In June, privacy advocates celebrated the passage of a historic bill in California that gave residents of that state unprecedented control over how companies use their data. Two months later, the party’s over.
Lobbying groups and trade associations, including several representing the tech industry, immediately started pushing for a litany of deep changes that they say would make the law easier to implement before it goes into effect in January 2020. But privacy advocates worry that pressure from powerful businesses could end up gutting the law completely.
“This is their job: to try to make this thing absolutely meaningless. Our job is to say no,” says Alastair MacTaggart, chair of the group Californians for Consumer Privacy, which sponsored a ballot initiative that would have circumvented the legislature and put the California Consumer Privacy Act to a vote in November. Big Tech and other industries lobbied fiercely against the initiative. In June, MacTaggart withdrew it once the bill, known as AB 375, passed.
At the most basic level, the law allows California residents to see what data companies collect on them, request that it be deleted, know what companies their data has been sold to, and direct businesses to stop selling that information to third parties. But the task of shaping the specifics is now in the hands of lawmakers—and the special interests they cater to.
“The new sheriffs showed up and drew a gun. Then they put it down and walked away,” Kevin Baker, legislative director of the American Civil Liberties Union in California, says, referring to MacTaggart’s initiative. “Now that they’ve done that, and the initiative threat has gone away, we’re back to politics as usual.”
With just three days left in the legislative session, California lawmakers are scrambling to vote on a new bill, called SB-1121. The original bill had been hastily written and passed in an effort to keep MacTaggart’s initiative off the ballot. The original goal of SB-1121 was to deal with typos and other small, technical errors, with the hope of introducing more substantive changes in further legislation next year. But over the last few weeks, groups like the Chamber of Commerce and the Internet Association, which represents companies like Google and Facebook, have pushed for significant alterations, even as the tech industry works to develop a federal privacy bill that would, if passed, override California’s law.
“The lack of precise and clear definitions in this legislation will make compliance difficult for companies looking to do the right thing,” Robert Callahan, vice president of state government affairs at the Internet Association, said in a statement. “This could lead to serious and costly consequences for internet businesses in California, which contribute 11.5 percent to the state’s overall GDP, as well as every other sector of the economy.”
In early August, a coalition of nearly 40 organizations, ranging from the banking industry to the film industry to the tech industry’s leading lobbying groups, sent a 20-page letter to the lawmakers behind SB-1121, effectively a wish list of changes. While the suggestions weren’t ultimately included in the draft that legislators will vote on this week, they’re a clear sign of the battle in store for 2019.
‘If these changes are permitted, a business could offer incentives that are unjust or unreasonable.’
Mary Stone Ross, Privacy Advocate
Among the most significant proposed changes was a reframing of who the law considers a “consumer.” The bill as written applies to all California residents, a provision that industry groups wrote would be “unworkable and have numerous unintended consequences.” Instead, trade groups wanted the law only to apply to people whose data was collected because they made a purchase from a business, or used that business’s service. They also proposed making it so that only businesses had the right to identify people as consumers, and not the other way around.
Such a change might seem small, but it would substantially narrow the law’s scope, says Mary Stone Ross, who helped draft the ballot initiative as the former president of Californians for Consumer Privacy. “This is significant because it [would] not apply to information that a business does not obtain directly from the consumer,” Ross says, like data sold by data brokers or other third parties.
Another major change sought to tweak disclosure requirements. Whereas the original bill requires companies to share specific pieces of data, the industry groups prefer to draw the line at “categories of personal information.”
There are other, subtler suggested changes, too, that Ross says would have sweeping implications. The law includes language that would prevent a business from discriminating against people by, say, charging them inordinate fees if they opt out of data collection. But prohibiting blanket discrimination is too broad for the business groups, who want to add a caveat specifying that they may not “unreasonably” discriminate. In another section, which discusses offering consumers incentives for the sale of their data, the industry groups also proposed striking the words “unjust” and “unreasonable” from a line that reads, “A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.”
“If these changes are permitted, a business could offer incentives that are unjust or unreasonable,” Ross says. Weakening these non-discrimination provisions, she says, could “turn privacy into a commodity that will disproportionately burden the poor.”
On Tuesday night, during an Assembly hearing on the bill, the final sticking point, particularly for the tech giants, was the law’s handling of data collected for the purposes of advertising. While the law prohibits users from opting out of advertising altogether, it does allow them to opt out of the sale of their personal information to a third party. But the industry wanted to create an exception for information that’s sold for the purposes of targeted advertising, where the users’ identities aren’t disclosed to that third party. Privacy groups including the ACLU and EFF vehemently opposed the proposal, as did MacTaggart. They argued that such a carve-out would create too big a loophole for businesses and undermine consumers’ right to truly know everything businesses had collected on them.
“I was surprised they were this blatant, this early,” MacTaggart says. “I expected this attack in 2019, but not in August 2018, two months after we passed the bill in the first place. “
As of Tuesday night, the industry groups failed to get that amendment into the bill. But MacTaggart and others expect to fight this battle all over again next year.
Room for Improvement
It’s not that the privacy bill is perfect. The ACLU, for one, criticized the bill’s exclusion of a provision in the ballot initiative that would have given people the right to sue companies for violating their data privacy rights. It instead leaves enforcement up to the Attorney General, except in the case of a data breach. In turn, attorney general Xavier Becerra proposed his own list of changes to the law in a letter last week, including the restoration of people’s ability to sue.
As the bill was being finalized, all sides did agree to some tweaks, like clarifying language that would protect data collected through clinical trials and other health-related information. Another change ensures that information collected by journalists remains safeguarded. And while the Attorney General didn’t get everything he asked for, the legislature did agree to provide his office with an additional six months to implement enforcement regulations.
The Electronic Frontier Foundation also concedes the law needs more substantive work. The organization wants to change the bill so that consumers would be able to opt into data collection, rather than opt out. The EFF also wants to ensure the law applies not just to businesses that buy and sell data, but data they share freely, sometimes at no cost to either party. That’s how some app developers were able to gain access to tons of Facebook user’s friends’ data for years.
‘I was surprised they were this blatant, this early.’
Alastair MacTaggart, Californians for Consumer Privacy
And yet Lee Tien, senior staff attorney at the EFF, says the business groups’ hamfisted efforts to jam so many changes through in a matter of months is counterproductive. “There will be battles over the definition of consumer and personal information, and we’re prepared to talk seriously about those definitions,” he says. “But that can’t happen in any kind of responsible, grown-up way, in a short period of time.”
For now, all sides at least agree that SB-1121 is effectively a stopgap. The fact that big businesses didn’t get their way this time hardly signals a resounding victory for privacy. Next year’s legislative session will likely see new bills with even more serious changes proposed by influential industries. “They’ve got another chance to succeed, and they’ll be back for sure,” Baker says.
“One of the reasons why AB 375 passed unanimously is everyone knew there’d be a cleanup bill, and they had plenty of time to lobby to get their changes through,” adds Ross, who opposed pulling the ballot initiative in June.
Some engaged citizen, of course, could always mount another bid for a ballot initiative, but with the 2018 deadline already passed, that couldn’t happen until at least 2020, and it would take millions more dollars to put up another fight. That’s left activists like Ross and MacTaggart relatively powerless in the very battle they began.
“I can talk to people and wave my arms around,” MacTaggart says. “But the day I signed to give up the petition, I’m like Cinderella back in a pumpkin.”