Last week, California passed an Internet privacy law that is far ahead of what other states and the federal government mandate. Online companies that collect personal information about users will be required to tell them what they do with the data, and with whom they share it.
The companies will also have to let consumers see what information has been collected about them, and consumers can demand that it be deleted. They can also tell companies not to share the data with anybody else. And Californians will have the right to sue companies for breaking the rules.
The law is enforceable only in the Golden State. But don’t forget the “California effect,” first noted by University of California business professor David Vogel. When the nation’s most populous state cracked down on automotive air pollution, carmakers started making all of their vehicles run cleaner. It’s cheaper than making one version for California, and another for everybody else.
In the same way, there’s a chance the California standard will become the baseline for Internet privacy when the law takes effect on Jan. 1, 2020. So even if the federal government does nothing, we will, in effect, have a national privacy standard by then.
Either way, it probably won’t matter to the biggest Internet companies, which make billions of dollars capturing and monetizing our data. They barely objected to the new law, saying it was much better than a proposed ballot initiative with even tougher proposed mandates. The California Legislature’s has knocked that plan off the ballot and gives Big Tech time to try to get the new standards watered down.
But even if California’s law takes effect as is, the Internet giants can live with the outcome. They have the money for the complex bureaucracy necessary to follow the law. Not so for your typical startup, however, which might be bankrupted by the cost.
“You can call it a consumer-protection law . . . but it’s a business-destroying law, as well,” said Ryan Hagemann, senior director for policy at the Niskanen Center, a pro-free market think tank in Washington.
Hagemann cites news reports from Europe, which last month began enforcing tougher privacy standards. Some small companies have said they’re shutting down because they can’t afford to meet the new standards.
No doubt about it, new companies will find it harder to become global titans by monetizing people’s private data. People like Andrew Carnegie got rich by building industrial empires that also had filthy, smoke-belching steel mills. That doesn’t mean we allow everyone else to do the same. Perhaps strong privacy regulations will prevent the rise of “the next Facebook,” but is that a bad thing?
Maybe new regulations will result in fewer companies hitting me up for sensitive data. But I’d rather have one or two huge companies tracking me than 20 or 30 smaller ones. There are fewer opportunities for data breaches that way, and it’s easier to sue when something goes wrong.
Besides, the California law has some features that should cushion the blow for small businesses. For instance, it exempts companies with annual gross revenue below $25 million, or those that have personal information on fewer than 50,000 people. Internet companies that stay small can violate our privacy as much as they like.
And that will be fine with most people. I used to think we’d all get fed up by the constant tracking, but public reaction to privacy violations at Facebook has made me a total cynic. Sure, lots of folks complained about it. But hardly any of us stopped using Facebook, myself included. We like it too much.
If a company offers us a suitably attractive service in exchange for our personal data, most of us will hand it over without a qualm — privacy law or no privacy law.
I’m glad that California made its move, because it will provide valuable protection for people who really care about privacy. There must be three or four of them out there, somewhere.