaro Gamio/Axios

With impeachment hogging Congress' agenda, no national privacy law is likely to pre-empt California's stringent rules from going into effect next year — and activists in the state are already gearing up to put an even tougher initiative on the state's 2020 ballot.

Why it matters: California's rules often become de facto national standards. Home to Google and Facebook, this is where the tech industry's user-tracking, ad-targeting economy was born, but now it's also where efforts to tame the industry keep sprouting.

Driving the news: Real estate developer Alastair Mactaggart and his organization Californians for Consumer Privacy, which led the drive for a state law in 2018, last week introduced a new privacy-focused ballot initiative for 2020 that would bolster the requirements of the state's current law.

  • The California Consumer Privacy Act (CCPA), passed in 2018 and set to go into effect Jan. 1, 2020, gives state residents the right to find out whatever personal information about them companies possess, to have them delete it, and to stop them from selling it.

The new ballot initiative goes further ...

  • establishing a data protection agency for the state to enforce new privacy laws and make new regulations.
  • creating a new class of "sensitive information" — data like social security numbers, precise location, and financial info — that firms could not sell without users opting in.
  • enacting a new right to correct inaccurate personal information stored by companies.

Flashback: The CCPA was written and passed hastily in 2018 as part of a deal with Mactaggart and his group to withdraw an earlier ballot initiative that had first spurred the push for a state-level privacy law in California.

  • Businesses have argued ever since that the law is full of loopholes and needs to be revised, but the California legislature defeated efforts to revamp the law.
  • The tech industry hoped that bipartisan efforts in Congress earlier this year would produce a less strict national privacy law that would take precedence over California's, but those efforts faltered.

Between the lines: Critics say big global companies that have already adapted to Europe's strict GDPR rules won't bat an eye at further privacy limits in California, while small firms and startups may find themselves hobbled.

  • CCPA only applies to companies with over $25 million in revenue, personal information on at least 50,000 people, or earning at least half their money by selling consumers' personal information.
  • The new initiative raises the bar to apply only to firms with information on 100,000 customers or households.

What's next: California initiatives need more than 600,000 signatures to qualify for the ballot.

  • If the new privacy initiative qualifies, it will get a yes or no decision from voters in 2020.
  • Successful initiatives are much harder to modify or amend than laws passed by the state legislature.

Go deeper: The future of privacy starts in California

Go deeper

The future of privacy starts in California

Illustration: Sarah Grillo/Axios

A landmark privacy law in California, which kicks in Jan. 1, will give Golden State residents the right to find out what a company knows about them and get it deleted — and to stop the company from selling it.

Why it matters: It could effectively become a national privacy law, since companies that are racing to comply with it may give these privileges to non-Californians, too.

Go deeperArrowSep 30, 2019

The best and worst states for online privacy

California, Delaware and Utah are the states that best protect users' online privacy in 2019, according to an annual ranking by privacy and cybersecurity research firm Comparitech.

Why it matters: States are taking the lead on online privacy protections in the U.S. as bipartisan efforts in Congress have yet to produce a federal privacy law.

Go deeperArrowOct 23, 2019

Nevada privacy law takes effect

California's pending European-style digital privacy law will likely be the most impactful in the country, but it won't be the first. Nevada's law takes effect Tuesday.

Why it matters: With no superseding federal law, we're at the start of, potentially, 50 different privacy laws covering each of the 50 states — all interacting, potentially conflicting, and affecting business and consumer peace of mind for years to come.

Go deeperArrowOct 1, 2019