Silicon Valley operates in a regulatory Wild West. But with repeated and high-profile data breaches piling up, its days of unchecked authority might be numbered.

Because internet technology has developed faster than state and federal privacy laws, Silicon Valley companies have for years been in charge of how the data they collect from their customers is used. Anyone browsing the web, performing a search on Google, or logging into Facebook operates on blind faith that the companies behind the technology will protect their private data and use it appropriately.

But history has shown that faith-based system isn’t exactly working. Yahoo user data was breached in 2013, 2014, and 2016. There was a massive breach of sensitive Equifax data in 2017. And Facebook is currently embroiled in a scandal over how its user data was used by right-wing political consultancy Cambridge Analytica. Indeed, the US Federal Trade Commission (FTC) is reportedly investigating whether the social media giant violated an agreement over privacy it made in 2011.

California data protection law

That most recent case has reignited conversations about whether federal and state governments should exert more oversight over so-called Big Tech. The willingness to do so will first be tested in coming months in Silicon Valley’s backyard, as a piece of legislation makes its way through California’s state capitol in Sacramento. First introduced in February by assemblyman Marc Levine, the legislation seeks to establish a data protection authority that would be charged with regulating how big tech companies request and use Californians’ personal data. The regulated data would include people’s names, social security numbers, driver’s license numbers, financial account data, medical data, and email addresses, among other information.

“These are the wealthiest corporations since God created light.”

If passed by the legislature and signed into law by governor Jerry Brown, the authority would be an important and symbolic step toward reining in the power of technology companies. It would also be a bold signal by California to Washington that if federal lawmakers won’t step up to the challenge of monitoring giant technology companies, California will take matters into its own hands.

“Given that Facebook is in California and the questions about whether there’s enough regulation of internet giants, maybe this could be a big thing,” says Eric Goldman, the co-director of the High Tech Law Institute at the Santa Clara University School of Law.

The author of the bill certainly thinks so. Once a project manager for an open source encryption technology product, Levine switched gears in the mid-2000s and got into local politics. In 2012, he was elected to the California state legislature, where he represents communities in Marin and southern Sonoma. Now he’s readying to shepherd the idea of the California Data Protection Authority through the legislature.

“These are the wealthiest, most profitable corporations in all of world history, since God created light,” Levine says. “For lawmakers, or even consumers of social media, to be hoodwinked into thinking that these are geeky college kids in garages, wearing hoodies and jamming on their keyboards writing code, is absolute garbage. These are the richest special interests ever and we have to get a handle on this.”

Modeled on the EU

Levine’s bill (AB 2182) was loosely designed in the image of a new law in the European Union called General Data Protection Regulation. That law put into place constraints on how tech companies can use people’s data, backed by very high penalties for violators—up to 4% of global annual revenue or €20 million, whichever is higher. The proposed California authority would have the power to adopt regulations that would set data-privacy standards for the tech companies that operate just a few miles south of Levine’s district. Some of those include:

Creating a standardized online user agreement aimed at helping people clearly understand what permissions they are giving to a company regarding the use and dissemination of their personal information.

Establishing rules around how a person’s information will be removed from a company’s database if the person chooses to stop being a customer.

Adopting regulations to prohibit tech companies from conducting potentially harmful experiments on non-consenting users.

“I think this is important for where it may lead,” says Ari Waldman, the director of the New York Law School’s Innovation Center for Law and Technology. “It’s a baby step in the right direction. We undoubtedly need a data protection authority in this country above and beyond the FTC.”

“It’s a baby step in the right direction.”

If the regulatory authority is established in California, it’s conceivable that any rules it imposes could set data-privacy policy for the rest of the nation. That’s because it’s difficult for companies to quickly ascertain whether any one particular piece of data comes from California or someplace else. Therefore, in order to comply with California law, companies would likely have to adopt nationwide standards based on the actions of California regulators, Waldman says.

No enforcement powers

Still, the proposed law is imperfect. Even if the state establishes a regulatory authority to monitor data privacy, the wording of the bill is such that the agency would have no enforcement powers. Levine says he plans to speak to the governor to request money be set aside for his proposed authority—something in the “seven figure” range (he suggested about $7 million) to get it started, and then more down the line.

The Consumer Technology Association declined to comment for this story. A representative with the California Technology Council said his group had held several meetings to discuss the proposed legislation, but declined to offer further comment. Both groups represent the interests of technology companies.

It’s still early. The bill needs to be approved by at least one state assembly committee before it’s put up to vote. It has been referred to the committee on privacy and consumer protection but has yet to be formally debated.

“I think a lot of people, including lawmakers, are dazzled by the industry leaders of Big Tech,” Levine says. “If you’ve ever seen someone take a tour of the Googleplex or the Facebook office, it’s like it’s a Disneyland, a place of wonder. We need to dispel that in Sacramento.”