An address on a cable contract, the location of a cellphone, a store purchase or a simple Internet search for a vacation spot. All of that information about a consumer can be unknowingly collected and sold by businesses — at least for now.
A proposed ballot initiative aims to give Californians the power to find out what personal information a business has gathered about them and tell them to stop — an approach critics say could stifle commerce but privacy experts say doesn’t go far enough.
“The reality is most of us have a vast digital file being collected about us,” Alastair Mactaggart, a lead sponsor of the California Consumer Privacy Act of 2018, told Techwire in an interview this week.
“There’s a lot of risk for Californians,” he said.
At issue is how businesses — including Internet service providers, Google, Facebook and large brick-and-mortar corporations — use the information they collect about their customers. The information, which can be sold to third parties, is a valuable commodity and a tool for businesses that want to target products to someone’s preferences and needs.
It’s a broad and complicated issue of privacy rights that goes beyond just a person’s home address or Social Security number. It involves the collection of a vast amount of information used to create profiles, trends, demographics and other data sets.
And privacy — or the lack of it — gained the attention of lawmakers across the country after two very controversial moves last year in Washington, D.C. Last spring, Congress blocked what would have been landmark privacy rules on broadband companies, requiring them to get customer permission before they use or share that personal information. And then in December the Federal Communications Commission set aside so-called net neutrality rules that required ISPs to treat all data that travels over their networks equally.
“Given the anti-consumer antics that we have been seeing from Washington over this last year, action at the state level is all the more imperative,” Assemblyman Ed Chau, chair of the Assembly Privacy and Consumer Protection Committee, said in a statement to Techwire.
Chau, who has not yet taken a position on the ballot measure, tried last year to clamp down on ISPs and restore the FCC privacy rules, pushing legislation that would have banned them from using, sharing or selling any information that would be used to make a profit. His bill, AB 375, stalled after a successful lobbying effort by the cable and telecommunications industry.
He has said he wants to work with opponents to come up with a bill that provides “reasonable privacy protections” for broadband customers. And he plans to hold a hearing to examine the privacy ballot initiative if it gets enough signatures to qualify for the ballot.
Business and tech groups are gearing up to fight the ballot measure, but declined interviews this week to discuss their concerns. In an interview with the Los Angeles Times earlier this year, Allan Zaremberg, president of the California Chamber of Commerce, said California’s economy depends on data sharing.
In a statement to Techwire, Zaremberg said a committee had been formed to oppose the initiative. “We expect a well-funded campaign from a broad-based coalition,” Zaremberg said.
They have called their effort The Committee to Protect California Jobs.
The ballot measure is broader than Chau’s bill in the sense that it would impose privacy rules on all businesses, not just ISPs. But it’s narrower in the type of information it would regulate.
It would allow Californians to find out what personal information a business has collected, ask businesses to stop selling that information, and bans businesses from discriminating against customers who don’t want their information shared. It doesn’t address any data sets or profiles that might be created from personal information and sold to third parties as long as that information cannot reasonably identify a particular consumer or device.
Information that can be linked a single person, Mactaggart says, should be off limits. For example, under current law, a woman who has searched on the Internet about pregnancy information, for example, might not be hired by an employer who had access to her browsing history.
The ballot measure would also increase fines and penalties for companies that don’t follow the rules.
At the end of the day, the best way to protect consumers, says Ernesto Falcon, legislative counsel at the Electronic Frontier Foundation, is to simply ban the collection of information.
“The surest way to ensure sensitive information does not fall into the wrong hands is to not allow the collection of it,” Falcon said.