The Digest: California Cracks Down on the Companies Harvesting Your Data

It allows consumers to opt-out if companies sell their data.

PROTECTING CALIFORNIANS. Soon, Californians will have a lot more control over their online data. On Thursday, California Governor Jerry Brown signed into law the California Consumer Privacy Act of 2018, an online privacy law that restricts large tech companies' use of California consumers' data. When the law goes into effect in 2020, it will require tech companies with annual gross revenues more than $25 million to disclose which categories of data they collect on California consumers. They'll also have to disclose any third-parties they let access that information.

Californians will be able to opt-out of having their data sold, and companies will not be able to penalize them— by limiting their use of the service, for example — for choosing to do so. Users under 16 will need to opt-in to having their data sold. The law also grants California’s attorney general the power to fine companies that don't do enough to protect consumers' personal information from cyber attacks.

SETTING A PRECEDENT. In the wake of Facebook's Cambridge Analytica scandal, consumer privacy is getting a lot more attention, even though U.S. legislators have not yet done much to regulate the industry. California's Consumer Privacy Act is largely considered one of the nation's toughest laws on data privacy, if not the toughest law, and it could inspire other states or Congress to take similar action. “I think it’s going to set the standard across the country that legislatures... will look to adopt in their own states,” state Sen. Bob Hertzberg (D) told The Washington Post.

The tech industry is, perhaps unsurprisingly, not all that happy that the law has passed. Robert Callahan, vice president of state government affairs for the Internet Association, a group that represents the interests of Facebook, Google, and other tech companies, claimed in a statement that the law will have "inevitable, negative policy and compliance ramifications" for both California consumers and business.

TOO MUCH COMPROMISE? Still, the tech industry must certainly prefer this law to the far tougher ballot measure that was set to go before voters in November. That measure, drafted by San Francisco real estate developer Alastair Mactaggart, would have given consumers the ability to sue companies for up to $3,000 for each data breach. The law that passed this week limits that figure to $750.

As Mactaggart agreed in advance, he withdrew his measure now that this law his passed. He also said in a statement he was "thrilled" about its passage, calling it "a monumental achievement for consumers."

Still, a law is far easier to amend than a passed ballot measure. That means the version of the California Consumer Privacy Act of 2018 that goes into effect in 2020 might not be the same one signed into law on Thursday. Only time will tell whether the final version benefits consumers or the tech industry.

READ MORE: California Just Passed One of the Toughest Data Privacy Laws in the Country [The Verge]