California has passed a consumer privacy law that will compel significant changes on companies that deal in personal data. Silicon Valley internet companies, tech companies, and many other stakeholders were involved in the negotiation preceding the passage of AB 375, which will take effect 2020 Q1. While it solely applies to California residents, it is thought to have broader implications.
The law establishes a number of new rights around personal data including the right to be informed about the type of personal data that has been collected and why. California consumers may now request their personal data be deleted, opt out of the sale of their personal information and access their personal data in order to transfer to other parties without hindrance.
Of particular note is the broad definition of personal data including geolocations, biometric data, psychometric data, internet browsing history and more.
Enforcement of the law will be by the state’s attorney general, though consumers will maintain a private right of action should companies fail to maintain reasonable security practices resulting in unauthorized access to the personal data. Data breaches fall under different, narrower rules.
The new ruling will likely impact businesses that advertise on digital platforms, meaning that highly targeted advertising could become less precise.
Most major companies have some Californian customers. Such companies will need to reform their data infrastructures to comply with California’s law, or institute a network that treats Californians’ data differently than everyone else’s—a more expensive option likely to irritate non-Californians given fewer options regarding their data. This topic was also discussed within Mark Zuckerberg’s congressional testimony in regard to Facebook’s compliance with new European regulations.