California passes nation's first statewide consumer privacy law

The state of California has passed a sweeping law that gives its 39 million residents more control over and insight into how companies use their personal data.

A similar measure that gathered enough signatures to qualify for a statewide ballot was withdrawn after Democratic Gov. Jerry Brown signed the bill into law on Thursday. Though consumer privacy advocates applauded the bill’s passage, banks, technology companies and other business groups had opposed it as burdensome.

“California consumers should be able to exercise control over their personal information and should have reasonable certainty that there are safeguards in place to protect against misuse of their personal information,” Assembly member Ed Chau, a Democrat, said at a press conference after the governor signed the bill. “It is also possible for businesses both to respect consumers’ privacy and provide a high level of transparency to their business practices.”

The law gives Californians the right to know all the data that companies collect on them and for what purpose, to refuse the sale of their personal information, and to delete their data. It also mandates an opt-in for children under 16. Additionally, the legislation makes it easier for consumers to sue after a data breach.

David Paul Morris/Bloomberg

The law goes into effect in January of 2020. The first of its kind in the nation, the proposal had drawn comparisons to the European Union’s General Data Protection Regulation for regulating the use of consumer data.

“This is a monumental achievement for consumers, with California leading the way in creating unprecedented consumer protections for the rest of the nation,” Alastair Mactaggart, chairman of Californians for Consumer Privacy, said in a press release.

The group had gathered enough signatures to send a similar proposal to a statewide ballot in November. Under California law, the vote can be avoided if the legislature passes a law supported by the group that wrote the ballot measure.

The legislation passed on Thursday does not apply to information banks may collect under the 1999 Gramm-Leach-Bliley act when provisions of the two laws conflict. Banks that do business in California will have to either create a separate process for handling information about their customers who live in the state, or apply the California standards nationwide.

Tom McMorrow, a partner at Manatt, Phelps & Phillips’ government and regulatory practice, said in a statement that he hoped lawmakers would ultimately strike a balance between consumer privacy and economic interests before the law goes into effect.

“The legislature clearly appreciates that ‘consumer privacy’ must be protected, but the bill authors also understand that California and the nation’s sharing economy has been built on the collection and sharing of personal information, frequently with express consumer permission,” McMorrow said.