News outlets — from Bloomberg to the New York Times — recently revealed the extent to which Internet of Things devices like Amazon’s Alexa or Google Home are, indeed, recording, storing and sometimes selling your conversations to third parties.
Now a new California bill would prohibit those devices and their manufacturers from such practices without consumer permission.
The Anti-Eavesdropping Act was introduced in February by Assemblyman Jordan Cunningham, R-San Luis Obispo, and would make it illegal for companies to store or sell that data without a written request by a consumer. Companies found violating these rules would be subject to a civil fine of up to $2,500 per connected device — a statute enforceable by the state’s attorney general.
The bill, which passed the Assembly’s Privacy and Consumer Protection Committee Tuesday, serves as one component of a larger package of legislation — the Your Data Your Way initiative — that seeks to augment the recently passed California Consumer Privacy Act (CCPA) by providing additional consumer protections. It is also one of the first of its kind to target the largely nebulous practice of data collection by smart devices.
“The genesis of it really was my wife buying a bunch of Amazon Alexas for our home,” said Cunningham, in an interview with Government Technology. At first, the Assemblyman said, the devices were great: they told the weather, acted as an alarm clock, played music, and helped put the kids to bed with ambient noises.
But the family’s enthusiasm soured after news broke that the devices were recording and storing conversations within the home. Not long afterward, it became apparent that not only were the devices listening, but so were thousands of human employees and contractors hired by Amazon to transcribe device recordings.
“I just believe in the fundamental right of privacy,” Cunningham said. “Privacy is a right in the California penal code. It prohibits eavesdropping and criminalizes unconsented recording of a private conversation ... if you’re going to have a baseline of privacy the interest is that it peaks when it comes to the home — and these devices are in our homes.”
Cunningham said he also felt companies had a responsibility to their consumers to give them power over their data.
“I think that the company should have to disclose what it’s doing with respect to recording people’s most intimate and private conversations and get opt-in consent if it’s going to be storing and retaining those recordings. I think that’s something most constituents want,” he said.
The bill has inspired resistance from industry groups — many of which showed up to voice their dissent at Tuesday’s committee hearing.
“This bill is unnecessary and its requirements remain confusing,” wrote a cadre of groups at the hearing. Those groups included Microsoft subsidiary TechNet, the California Chamber of Commerce, and the Internet Association, a large lobbyist group originally established by the likes of Google, Facebook, and Amazon.
The groups argued that necessary legal protections already exist against the kinds of privacy infringements the bill purports to solve.
Cunningham’s bill had support, however, from the nonprofit California Civil Liberties Advocacy (CCLA).
“We’re getting concerned as much about corporate spying as we are about government spying,” said Matty Hyatt, a legislative advocate with CCLA. Given the frequency with which private companies share consumer data with law enforcement agencies, those two things are increasingly one and the same, he added.
“There’s been about 100 million Amazon smart speaker devices that have been sold since the beginning of this year and there’s only about 330 million people in the United States so it’s not hard to see that this is becoming ubiquitous,” Hyatt said.
Cunningham said that his bill would hopefully give consumers more control over their data.
“I want to give the consumer the choice. Right now, the choice is made for you,” he said. “Even if you trust these companies, once something is digitized it can be replicated countless times. It can be sold, it can be shared, it can be given to a different third-party entity that mines it for marketing data or whatever.”
