How are laws passed in California

This California law could fundamentally change the relationship between technology companies and consumers

With a data protection law passed in a very short time, the "Golden State" has set clear limits to data collection on the Internet. The American technology companies had tried everything to prevent such a law.

The most populous American state, California, passed a new data protection law last week that could fundamentally change the relationship between technology companies and consumers. The nearly 40 million citizens of California will in future be able to ask companies to find out what personal data is collected about them, what it is used for and whether it is reselling or sharing it with third parties. In addition, consumers can oblige companies not to sell or share their information anymore or to delete it completely.

Effects for all industries

The new law protects minors even more: parents must first give their consent before a website or smartphone application aimed at children can collect their user data. As part of the data scandal on Facebook, a broad social discussion had flared up in the USA in recent months about how children and young people need to be particularly protected on the Internet.

In addition, the new law also creates the basis for customers to sue a company if it does not adequately protect their data from cyber criminals. This provision is a response to data thefts that have become prominent, such as those of the retailer Target or the credit reporting agency Equifax, where the credit card and social security details of millions of Americans were stolen.

According to observers, the law is not quite as far-reaching as the new European data protection law, which came into force at the end of May. In the US, however, it is the most restrictive yet, both at the state and state levels. The new set of rules has major implications for technology companies such as Google, Facebook or Twitter, who offer their services free of charge and, in return, collect and evaluate their users' data and allow third parties to use them. But it is likely to affect countless other industries as well, because almost every company active on the Internet these days collects data about their customers.

The California News Publishers Association said the law was so vague that it could be used by a researcher to prevent an article from appearing online. Other critics say the law will spark a flurry of lawsuits.

More than 600,000 signatures

At a speed that is hardly known from legislators, the bill was whipped through both chambers of parliament within six days. Without a single dissenting vote, it passed the upper and lower houses on Thursday and landed on Governor Jerry Brown's desk, who signed it on the same day. There are good reasons for this sprint: On the same day, a deadline expired until which referendums can be withdrawn, on which California voters are to vote on November 6th. In the past few months, the initiators of the referendum had collected 629,000 signatures from Californians for such a referendum. After the latest data protection scandals, especially on Facebook, citizens were apparently no longer willing to wait until the legislature would take action. Critics keep claiming that Sacramento is firmly in the hands of Silicon Valley.

The presentation of the referendum was similar to the law that has now been passed, but it is more difficult to make changes to a set of rules adopted by referendum than to one initiated by parliament. The authors of the referendum had announced that it would withdraw if Governor Brown signed a new data protection law by the deadline.

The new law still has some weaknesses and ambiguities, even one of the authors admitted. But it helps to promote data protection for consumers and positions California “at the forefront” on this topic.

Protests by tech companies

However, the law is not due to come into force until January 1, 2020 - plenty of time for the big technology companies to do everything they can to relax the current set of rules. With a view to the referendum that was actually planned for November, they had already hit a heavy heap: Tech giants such as Amazon, Uber, Google and Microsoft, as well as leading telecommunications providers, each have tens of thousands, sometimes hundreds of thousands of dollars to the specially created, boldly named “Committee to Protect Californian Jobs »Donated that railed against the original. Facebook was initially also one of the donors, but had distanced itself from the committee in the wake of the Cambridge Analytica scandal.

It is noteworthy that the technology companies and their lobbyists failed to get a single MP to speak out against the new law. In their home port of California, of all places, the tech companies now have to deal with restrictive data protection guidelines. Perhaps they simply did not expect that a parliament would for once put a law in motion within days.