The Washington PostDemocracy Dies in Darkness

California adopted the country’s first major consumer privacy law. Now, Silicon Valley is trying to rewrite it.

Privacy advocates say the industry lobbying push — weeks before the legislature adjourns — threatens to undermine Web users’ rights

A page on Facebook has been sharing videos encouraging people to spare online advertisers from adhering to some of California’s new privacy rules. (Jenny Kane/AP)

SACRAMENTO — For the past two months, residents here in California’s capital have been inundated by mysterious ads on Facebook and Twitter, warning that the government is about to destroy the Internet as they know it.

“The FREE websites and apps you use every day could start costing you,” announced one such ad on Twitter.

“Using the internet shouldn’t hurt your wallet,” began another that predicted browsing the Web could someday seem like paying at the pump for gasoline.

Little did viewers know, though, that the ads came from a lobbying organization representing the very social media sites they were using. They appeared to target mostly people located in or around the state’s capital. And they reflected just how hard Facebook, Google and other tech giants in Silicon Valley have tried to muscle changes into the country’s first-ever consumer privacy law before its protections take effect in January.

‘There’s going to be a fight here to weaken it’: Inside the lobbying war over California’s landmark privacy law

Adopted last year, the California Consumer Privacy Act (CCPA) grants Web users the right to see the personal information that companies collect about them and stop it from being sold. The law applies only to residents of the Golden State, but its backers hope it might someday spur regulators around the country to follow suit — and force the tech giants to change their practices nationwide.

“We will have in place the first consumer privacy act in the country,” said Sen. Hannah-Beth Jackson, a top Democrat in the state legislature.

But powerful business organizations — representing retailers, marketers and tech giants — have responded by seeking sweeping revisions to the law before it goes into effect. So far, they haven’t been successful in a campaign that privacy advocates deride as an attempt to weaken consumers’ rights. But they haven’t relented, either, with only two weeks remaining to California’s legislative calendar.

The lobbying barrage even has involved their own websites: A page on Facebook and an account on Twitter called Keep the Internet Free began sharing videos this summer encouraging people to spare online advertisers from adhering to some of California’s new privacy rules.

One set of ads — running on Twitter beginning mid-August — has been seen already by about 184,000 people, all located in Sacramento, according to Twitter’s ad archive. Only by navigating to the website for Keep the Internet Free are its origins revealed: A line at the bottom of the site says it’s the “project of the Internet Association,” a trade group for Facebook, Google, Microsoft and Twitter.

“I don’t think anything we supported weakened the law at all,” said Kevin McKinley, the director of government affairs in California for the Internet Association. Rather, he said, the goal had been to make it “easier for businesses to understand."

Facebook declined to comment, and Google did not respond to requests for comment.

Privacy advocates always anticipated such a fight given the unlikely — and messy — circumstances that produced California’s novel digital protections in the first place. State legislators adopted the CCPA at lightning speed in 2018, under an agreement that was meant to stave off an even more aggressive ballot initiative.

In doing so, Golden State leaders had accomplished in a matter of days what has eluded their federal counterparts for more than a decade, even in the face of massive privacy scandals at tech giants including Facebook and Google.

U.S. government issues stunning rebuke, historic $5 billion fine against Facebook for repeated privacy violations

But California’s haste also resulted in a law riddled with drafting errors and unresolved issues over what kind of information it covers and how consumers could stop the sale of their data. The holes left tech companies, privacy advocates and lawmakers in a rare alignment that they had to update the law this year — a process that opened the door to another round of legislative wrangling.

On one side were consumer groups including the American Civil Liberties Union, Common Sense Media and the Electronic Frontier Foundation, which sought to strengthen California’s rules. They aimed to limit the ways companies like Facebook or Google could tap and monetize it for their own purposes, something the CCPA doesn’t really restrict now. Privacy advocates further sought to give consumers the rare power to sue companies in the event that their personal information was mishandled, an idea backed by California’s attorney general, Xavier Beccera, who will become the CCPA’s chief enforcer when the law goes into effect.

