June 28 Update: It's official, California signed into law June 28, 2018 Bill AB-375, giving its citizens far-reaching privacy rights! More to come, I'm sure.

***********

Original piece - June 27, 3018:

On Tuesday, June 25, 2018, the California State Legislature voted to send Bill AB-375, the California Consumer Privacy Act 2018, from the State’s Senate Judiciary Committee to the State’s Senate Appropriations Committee. The bill will be put to a full Assembly and Senate vote tomorrow, June 27, 2018. If it passes, the bill will be sent to Gov. Jerry Brown's office to be signed and put into law, effective 2020.

This law, even the proposal of the law, is a big deal. It is the first of its kind in the U.S to get through this far in the process of becoming law (if anyone knows differently, please add an update to the comments - the historian in me would love the input). It includes many of the consumer rights recently enacted into law in the last month by the European Community, see GDPR, and takes some of them a step. If the law passes, businesses will be required to adhere to a number of new consumer rights.

As defined by the bill, a business

• is a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity,
• has revenues in excess of $25M
• or, has access to personal information of 50,000 or more consumers, households, or device,
• or, derives 50 percent or more of its annual revenues from selling consumers’ personal information

Personal information is defined as information that relates to any data that can be associated with an individual, or household, including identifiers, descriptive categories, protected characteristics, or commercial records; the definition does not include publicly available information. What I find interesting here is the inclusion of households within the scope of the personal information definition. I suspect this will be new to others as well, as most definitions of personal information only take the individual into account.

In today’s version of the bill, which will undoubtedly be edited, if the bill becomes law, California residents will have the right to,

• a copy of all the personal information that a business has on them
• a report of all the categories and sources of personal information collected on them
• an explanation of the business purposes for which their information is being collected, used, and/or sold
• a report of the categories of 3rd party companies with which their information has been shared with or sold to
• have their personal information deleted, barring some legitimate use carveouts; they can also maintain the expectation that the business would pass along their deletion request to 3rd party companies that received or bought their information
• have their information removed from any sale, and to not fear discrimination or reprisal (this is referred to as the "right to opt-out")
• receive financial incentives for the collection and exchange of their personal information

I find this last point particularly important, as it is validating the concept that has been forming for decades now that personal information is a valuable asset owned by the individual, and that individuals should be compensated when it is used.

But there is more. The bill states “A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.” In other words, personal information may be taking on luxury good status, which I've talked about before.

Now, the devil will be in the details. The bill still needs to pass, be signed, edited, and time to pass before it can take effect. But, even if it does not pass this time, I’m sure that one day it, or something similar, will.

Other state initiatives,

• New York State, 2 Nov '17, proposed the SHIELD Act – Stop Hacks and Improve Electronic Data Security Act – a bill that would heighten data security requirements for companies and better protect New York residents from data breaches of their personal information.
• Washington State, 27 JUN '18, announced it will launch a Privacy Check list to help government groups understand and manage privacy related issues
• Other states proposing new laws following the 2016 role back of the FCC ISP regulations geared to protect consumer personal include Connecticut, Illinois, Kansas, Maryland, Massachusetts, Minnesota, Montana, and Wisconsin.

It is important that none of us sit idle with events, like the development of this bill. Why? Because, when the 5th largest economy in the world takes action, it is essential that we all pay attention, as this action will not just have local, but global ramifications.