By: Thomas Gerhart

I always thought of the “Wild West” as a time period. I understood it to represent westward expansion during the mid-to-late 1800s. It evoked the idea of historical figures like Wyatt Earp, “Buffalo Bill” Cody, and Billy the Kid. Then, I watched the HBO series Deadwood, which highlighted lawlessness in unsettled territories and the opportunity for financial gain in the absence of law.

Despite Alaska’s nickname “The Last Frontier” and Star Trek’s claim that outer space is the “Final Frontier,” we do have a contemporary frontier. It is a place of lawlessness where, like in Deadwood, a person can make it rich­–the Internet.

On the Internet, businesses utilize new and creative ways to make money; and, just like in Deadwood, the absence of law provides an opportunity to attain great wealth. Streaming services, social media, and e-commerce all created avenues for Internet businesses to generate revenue with little regulation and, in some instances, without taxation.

One of the new ways that businesses generate revenue is by offering services for free. Facebook’s business model is to provide a free social media service to its users in exchange for personal information. Facebook then monetizes that information by selling it or using it for marketing. Facebook created a system that generates money by turning its users into human capital, essentially monetizing its users.

What is so bad about this practice? Well, the Facebook/Cambridge Analytica debacle became public knowledge in March of 2018. That data breach showed the world the tip of the iceberg when it comes to the ways that businesses use and sell consumer information. Couple that with the Equifax data breach in 2017, and there is a problem. People disclose information about themselves on the Internet, either voluntarily or as required to open an account, and businesses buy and sell that information while doing little to protect it.

This gets back to how the Internet is like the Wild West. First, there are no laws restricting what businesses may do with consumers’ personal information. Second, a business can be as secretive as it wants about its data collection practices. Yes, a business must publish its privacy policy on its website, but those policies are generally a bungle of legalese. Also, businesses can start collecting and selling information before giving their customers an opportunity to opt out. Third, there are no laws or incentives for a business to protect the information it collects.

The federal government has been silent on regulating Internet privacy, thereby giving the states the power to regulate it. California is one of only ten states that guarantees it citizens’ right to privacy in its constitution. Unfortunately, corresponding privacy laws never materialized. Enter California Assemblymember Marc Levine, who proposed AB 2182 as the first step toward regulating what businesses can do with Californians’ personal information. Levine is passionate about protecting Californians and wanted to tackle this issue. His bill had a lot of promise but, rather than develop it, other legislators defanged it. Before AB 2182 left the Assembly, legislators ensured that it would not challenge the tech industry’s power to use and abuse Californians’ personal information.

While AB 2182 was stuck in the Senate, Alastair Mactaggart and Rick Arney were finalizing three years’ worth of work to tackle this issue. They qualified a ballot measure that proposed privacy laws to protect Californians’ information. Within a few weeks of qualification, legislators reached out to Mactaggart essentially asking him what it would take to withdraw the measure. Mactaggart leveraged a pending deadline to get the Legislature enact every major provision of his ballot measure. The legislators went to work, but the first draft was a lackluster attempt with no regulatory authority. Mactaggart said that version was unacceptable. The next attempt was much better. Mactaggart withdrew his initiative shortly after Governor Brown signed AB 375 into law.

Taking effect on January 1, 2020, AB 375 forces transparency by requiring businesses to disclose their information-sharing practices prior to data collection. Businesses must give consumers the opportunity to opt out of data collection without recourse. Businesses can incentivize data collection, but they cannot discriminate against customers who exercise their “right to opt out.” AB 375 also has some retroactive applicability because Californians can contact a business and request that it delete their personal information. The business must comply with these requests, so long as it does not need the requested information as part of an ongoing business relationship. Finally, AB 375 permits Californians to file suit against businesses whose negligence results in the breach of non-encrypted or non-redacted information.

AB 375 encourages businesses to be more cautious with the data they collect, store, and sell. More importantly, it gives Californians control over their personal information. While AB 2182 is dead, AB 375 changes the landscape of the Internet in California from a lawless frontier to a regulated environment that protects Californians.

To learn more about AB 2182 and AB 375, listen to my interview on “In Session,” a podcast from the University of the Pacific Law Review.