Column: Business’s attack on California’s landmark privacy law moves to the ballot box
Back in 2018, after years of consumers’ privacy rights being trampled by businesses with the indulgence of the federal government, California enacted its own consumer privacy law.
The California Consumer Privacy Act is a landmark. It gives Californians greater privacy protection than consumers anywhere this side of Europe.
But it’s imperfect and vulnerable to gutting by business interests working their magic in the state Legislature. So Alastair Mactaggart, the wealthy real estate investor behind the privacy law, has put up a ballot initiative to strengthen the law and inoculate it from the mischief of business lobbies.
The law is so new we don’t know what’s working and what’s not working.
— Mary Stone Ross, opponent of Proposition 24, which would strengthen state privacy law
It will appear on the November ballot as Proposition 24. MacTaggart has funded the pro-24 campaign with about $5 million of his own funds so far. Business interests so far have kept a low profile on Proposition 24, but signs have emerged that they may already be sharpening their knives against it.
The campaign to defeat the measure has dressed itself up with sober-sounding concerns about moving too fast to change the privacy law before it has had a chance to work, and creating new burdens on small businesses, and establishing a “duplicative” new state bureaucracy to oversee privacy rights. Some of the opponents’ concerns are legitimate, but many others are not.
Make no mistake: If Proposition 24 is defeated, the beneficiaries would be businesses that want to exploit your privacy without your consent.
In the wake of the initiative’s failure, “I fear that industry would be emboldened to come to the Legislature next year and ask to weaken the CCPA,” says Maureen Mahoney, policy analyst in the California office of Consumer Reports. (Consumer Reports hasn’t taken a formal stand on the measure.)
There’s good reason for Mahoney’s concern. After the passage of the CCPA, the California Chamber of Commerce and other big business lobbies inundated the Legislature with measures to gut it, to the point where fighting the bills and getting them watered down became nearly a full-time job for privacy advocates.
The most damaging measures were stopped, Mahoney reports, but some others made it through the Sacramento sieve.
Last summer, after years of inaction on consumer privacy by the federal government and slipshod privacy protection by big businesses collecting personal data, the California Legislature took matters into its own hands.
Mactaggart says the experience underscored the need to give the privacy act greater protection to “level the playing field” against “businesses with trillions of dollars of corporate value and extraordinary power.” The ballot measure allows the Legislature and governor to amend the privacy act only if the changes “further the purpose and intent” of the law.
Data-driven tech companies are plainly unhappy with the privacy law. In its latest quarterly report, Facebook warned investors that the “limitations on our advertising services, or reductions of advertising by marketers” resulting from the law “have to some extent adversely affected, and will continue to adversely affect, our advertising business.”
Companies reliant on personal data have reason to fear that California’s law will be replicated by other states, and possibly at the federal level.
It’s curious, then, the opposition to Proposition 24 includes some groups and individuals normally considered privacy advocates, such as the ACLU of California and the Consumer Federation of California. But, as we’ll explain, some of the opponents’ arguments don’t show them in the best light.
Let’s briefly examine what Proposition 24 would accomplish.
In addition to raising roadblocks to efforts to gut the law, the measure would improve enforcement by creating a state agency to do the job, with funding of at least $10 million a year.
The existing law places the burden of enforcement chiefly on the state attorney general, but Atty. Gen. Xavier Becerra has said that his office has only “limited resources” to shoulder the task, and that he would be able to bring only a handful of cases per year.
The initiative would close several loopholes in the law that have already been exploited by companies such as Amazon, Google and Spotify. They include provisions related to targeted advertising — online ads aimed at users based on personal data scraped from their browsers. The initiative, Mahoney says, would give consumers more control over how companies use that data.
The initiative also would grant an exemption from data-collection rules for more small businesses that collect information from fewer than 100,000 customers or households a year (up from 50,000 in the existing law).
California’s privacy law kicks in Jan. 1, but it’s just a start
Some opponents assert that the initiative falls short of their ideal.
They observe that it fails to provide for an “opt-in” default requiring businesses to avoid collecting personal data unless the consumer affirmatively allows it, rather than an “opt-out” system by which consumers are given the chance to bar collection of their personal information.
They say the initiative would require consumers to “pay for privacy” by allowing businesses to charge customers higher prices if they refuse to allow their information to be collected.
Mactaggart and other defenders of the measure say these objections are exaggerated or based on misunderstandings of the rules.