But their efforts to toughen the CCPA soon faltered. Lawmakers weren’t sold on empowering privacy lawsuits, and advocates faced a barrage of opposition from well-funded business lobbyists, who argued the proposals would hamstring the Internet and expose companies to unnecessary legal risk. A robust bill to strengthen the privacy act never came to the legislature for a vote.

Organizations like the Internet Association and the California Chamber of Commerce — representing a broad swath of Silicon Valley and other industries — mounted their own offensive. They turned out in force for a critical Senate hearing this July, where lobbyists stepped up to a microphone and expressed support for tweaks that would have limited what qualifies as personal information under the CCPA.

At the moment, California’s rules grant consumers the right to opt out of the sale of data that’s linked directly to them or that someday could be linked to them. By trying to narrow what qualifies as personal information, however, the tech industry essentially would have been restricting how and when consumers can invoke their rights under the state’s privacy law.

Testifying at the hearing, Sarah Boot, who oversees privacy work at the California Chamber of Commerce, said the changes wouldn’t strip people of their new privacy protections. “This is not workable,” she said of the law as written. (The organization did not respond to a request for comment.)

But Jackson, who oversees the chamber’s Judiciary Committee, responded in frustration. Seated at the head of the dais, she ripped into the proposal as an attempt by the industry to take data and “sell it and use it any way they want,” undermining California’s intent. Privacy groups, including the ACLU, sided with her, and Jackson led her colleagues in blocking the measure’s advance.

I found your data. It’s for sale.

With the legislature slated to adjourn by mid-September, lawmakers in the California Assembly and Senate instead are expected to consider more broadly supported technical fixes, including a proposal that would ensure the state’s new privacy rules don’t upend shopping and travel loyalty programs.

“There were attempts to weaken the law to some extent, and we held the line as much as possible,” said Ed Chau, a top Democratic assemblyman who helped write the CCPA, during an interview in his office in the Capitol.

But there remains a lingering fear that high-powered tech lobbyists could make a final, successful push with last-minute, late-night amendments changing — and potentially weakening — the law.

The Internet Association, for example, has continued to push legislators to make what it has called an “ads fix.” With its business peers, the group has sought more legal latitude around ads targeting people based on their shopping habits or Web history, arguing those ads are tied to a specific device or web browser, not an identifiable person. The change would exempt much of the ad industry’s pervasive online tracking from California’s rules requiring companies to obtain consumers’ permission when their data is sold, according to privacy advocates who oppose such an exemption.

The Internet Association has spent nearly $176,000 lobbying on the matter and other issues over the past three months, according to state ethics records, the most it has ever spent in a single three-month period in Sacramento. Online, its Keep the Internet Free campaign calls on visitors to sign a petition arguing that California’s consumer privacy law was “never intended to prohibit the use of tailored online ads,” a major source of revenue for most free-to-use sites.

McKinley, the group’s top lobbyist in California, said tech giants, online publications, Web retailers and others rely on the exchange of this information to make ads work, which they don’t see as a sale. “We have pushed from last year to this year,” he said, and “we’re going to continue to seek clarification.”

The lobbying barrage increasingly has worried supporters of the law, who hoped California’s position — as the nation’s most populous state and the home of the tech sector — would provide the leverage to compel tech giants to provide the benefits of the CCPA nationwide. Many say the fight to preserve their work is only just beginning, expressing alarm that the tech industry’s efforts won’t subside at the end of 2019.

“You can’t underestimate the power of the tech industry,” Jackson warned.

Dig Deeper: Personal tech + Privacy

Want to learn about how to keep your personal information private? Check out our curated list of stories below.

Get smart about stopping spam calls

Americans receive more than 5.2 billion automated calls in a month. But there are new apps to help stem the deluge.

Understanding what your phone tracks for marketers

As tech columnist Geoffrey Fowler slept, a dozen marketing companies used his iPhone to learn his number, email, location and IP address.

Say no to your default privacy settings

Changing privacy default settings means you’ll get less personalization from some services, but it can slow down the number of eerie on-the-nose ads driven by data siphoned by major companies.