The move by California came after large breaches in recent years at companies including Target and Equifax.
California will soon have what experts call the nation’s most far-reaching law to give consumers more control over their personal data under a bill the governor signed Thursday.
The law will compel companies to tell customers upon request what personal data they’ve collected, why it was collected and what categories of third parties have received it.
The new law will take effect Jan. 1, 2020, and lawmakers say they will likely make alterations to improve the policy before then.
Consumers will also be able to ask companies to delete their information and refrain from selling it.
It’s similar to data privacy regulation in the European Union, which also aims to give consumers control over use of their data.
The California bill signed by Gov. Jerry Brown will apply only to California consumers. However, internet users in other states will likely see changes, said Cynthia Larose, a cybersecurity expert at the law firm Mintz Levin.
“It’s going to be impractical for companies to maintain two separate sets of privacy protections — one for California and one for everyone else,” she said.
The move by California came after large breaches in recent years at companies including Target and Equifax. Facebook also has faced intense scrutiny amid revelations that Republican-linked consulting firm Cambridge Analytica collected data from millions of Facebook users without their knowledge.
The bill by Assemblyman Ed Chau, an Arcadia Democrat, gives companies the ability to offer discounts to customers who allow their data to be sold and charge those who opt out a reasonable amount based on how much the company makes selling the information.
It also bars companies from selling data from children younger than 16 without consent.
“We in California are taking a leadership position with this bill,” said Sen. Bob Hertzberg, a Van Nuys Democrat who co-authored the bill. “I think this will serve as an inspiration across the country.”
Brown signed the measure just hours after lawmakers passed it with no dissenting votes in a last-minute scramble to convince San Francisco real estate developer Alastair Mactaggart to remove a similar initiative from consideration for the November ballot ahead of a Thursday deadline.
Mactaggart spent $3 million on the related initiative but withdrew it shortly after the law was signed.
Voter-enacted initiatives are much harder to alter than laws passed through the legislative process.
Given the significance and complexity of the issue, supporters and even many opponents said they wanted legislators to pass the bill instead of allowing the initiative to move forward so lawmakers can more easily change it in the future.
Lawmakers suggested the bill will need amendments.
Republican Assemblyman Jay Obernolte of Hesperia said he thinks the parts of the bill allowing people to sue companies over data breaches are too broad.
Although the bill is aimed at regulating internet and tech companies, some opponents say it could have unintended consequences on other industries.
A lobbyist for the newspaper industry, for example, said he worried the bill could harm news reporting by allowing subjects of negative investigative stories to prevent publication. Lawmakers said that’s not the bill’s intent.
TechNet, a technology lobbying group, urged lawmakers to improve the law before it takes effect “so it provides meaningful privacy protections for Californians while also allowing all the benefits and opportunities consumers expect from US technology to continue.”
“Policymakers around the country looking at what California has done on this issue should understand that the California Legislature’s work is far from finished and that this law remains a work in progress,” the group said in a statement.