As federal data privacy legislation languishes, the California Consumer Privacy Act—set to go into effect January 1, 2020—is garnering increased attention around the U.S.
Politico reports that the law will require any company that does business in California, regardless of its physical presence in the state, to reveal what personal information they have collected about a California resident upon request. Californians will have the ability to ask business or data brokers to stop selling that information, and to delete it.
Additionally, companies will have to see advanced permission from parents or guardians of Californians under the age of 16 to sell their personal information.
With four weeks left in the legislation session—and having already spent hundreds of thousands of dollars to influence legislation—“trade associations representing Facebook, Google and a host of other corporations are expected to unleash their lobbying firepower to secure exemptions, if not a delay, when lawmakers return to Sacramento on Monday,” said the publication.
Attempts to make changes to the legislation have faltered, including a business-friendly bill that would narrow the definition of “personal information” that was blocked by the state senate judiciary committee and a bill that would create broad exceptions that was withdrawn. Bills that remain in play include CA AB25(19R), which would allow business to authenticate the identities of consumers making information requests.
Attorney Kristen Matthews, whose firm Morrison & Foerster is advising clients on the law, noted that that the law could have a reach much further than California, pointing out that some companies might find it impractical—or simple bad looks—to deny privacy requests from customers in other states. And other state legislatures may also be inspired to take similar steps.
At the federal level “lawmakers from both parties say they have not given up on a national standard, despite disagreements.”