The “pay for privacy” provision is already part of the privacy law. Both the law and the initiative make clear that a price difference can’t be larger than the value to the business of the withheld data, which is generally measured in cents or a few dollars at most.
In other words, customers who refuse a retailer the right to use their personal data as part of a “loyalty” or frequent-user program can’t be charged double the price on a given item for not giving up their privacy, though they might be charged a few cents or bucks more.
Many privacy advocates appear to be holding out for a simple yet all-encompassing statute. Yet that’s an unrealistic goal, says Chris Hoofnagle, a privacy expert at UC Berkeley, a former staff member of the influential Electronic Privacy Information Center and a supporter of the initiative.
“They favor a law that can’t be passed politically or that the Supreme Court will strike down,” Hoofnagle told me. The Supreme Court signaled in a 2011 case that it would find opt-in clauses to be unconstitutional breaches of businesses’ free speech rights.
Good corporations know that the secret to success is to focus on your best quality and use it to serve your customers.
Some of the objections aren’t exactly paragons of consistency. Consider those of Mary Stone Ross, a lawyer and former colleague of Mactaggart’s in the original project to pass the privacy law, who is now head of the No on 24 campaign.
Ross, who has described herself as a privacy advocate, counts some high-tech companies subject to the privacy law among her consulting clients. She says it’s too soon to pass an initiative addressing a law that went into effect only Jan. 1.
“We already have all this time and energy expended toward compliance,” Ross told me. “The law is so new we don’t know what’s working and what’s not working.”
She complains that the new state agency would add another layer of bureaucracy and cost too much “at a time when we can’t even pay our firefighters.” (Ten million dollars would come to about five thousandths of a percent of the state’s $202-billion budget this year.)
Not only do those arguments sound as if they came directly from the Chamber of Commerce playbook, but they’re also at odds with points Ross made in an article published in January. She argued then, as the article headline stated, that the privacy law “doesn’t go far enough.”
She wrote then that “industry has relentlessly lobbied for legislation that will fundamentally undermine” the privacy law. She called leaving enforcement in the hands of an attorney general with inadequate resources “one of the most egregious mistakes in the drafting of the law ... rendering the CCPA largely toothless.”
After the state political party conventions in June, Ross’s committee issued a press release stating that both state parties “rejected” Proposition 24.
That was true of the Republican Party, but a lie as it applied to the Democratic Party. The Democrats at their convention decided to remain neutral on Proposition 24. Ross tried to tell me that this was tantamount to a rejection, but in the real world it is not. Period.
It’s impossible to know who is behind Ross’ No on 24 campaign because the campaign hasn’t filed any donor disclosure reports with the California secretary of state’s office.
Campaign spokeswoman Marva Diaz told me that’s because the campaign “has not yet received any reportable contributions.” Generally, starting 90 days before an election (that is, Aug. 3 this year), an initiative campaign must report any contributions of $2,000 or more within 24 hours.
The campaign employs a campaign consultant and has created a website and issued press releases, all of which presumably carry costs; Diaz says that “all expenses accrued — such as website or consulting fees ... will be disclosed, as required, on our first pre-election statement due Sept. 24.”
Companies love “wellness” programs for a number of reasons.
“We’re not a self-funded multimillionaire that has the money to be doing this,” Ross said. That’s a swipe at Mactaggart, but of course the reason we know about MacTaggart’s contributions is that his campaign committee has filed detailed contribution disclosures covering the time span from December through Aug. 24.
Ross says she’s not averse to taking money from the tech industry, even though it’s a central target of the privacy law.
“They should give us money,” she told me. “We’ve shown that once we get our message out to policy makers and voters, they realize they should vote no.”
Consumers should be very nervous about any effort to block an upgrade to California’s groundbreaking privacy law at the ballot box that welcomes contributions from its own targets. The law isn’t perfect, and neither is the initiative. They’re both complicated, which leaves the path open to misrepresentation by their opponents.
But that complexity is inevitable, Hoofnagle says. “There is no way to write a simple privacy law because a simple law would be unworkable.” Of the CCPA, he says, “In the history of privacy laws in California, no one has ever been able to get a law this strong.”
6:52 p.m. Aug. 28, 2020: This column was updated to acknowledge additional opponents of Prop. 24 and include a more detailed response from the No on 24 campaign on the issue of contributions.