Last summer, after years of inaction on consumer privacy by the federal government and slipshod privacy protection by big businesses collecting personal data, the California Legislature took matters into its own hands.
The California Consumer Privacy Act, signed by Gov. Jerry Brown in June, is a landmark achievement by any standard.
According to a legislative outline, the measure gives consumers important rights concerning the collection of their personal information by a business — “the right to delete it, the right to know what personal information is collected, the right to know whether and what personal information is being sold or disclosed, the right to stop a business from selling their information, and the right to equal service and price” regardless of whether consumers grant the business access to their personal data.
That’s a lot of power getting shifted from mega-businesses such as Facebook and Google back into consumers’ hands. The law, which goes into effect Jan. 1, 2020, also covers information collected by banks, insurance companies, auto dealers and supermarkets (via their loyalty programs.)
So you shouldn’t find it shocking that business has begun to take steps to roll back parts of the law. The effort began in earnest a couple of months ago, with the introduction in Sacramento of a passel of bills corresponding to the wish list of the California Chamber of Commerce and other business lobbies. They’re fighting not only the CCPA as enacted, but measures also introduced this year to strengthen the privacy law by giving consumers more power over their data and expanding their right to bring lawsuits against wrongdoing firms.
Consumer advocates vow to protect the law. “The idea that we would water down landmark legislation is not OK, and we expect the Legislature to stand up and say ‘No’ to any real erosion,” James Steyer, CEO of Common Sense Media, a content-rating service for parents and a major backer of the CCPA, told me.
What probably concerns industry the most is that the CCPA is a legal initiative taken by a single state, albeit the biggest in the nation. That raises the specter of as many as 50 or 51 partially incompatible privacy statutes for businesses to comply with. It’s not “fair” for some states’ residents to have rights others don’t, as Roslyn Layton of the pro-business American Enterprise Institute told Congress in February — better to have a single common federal standard.
Of course, what industry fears is not state-level regulation as such, but strict regulation. Its lobbyists know that any privacy law that could get through Congress would be vastly weaker than California’s; if the concern were merely too many state laws, then the lobbyists could advocate making the CCPA a model act and encourage other states to adopt it.
California’s auto emissions rules have become the standard for a dozen states encompassing about 40% of the U.S. auto market, because its rules are comprehensive and aggressive. Now, the state has taken it upon itself to fill the vacuum in consumer privacy regulation, and what’s wrong with that?
In Sacramento, the cage match over privacy between business and consumers kicks off on Tuesday, when the Assembly Committee on Privacy and Consumer Protection — chaired by Assemblyman Ed Chau (D-Monterey Park), sponsor of the CCPA — considers 10 follow-on bills, including four that would strengthen or expand the privacy act and five that would carve out exemptions for some businesses or otherwise narrow the law.
It’s proper to acknowledge that some tweaks to the law are warranted. As my colleagues John Myers and Jazmine Ulloa reported, the measure was drafted and enacted on a tight deadline in order to head off a voter initiative that had qualified for the November 2018 ballot. So it bristles with ambiguities and other shortcomings that “make it unenforceable and lead to unintended consequences for consumers,” as Sarah Boot, a policy expert at the California Chamber, asserts.
Within about a week of the law’s enactment, the chamber and 39 other business lobbies submitted a 20-page list of proposed fixes. “We’ve been very careful about what we’ve asked for,” Boot says. “We’re not trying to roll any rights back.”
Yet privacy advocates, while conceding that some cleanup is warranted, say many of the chamber’s recommendations “go too far,” in the words of Adam Schwartz of the Electronic Frontier Foundation. Some would lead to exemptions that would “create a society of privacy haves and privacy have-nots,” he says. (The foundation and 19 other consumer groups submitted their own chapter-and-verse objections to the chamber’s wish list.)
Let’s look at some of the specific battlegrounds.
