Privacy advocates got a big win last year, pushing through a landmark law in California. Now, before the law even goes into effect, they are moving to make the statute tougher.
Californians for Consumer Privacy, the nonprofit group behind the privacy law, announced a plan on Tuesday to give Californians new data rights and place new obligations on companies. Most significant, the proposal would require California to establish a data protection agency with the power to enforce the law and issue new regulations.
The group’s leader said he wants to amend the law through a ballot initiative next year. In order to do so, the group will need to first collect the valid signatures of more than 620,000 registered voters in California.
“People are waking up to the fact that they’ve lost control of their information and are trying to take that control back,” said Alastair Mactaggart, the founder and board chair of Californians for Consumer Privacy.
The new privacy effort is likely to further inflame a debate over who should regulate the vast stores of personal details that tech giants have amassed on billions of people. The law passed last year, the California Consumer Privacy Act, will give consumers the right to see what personal information companies have compiled on them, delete that data and stop companies from selling it. It is scheduled to take effect next year.
But many tech companies and trade associations have urged Congress to pass weaker federal privacy legislation that would overrule state laws. Trade associations have argued that it is too onerous for companies to comply with dozens of different state privacy laws and that American consumers should all have the same protections.
“Internet companies stand ready with the broader business community to support unified, national privacy legislation,” Michael Beckerman, chief executive of the Internet Association, said last week in a statement. The group’s members include Amazon, Facebook, Google, Microsoft and Uber.
Mr. Mactaggart, a real estate developer, started Californians for Consumer Privacy to push for a comprehensive state privacy law. He and two colleagues — Rick Arney, a financial industry executive, and Mary Stone Ross, a lawyer who had worked for the Central Intelligence Agency — drafted a consumer privacy bill and introduced it as a ballot initiative. Ashkan Soltani, a privacy expert, worked on technical parts of the bill.
More than 629,000 Californians signed petitions, qualifying the privacy bill for the ballot. But because it is more difficult to change a law passed through the ballot initiative process than one passed by lawmakers, the California Legislature quickly enacted a version of the ballot bill.
Many tech companies and trade groups have been working to defang the California Consumer Privacy Act ever since. The statute is believed to be the most comprehensive state consumer privacy law in the United States.
But after a recent spate of data-mining failures at Facebook and other tech giants, Mr. Mactaggart argues that Californians need stronger rights to control the spread and use of their personal information.
He plans to file a new ballot initiative on Wednesday. Among other things, it would give Californians the right to opt out of having sensitive details — like their race, ethnicity, precise location, health and financial data — used in advertising or marketing.
It would also require companies that use algorithms to automatically make decisions about insurance and lending to explain their system’s reasoning to consumers.
California has long led the nation on consumer privacy. It was the first state to require companies to report data breaches, and to require companies to allow minors to delete their posts, tweets, photos and other material. In 1972, Californians voted to amend the state’s Constitution to add privacy to its list of inalienable rights like freedom of speech and freedom of religion.
Mr. Mactaggart said he hoped that California would also become the first state to establish an independent data privacy regulator.
“An independent watchdog whose mission is to protect consumer privacy should ensure that businesses and consumers are well-informed about their rights and obligations,” a draft of the proposed privacy ballot initiative says, “and should vigorously enforce the law against businesses that violate consumers’ privacy rights.”
But it wouldn’t be the first dedicated state consumer privacy office. In the early 2000s, California had a state agency, called the California Office of Privacy Protection. Now defunct, it developed industry standards for consumer data privacy and security practices. But the guidelines were nonbinding.