In two votes Thursday, the state's Senate and Assembly both passed the bill unanimously, and Gov. Jerry Brown signed it within a matter of hours. The rush to pass the bill comes courtesy of an even stricter voter initiative that would've appeared on California ballots this November if lawmakers hadn't gotten the bill through by 5 p.m. PT Thursday. Thursday is the state's deadline for withdrawing a ballot measure for the November election.
Privacy advocates cheered the new law. Marc Rotenberg, executive director of the Electronic Privacy Information Center, said the law means privacy could become an issue that impacts the upcoming midterm elections.
"This is a milestone moment for privacy law in the United States," Rotenberg said in a statement. "The California Privacy Act sends a powerful message that people care about privacy and that lawmakers will act."Sounds great doesn't it? Two days ago, I'd have been cheering, too. But that was then, and this is now, and Exactis happened in between.
The Achilles' heel of California's new law is that people need to know when companies are collecting their data, in order to be able to tell them to stop. That might deal with the likes of Facebook, but most of the people affected by Exactis' data breach had no idea that the company even existed, and no way to know that they were building shadow profiles of as many as 60% of people living in the U.S. Yes, it sends a message; unfortunately, that message is that U.S. lawmakers still don't fully comprehend the scope and severity of the problem.
Lawmakers, both in California and elsewhere, should make the practice of shadow profiling into a criminal offence, with significant penalties for those found to be building such profiles anyway, and additional penalties for failing to secure databases of peoples' personal and financial information. Stop putting the onus on consumers to police this, and make it the responsibility of the companies in question to stop invading peoples' privacy and weakening the security of their data.