The EFF points out that California's Consumer Privacy Act won't become law for 18 months, and that advocates have that amount of time to lobby for improvements to it. I agree completely with their list of suggestions:
- The Act allows businesses to charge a higher price to users who exercise their privacy rights.
- The Act does not provide users the power to bring violators to court, with the exception of a narrow set of businesses if there are data breaches.
- For data collection, the Act does not require user consent.
- For data sale, while the Act does require user consent, adults have only opt-out rights, and not more-protective opt-in rights.
- The Act’s right-to-know should be more granular, extending not just to general categories of sources and recipients of personal data, but also to the specific sources and recipients. Also, the right-to-know should be tailored to avoid news gathering.
Much of the above squares directly with the EU's GDPR legislation, which itself has a number of faults--but it seems most complaints about GDPR focus on the ways in which it will necessarily inject a lot of uncertainty into the operation of online businesses. I don't think many people can look at a list like the one above and tell you with a straight face that there is anything wrong with any of these ideas.
Though it is flawed, the California law remains a very heartening reflection of the fact that people seem to be waking up--slowly but surely--to the idea that it is worth it for all of us to care about individual privacy. While it would obviously be better if the cowardly turds inside the U.S. Capitol building wanted to do something about these issues, I'll take a flawed approach from Sacramento--for now--as a sign that other jurisdictions will also step up to the plate.