Earlier this year, we wrote about CalECPA (official name: SB 178), a bill in the state of California that would improve privacy protections for Internet users by requiring due process to ask for online communications data and metadata. This bill has been passed by the California legislature, and is now on its way to the Governor to be signed into law.
In some circumstances, we’d declare victory at this point. But other electronic privacy bills have advanced very far in the California political processes before, only to fail. So it’s not over yet. Fortunately, the scale of support for the legislation in this version is greater than it has ever been, both inside and outside government. We’re hopeful it can succeed this time.
It is important that it passes. California privacy law needs to catch up with other countries and other U.S. states (including Texas, Maine, and Utah). Federal law in the U.S. needs to follow suit. In too many areas, the United States is still applying privacy law written decades ago, long before smartphones were introduced, even before the ubiquity of personal computing devices at any scale. Old law doesn’t always equate to bad law. We rely on a fundamental document, the Constitution, that measures its age in the centuries, after all. In this case however, old privacy laws aren’t protecting Internet users adequately. Today’s old privacy laws weren’t written in a way that adapts well to evolving technology. CalECPA improves on this significantly.
Mozilla Manifesto principle #4 reads, “Individuals’ security and privacy on the Internet are fundamental and must not be treated as optional.” To us, this begins with our technologies. Our privacy principles emphasize limited data, transparency, and meaningful user control, informing and guiding how we engineer all of our products and services.
Legal safeguards, such as the changes proposed in CalECPA, are essential as a complement to good technical practices. Governments want access to the data that businesses collect, store, and use. But when there are no or insufficient protections on what information they can ask for, transparency, accountability, user control, and privacy all suffer.
We saw significant progress on surveillance reform earlier this year through the passage of USA FREEDOM – but we have a very, very long way to go. Adopting CalECPA into law would not only have tangible benefits for Internet users, with impact felt far beyond the state of California. It would also help sustain momentum and contribute to future victories on surveillance reform.