By Zach Drucker
Here at sf.citi, we make it a point to keep our finger on the pulse of policy issues affecting our member base of San Francisco tech companies. While buzz of consumer privacy has spread to all corners of the United States, its relevance remains particularly acute in San Francisco, the tech capital of the world. The fact is technology has fundamentally changed our understanding of privacy, with people leaving digital footprints about their interests, political leanings, and overall personal identity each time they browse the internet. This became even more apparent following massive data breaches at Target and Equifax, and Mark Zuckerberg’s testimonial about Cambridge Analytica before Congress.
As world leaders navigate the conversation on privacy, we at sf.citi thought it best to start closer to home in California, which has already begun shaping privacy precedents for our members and tech companies well beyond our city’s borders.
GDPR California Style
Today’s consumers are given the choice of providing personal information in exchange for free access to services—a phenomenon that led the European Union to develop the General Data Protection Regulation (GDPR). GDPR is a set of regulations intended to protect consumer data.
Following the footsteps of our counterparts in Europe, you might assume that creating a data privacy framework should be handled by the federal government. That assumption would be correct, sort of. A few attempts to push forward legislation around consumer data privacy were considered by Congress, but none have come to fruition yet. So where else would an issue of this magnitude be brought up? California, the state that carries the saying, “as goes California, so goes the nation.”
Home to Silicon Valley, the world’s fifth largest economy, and nearly 40 million people, California is an ideal location to implement a policy that pushes the boundaries. With that in mind and looking towards the November election, advocates for digital privacy put forward a statewide ballot initiative, the California Consumer Privacy Act, empowering voters to decide how best to regulate online consumer data. The measure received a lot of attention, and eventually prompted lawmakers in Sacramento to strike a deal that led to AB 375.
What is AB 375?
AB 375 gives consumers the right to request that businesses disclose what personal data they are collecting, as well as the right to request that businesses don’t sell any of their data. The measure was signed into law in record time, prompting the ballot sponsors to withdraw their effort for the November election. By crafting the law through the legislative process, lawmakers can make future improvements to the measure with relative ease, whereas a ballot initiative can only be amended through additional statewide voting — think Prop 13.
Even though AB 375 does not have as much bite as the proposed ballot initiative or GDPR, the bill still achieves the goal of establishing laws around consumer data. AB 375 was even deemed “GDPR lite,” as it requires consumers to opt-out of having their data sold rather than GDPR’s requirement to have consumers opt-in to their data being sold. In the bill, legislators set three main objectives:
- Consumers have the right to ask companies to disclose the categories of information they collect, as well as the kinds of third parties that buy it.
- Consumers have the right to request deletion of personal information upon receipt of a verified request.
- Companies must provide an opportunity for consumers to opt-out from having their data sold. Only for those under the age of 16 will companies need to gain consent before selling their data.
AB 375 will go into effect on January 1, 2020, giving companies a year and a half to comply with the law. This might be easier said than done. In its hasty construction under a tight deadline, AB 375 still leaves a lot to be desired. Parts of the bill are left unclear and vague. How will the law be enforced? What does the process to request information from companies look like? What companies fall under the guidelines of the bill? With many questions still to be answered, both the private sector and consumer watchdog groups will try to influence decisions on these issues and more.
How does AB 375 shape future data privacy legislation?
Overall, the passage of AB 375 accelerated discussion on consumer privacy data in United States – a conversation that is not going anywhere soon. In the race to be the first to put their stamp on the data privacy issue, San Francisco is not far behind. Supervisor Aaron Peskin has a proposed charter amendment for the November ballot in the works, to implement the city’s own rules around data privacy. Now we are left to consider the following question: how do we navigate a growing patchwork of privacy laws across cities, states, and countries, while still remaining a competitive capital of innovation?