The business community’s campaign to reduce California’s landmark privacy law to a shadow continues apace, with what privacy advocates call the biggest threat due for a committee hearing this week.
The measure is Assembly Bill 1416, which is scheduled to be heard Tuesday by the chamber’s Privacy and Consumer Protection Committee. The privacy community views the bill as a classic wolf in sheep’s clothing — it claims to address what might be a reasonable issue with the California Consumer Privacy Act (CCPA) but does so in a way that opens a loophole so large the privacy might as well not exist.
“It’s a massive land grab,” says Alastair MacTaggart, the privacy activist who proposed a ballot initiative to protect consumer rights, and settled for ensuring passage of the CCPA last year.
We reported recently on the all-out effort by business interests to undermine the CCPA. This specific case exemplifies the business community’s overreaching.
Who’s behind 1416? Its sponsor is Assemblyman Ken Cooley (D-Rancho Cordova), but its guiding force is a coalition encompassing the California Chamber of Commerce and a coalition of big internet companies, wireless providers and banks — in other words, businesses that have a distinct interest in being able to vacuum up consumers’ private information and sell it without limits.
The problem ostensibly addressed by the bill is that the CCPA’s restrictions on businesses’ ability to collect, warehouse and sell their customers’ or users’ personal data interferes with the businesses’ ability to provide that data legitimately to government agencies.
The chamber and its partners offer a parade of horribles if the CCPA’s limits stand. Government activities that would be hampered, they say, include assessing placement options for foster children with family members, collecting overdue child support payments from absconding parents, locating abducted children promptly and verifying the rights of public pension claimants.
“AB 1416 will ensure that these important government programs can continue,” the Chamber of Commerce says.
Cooley echoes that concern. “We have all these laws that impose on government,” he told me. “We’re supposed to go after deadbeat dads, do studies of the welfare of children in the foster care system. We have this long-established body of law that lays duties on all levels of government that presumes that they will have access to information.”
There are a few problems with this viewpoint. One is that the CCPA already accommodates many of these interactions between businesses and government agencies. “There’s already language in the law for sharing [data] with law enforcement,” observes Justin Brookman of Consumer Reports.
Indeed, the CCPA specifically exempts from its restrictions businesses’ rights and duties to “comply with federal, state, or local laws,” with “a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons” and cases of cooperation with law enforcement agencies concerning conduct by others that may be illegal.
But 1416 would go much, much further. It would exempt business data collections to comply not only with laws, but with “any rules or regulations.” As an Assembly committee analysis points out, that could include company rules and regulations, allowing a company to exempt itself from the CCPA. “Such an outcome is untenable,” the committee analyst wrote.
The bill also would exempt businesses from the data limitation in order to “exercise, defend, or protect against legal claims,” or to protect against fraud or hacking, or to assist “another person or government agency” to conduct any of those activities.
Nothing in that language limits the exemption to making possible data exchanges between businesses and government entities to assist with legitimate governmental programs or services.
“This provision is so unfathomably broad that a company could do anything it wants,” Brookman told me. “There’s no guardrailing at all.”
Cooley says he’s open to amending his law along the lines proposed by the committee analysis. That would mean narrowing the exemptions so they explicitly apply to providing a consumer’s personal data to a government agency solely for the agency’s legitimate needs. The business would be prohibited from selling to anyone else the data collected or held for those purposes.
But Cooley says that he wants a four-year sunset for those changes, which means that by 2024 the restrictions would again be open for debate — and for loosening under lobbying pressure by the chamber and its partners. That sounds like Cooley is willing to go only partway to fixing his bill, the need for which is questionable anyway.