“People will recognize who’s supposed to be protecting them because right now, [it’s] no one — there’s nobody,” said California Attorney General Xavier Becerra (D), whose role overseeing the new law will make him one of the country’s top privacy enforcers.
But the law won’t take effect until next year, creating an opening for lobbying groups representing Facebook, Google and other businesses beyond Silicon Valley to tinker with its guts. The delay has left local policymakers and privacy watchdogs fearful that their signature accomplishment might not remain intact.
Some organizations, including the tech-backed Internet Association and the California Chamber of Commerce, known as CalChamber, are arguing in favor of tweaks that consumer groups contend would limit who the law covers, and how it would work. At a listening session in Sacramento this week, industry leaders said the privacy rules aren’t workable in their current form.
California’s race to regulate the tech industry stands in stark contrast to the federal government, where lawmakers long have failed to adopt a national privacy law of their own — even as scandals at Facebook, Google and other tech giants have infuriated Web users and drawn international scorn.
Europe, in contrast, began enforcing privacy rules last year that carry sky-high fines for companies that mishandle users’ data. Many tech giants have complied with Europe’s General Data Protection Regulation by overhauling their privacy practices globally, as opposed to offering different versions of their apps, sites and services depending on the regulations in place.
California’s law could similarly evolve into a de facto national standard. A ballot measure that was about to be teed up for voters in November forced local lawmakers, privacy advocates and business leaders to the table to negotiate the legislation, resulting in lightning-fast adoption in June of one of the country’s most critical consumer-protection laws.
The California privacy law “is the floor, not the ceiling,” said Jim Steyer, the founder of Common Sense Media, a nonprofit organization that has advocated privacy rules nationwide.
Other states this year have sprung to action in a bid to follow California’s lead. Lawmakers in New Mexico have put forward a bill that largely copies Sacramento. In Massachusetts, members of the legislature unveiled a proposal that would allow consumers to sue if their privacy is violated. Washington state Sen. Reuven Carlyle (D) wrote a measure that borrows from Europe’s approach.
“I don’t think there's a state legislature in the country that doesn’t want comprehensive, sweeping legislation they craft to become a national model,” Carlyle said.
To stop the spread of piecemeal state regulation, Facebook, Google and other tech companies have set their sights on the District of Columbia. They have called for a federal privacy law, but with a price: They are urging Congress to effectively invalidate the privacy protections adopted in California and under consideration by its peers. In September, the Internet Association said it supported “preempting state consumer privacy and data security laws” so the rules are “consistent” nationwide.
But the hasty adoption of California’s 24-page privacy law has left many issues unresolved. Some provisions, for example, say both consumers and households can request access to their data — a seemingly minor discrepancy that could open the door for privacy pitfalls, such as roommates or family members seeing information they should not be able to access. Both sides of the fight have called on California’s legislature to take a closer look.
In the process, though, the debate over revisions has been viewed with deep suspicion by privacy advocates, who believe it is a guise to erode California’s strong protections. They have pointed to proposals previously backed by CalChamber, the Internet Association and an array of other groups that would tweak what qualifies as personal information, and what consumers would be able to see, as efforts to limit the protections afforded web users.
Last year, CalChamber helped spearhead a $2.2 million coalition that tried to scuttle the ballot initiative that predated the state’s privacy law, local ethics records show. Initially, Facebook and Google donated to that campaign, though Facebook later withdrew support. Since then, CalChamber has spent more than $1.6 million in lobbying, including attempts to revise California’s rules, according to the reports. The Internet Association, which also counts Amazon, Twitter and Uber as members, spent about $200,000 on lobbying since the law was adopted last year.
“There's going to be a fight here to weaken it,” said Mary Stone Ross, who helped organize the original ballot initiative. “You name the companies and their trade associations, and there’s no way [advocates] can hold a candle to that.”
Tech leaders strongly reject the notion they’re trying to scuttle the law. Robert Callahan, the vice president for state government affairs at the Internet Association, said this week the “Internet industry is actively working to strengthen” it. At Facebook, Will Castleberry, who oversees state and local policy, said, “We support the California Consumer Privacy Act and are looking forward to the law going into effect next year.” Google declined to comment.
Privacy advocates, including Common Sense Media and the Electronic Frontier Foundation, are pushing back, seeking tougher protections before the law comes into effect. EFF, for example, wants to grant consumers the ability to sue companies directly if their data has been misused — an idea that Becerra this week said he supported. Privacy watchdogs further aim to limit what companies do with data they amass, even if it’s not sold.
“People are steadily more anxious and mistrustful of what companies are doing with their data,” said Adam Schwartz, a senior staff attorney at EFF.
The fault lines were apparent in Sacramento on Tuesday, when aides to the attorney general convened a listening session to hear out the lobbyists and lawyers who hope to shape California’s landmark privacy statute. The decisions that Becerra’s team makes could expand or narrow the personal information protected by new privacy rights, for example, or affect which consumers can access that data.
Boot, CalChamber’s top privacy aide, took the podium early in the three-hour session, warning that California’s “rushed process has resulted in a confusing and complicated law that presents serious privacy concerns.”
Consumer advocates, who spoke sparingly, acknowledged some tweaks are necessary. But Justin Brookman, the director of consumer privacy and technology at Consumer Reports, lamented the lobbying barrage. “We’ve heard a lot of efforts in this room to shrink the scope of CCPA beyond what was intended by the drafters,” he said.
Amid the flood of lawyers that addressed a packed auditorium on the grounds of the capitol was Louise Mehler. A 71-year old former state employee, Mehler expressed alarm that she couldn’t keep track of her data online. She turned to the government officials sitting onstage and began with a plea. “We need help; we need it from you,” she said. “Please remember all of us out there who don’t know what’s going on.”
The architects of California’s law said they are open to changes but plan to stand firm on their toughest-in-the-nation privacy protections. “I’m sure industry as a whole wants to water down our law,” said assembly member Ed Chau, whose first privacy law, governing drones, hangs on a wall in his Sacramento office. “We want to preserve what we have created.”
Last week, Chau led colleagues on a trip to Washington, where he urged federal policymakers, including House Speaker Nancy Pelosi, a fellow Democrat from California, to hold the line as well.
“I think members of Congress know that this could become the third rail,” Becerra said in reaction to the lobbying blitz. “Be careful what you touch, be careful what you do, because you may get away with something for a while — but if the voters and consumers find out what you did, you might find yourself in trouble.”