One is the question of who holds the initiative in controlling personal information. This is the difference between an “opt-out” model, in which businesses can collect and sell your personal information unless you tell them not to, and “opt-in,” in which they have to get your explicit permission first.
The shortcomings of opt-out are obvious — this is the system prevailing today, in which consumers signing up for digital services typically are offered a term sheet of thousands of words and the requirement that they agree to all terms, including the sale of their data, to use the service.
The CCPA preserves the opt-out model except for consumers younger than 16, who must opt in to the trading or sharing of their personal information (parents or guardians can opt in for consumers younger than 13). But it requires online businesses to provide consumers with an opt-out button to click on, and generally bars them from refusing to serve consumers or charging them extra just because they’ve refused to allow the trading of their information.
A cleanup bill sponsored by Assemblywoman Buffy Wicks (D-Oakland) would convert all arrangements for the sale or sharing of personal information to the opt-in model. (The bill is on Tuesday’s committee agenda.) That’s the right approach; Facebook, Google and their cousins shouldn’t be allowed to assume they can sell your personal data by default.
Another battleground is targeted advertising. These are the online ads that pollute your internet screen by pushing products or services at you based on your web surfing history. You know how it works — check out bicycles online, and you’ll be seeing ads for bicycles until the end of recorded time.
The privacy law could be interpreted as covering the data used for ad targeting, which would be subject to the opt-out rule. A pro-business measure introduced by Sen. Henry Stern (D-Los Angeles) would exempt targeted advertising from the CCPA.
Bad move. Targeted advertising is a major source of pollution of the online experience. Don’t believe those polls claiming it’s beloved by consumers; the polls generally are sponsored by the advertising industry. The technology underlying ad targeting is “very damaging to privacy,” Schwartz says, because it uses personal data to steer ads to consumers without their explicit permission. Target advertising also is the driver of the business model that incentivizes firms such as Facebook to scoop up your personal information, so it can be sold to, yes, advertisers. At the very least, it should be subject to opt-in rules, or preferably banned.
Then there’s the question of enforcement of the CCPA. The act awards that responsibility chiefly to the state attorney general, although individual consumers could sue companies that left their personal data vulnerable to a security breach. A bill introduced by Sen. Hannah-Beth Jackson (D-Santa Barbara) would also allow consumers to sue any business that violated their rights under the CCPA. Wicks’ measure, meanwhile, would extend enforcement rights to district attorneys and city attorneys.
Businesses object to those provisions on the grounds they would produce a blizzard of litigation and confused interpretations of the law. “The law needs one regulator,” Boot says.
Atty. Gen. Xavier Becerra disagrees, as it happens. He’s the sponsor of Jackson’s bill.
Becerra says that saddling his office alone with the task of interpreting and enforcing the CCPA would impose “serious workability and operational challenges” on his office. In a legislative statement supporting consumers’ right to sue, he added, “There is something unfair about giving California’s consumers new rights but denying them the ability to protect themselves if those rights are violated.”
One scare tactic the business community is using against the law is the claim that it will become, as Boot asserts, a burden to “businesses of all sizes,” even “a pizzeria down the street.” Many might have to pay for legal and technical advice about their obligations under the law.
Is that plausible? The law applies to businesses with $25 million in annual sales, or access to the personal information of at least 50,000 consumers or devices per year. That would mean 137 new and unique customers every day, weekends included, which sounds like a ton of new patrons for a neighborhood pizzeria.
The fact is that the CCPA is aimed chiefly at big online companies engaged in snarfing up your personal data and selling or trading it for profit. Facebook has become, well, the face of the attack on personal privacy, for good reason: It’s been impervious to the consequences of its cavalier, profit-driven approach to its users’ data (and even to data regarding people who aren’t its direct users).
That’s because effective data privacy laws haven’t existed at any level of government, until now. This is a complicated field with “a lot of moving pieces,” says Justin Brookman, director of consumer privacy at Consumer Reports.