Google and its industry allies are making a late bid to water down a groundbreaking California data-privacy law, seeking to carve out exemptions for digital advertising, according to documents obtained by Bloomberg and people familiar with the negotiations.
A lobbyist for Google recently distributed proposed new language to state lawmakers that would amend the California Consumer Privacy Act, or CCPA, the first major data-privacy law in the U.S., which was passed in August 2018. As currently drafted, the law limits how Google and other companies collect and make money from user data online, threatening a business model that generates billions of dollars in ad revenue. It’s due to kick in next year and there are only a few more days to amend the law.
The lobbying push seeks legislative approval to continue collecting user data for targeted advertising, and in some cases, the right to do so even if users opt out, according to the documents and the people familiar with the negotiations. They asked not to be identified discussing private activities and to keep the lobbyist’s name confidential.
It’s unclear if the language circulating in the state Capitol’s corridors was drafted by Google, and other lobbyists are probably asking for similar changes. Industry groups, such as the California Chamber of Commerce and the Internet Assn., often help write legislation and have been the face of the tech industry during two years of debate over the CCPA. It’s also common for interested parties to suggest late changes to bills.
“This is a jailbreak,” said state Sen. Hannah-Beth Jackson (D-Santa Barbara). “This blows up the entire purpose of the CCPA, which is for people to know when their information is being used and to give them the right to opt out.”
A spokesman for Alphabet Inc.’s Google said the company has “long supported privacy legislation that protects consumers’ data and encourages innovation.”
“The CCPA will impose new obligations on thousands of small and large businesses, and it is critical that its requirements are clearly defined,” he added in a statement. “We are encouraged that California legislators have been considering clarifications to the law in recent months.”
One proposal shared by the lobbyist, who distributed the revised language in recent weeks, would let Google and others use data collected from websites for their own analysis, and then share it with other companies that may find it useful. This includes companies that are not involved with the websites that collected the data. Currently, the CCPA prohibits the sale or distribution of user data if the user has opted out, with limited exceptions.
Another change would loosen the definition of “business purpose” when it comes to selling or distributing user data. The law currently defines this narrowly and has a list of specific activities, such as auditing and security, that will be allowed. Google’s lobbyist shared new language that significantly broadens the rule by replacing the phrase “Business purposes are” with “Business purposes include,” before the list of approved activities.
The proposal may also create a loophole for companies when users request access to their own data or ask for their information to be deleted.
The Google representative has yet to find a lawmaker to sponsor the amendments, according to people familiar with negotiations. The proposal must be in a bill by Sept. 10 to be eligible for lawmakers to vote on it before they adjourn for the year Sept. 13.
The CCPA is set to become the first data-privacy law in the U.S., once it takes effect in 2020. It’s part of a broader crackdown on internet companies, which have become hugely profitable by offering services to other companies backed by targeted ads and mountains of data. The industry is trying to rewrite the law, while running critical ads in Sacramento, the Washington Post reported Tuesday.
Google works hard to protect user data and the company has applauded some privacy legislation in recent years. Chief Executive Sundar Pichai told Congress in December that data privacy is “an ongoing area of effort” while praising the European Union’s stringent General Data Privacy Regulation as a “well thought-out law.”
Still, the company gets about 85% of revenue from ads, so any limits on its ability to use data for marketing are a threat to its business. In Washington state this year, the company attempted to amend a bill dubbed GDPR-lite, according to sources familiar with the matter. The bill failed to pass. Last year in Illinois, Google tried and failed to roll back definitions in the state’s comprehensive biometric privacy law. The law remains as it was enacted in 2008.
California’s new law is widely viewed as the benchmark other states will use for their own data-privacy regulations. The CCPA may also be a template for a future federal law. In Congress, lawmakers are already discussing language for possible nationwide legislation that would supersede California’s law.
If Google and other internet companies fail to change the CCPA, the proposed amendments suggest the industry will continue to push for exemptions to other data-privacy legislation, or fight for a more-favorable federal law.
This year, the industry proposed a CCPA exemption for all targeted advertising, which failed. In July, the California Chamber of Commerce backed a bill to redefine the term “deidentified,” the practice of separating user data from people’s real identities. Jackson’s Senate committee quashed that effort.
Jackson said the CCPA debate could shift the balance of power in Sacramento, which she thinks has been controlled by Silicon Valley companies to protect their unregulated ways of doing business.
“Up till now, there really hasn’t been any policy. It’s been the Wild West,” she said. “They’ve just gone and done their thing, but now we’ve forced industry to come to the table.”