California Wants to Govern Bots and Police User Privacy on Social Media

The proposed legislation will hold social media and Internet companies accountable for user privacy, and force them to stop the spread of misinformation by bots.

by / February 23, 2018

A California legislator has introduced legislation that will force social media sites to protect users from bots and create a state privacy agency to regulate and protect consumers’ online information. The activity in Sacramento comes at a time of heightened urgency around these issues, including special counsel Robert Mueller's recent indictment of 13 Russians and three Russian companies for their use of bots on social media to diminish voter turnout in the 2016 presidential election.

“We saw the harm that this unregulated space could cause to citizens, and we decided to do something,” said Rep. Marc Levine, D-District 10. “There is just too much profit to be made off of real humans and bots,” he said.

A social media bot or chatterbot is a computer program that engages with users’ conversation via text. The programs are designed to simulate how a human would behave in a discussion and are frequently mistaken for real people. Some 15 percent of the total users on Twitter that were active during the 2016 U.S. presidential election were bots. At least 400,000 thousand bots were responsible for about 3.8 million tweets, roughly 19 percent of the total volume during election season, according to Recode.

To stop the bots, Levine introduced AB 1950 in January, a bill that would require social media sites to identify and verify all social media advertising purchases to be linked to verifiable humans. “AB 1950 will regulate bots and prevent the spread of misinformation,” he said.

According to Levine, the tech industry is unable to regulate itself. “These things are not difficult to verify; the software they have written is not magic,” he said. “This is merely a work effort to add more lines of code. I am sure they can verify this stuff.”

In addition to Levine’s bill on bots, the legislator has also introduced a placeholder bill (SB 2182) designed to protect users from social media companies taking ownership of a user’s social media material; and other vital data that is held by companies.

The bill would create the California Data Protection Authority and oversee Californians’ personal data on the Internet. The legislation was inspired by the European Union’s General Data Protection Regulation (GDPR), which goes into effect in late March.

The GDPR forces companies to erase a user’s identity upon request. It also requires that social media companies explicitly state what users agree to when they sign a consent to participate in the social media platform. The rule also addresses data breaches. In the case of a breach, the GDPR calls for users to be notified within 72 hours when personal and sensitive information has been released, and it also allows for an independent authority to monitor complaints and violation of the rule. The independent regulator could charge and fine those companies that have violated the law.

Levine says there is a significant number of questions that need to be answered by regulation. The federal government has failed to act on the issues of privacy and the issue of ownership needs to be clarified, he said. “The federal government has been useless and powerless. California has a role to play and can be a model for federal law.”

According to Levine, key questions must be answered: “Who owns your data? Once you decide to leave Facebook, do you still want your information to continue (in perpetuity)?"

He points to the Equifax data breach that exposed more than 140 million Americans to identity theft and the hacking of, which affected 3 billion email accounts containing passwords and birthdates. These companies were unable to inform their clients of the piracy in a timely fashion.

Facebook also gave academic researchers access to the home pages of some 689,000 users to conduct a study. Researchers manipulated users posts to make them feel more positive or negative through a process of "emotional contagion.” 

The bill would create an agency or privacy czar that would oversee the actions of Internet companies and hold them responsible for data breaches and other actions. “I think it is important to have a regulatory agency that holds these companies and their actions accountable.”

He said he purposely wrote the bill in an open-ended way so that fellow lawmakers and regulation experts could have input on the final product. “This bill will go through many committee hearings; it will change.”

With both bills, Levine hopes to engage the industry early in the process of crafting the laws. “This is a consumer protection measure, and we want to engage these companies and get their input.” 

The very open-endedness of the current bills has made it difficult for lobbying groups to develop positions. Two groups that one would expect to oppose these bills include the Computing Technology Industry Association (CompTIA), an advocate for the $1.5 trillion U.S. information technology ecosystem, and the California Chamber of Commerce. Both say they have not taken a position on either bill yet. 

So far, he has seen lobbyists from trade groups within the sector but has not had contact directly with Facebook or “I want to engage with social media companies to make sure this law works,” he said. “I would welcome heartier engagement.”

Elizabeth Zima Staff Writer

Elizabeth Zima has written in depth on topics including health care, clinical science, physician relations and hospital communications.