Alastair Mactaggart is out of breath. After rushing to meetings and testifying on Capitol Hill on Wednesday, the words are spilling out of him. The millionaire real estate developer from San Francisco, who spearheaded California’s new consumer privacy law, is in Washington, D.C., to join other privacy advocates who’ve been invited by lawmakers to describe what they want from a potential new federal privacy law. The issue has gained traction on both sides of the aisle in the wake of numerous high-profile privacy scandals, from Facebook user data being shared with Cambridge Analytica, to Google’s recent admission that it deliberately didn’t tell users about a privacy bug involving Google+.
But privacy advocates like Mactaggart are concerned that the bill he championed, which gives consumers sweeping control over their own data, and which took many months to become law in the face of opposition from Silicon Valley lobbyists, could be preempted by a weaker federal law. He was joined at a hearing of the Senate Committee on Commerce, Science and Transportation by Andrea Jelinek, chair of the European Data Protection Board; Laura Moy, executive director of the Georgetown Law Center on Privacy and Technology; and Nuala O’Connor, president of the Center for Democracy and Technology.
“It was my first time testifying before Congress and I think it went okay,” he tells Fast Company, adding that he also met with Democratic staffers. “It’s pretty obvious that the opposition, the big tech firms, are hedging their bets.”
What Big Tech really wants, Mactaggart says, is to gut California’s law before it takes effect in 2020. “If they do that, then they come back to D.C. and say, ‘It turns out we don’t need preemption,'” he says. “If they end up in Sacramento with a result they don’t like, then they’ll say we definitely need preemption right away. They’ll slow-roll it here, because the worst outcome for them is a strong federal law.”
Meanwhile, the California law—the toughest digital privacy law in the country—is already becoming a model for other states, and Mactaggart says that he’s been contacted by folks in Montana and Nevada.
At the hearing, the outrage at big tech companies was clear. Senator Richard Blumenthal (D-CT) said Google’s “deliberate concealment is absolutely intolerable.” He added that he’s writing a letter to the Federal Trade Commission, asking it to investigate the search giant for potentially violating a consent decree it reached with the agency in 2011 over its rollout of Buzz, its predecessor to Google+.
At one point, when lawmakers discussed Google’s statement that it was still waiting for third-party app developers to tell it if data from children was harvested on the social network, Mactaggart quipped, “That’s like waiting for drivers to tell cops that they’re speeding.”
Privacy laws need teeth
Advocates emphasized that privacy rules need to be backed up with tough enforcement measures, including hefty fines, similar to those in Europe. Moy cited the European Union’s General Data Protection Regulation, which has a maximum fine of €20 million, or 4% of a company’s annual global revenue. “Fines can really rise to a level that provides the right incentive for companies under the GDPR, and we desperately need that here in the U.S.,” she said.
Mactaggart warned lawmakers about the enormous sway exerted by companies like Facebook and Google, noting that while drafting the California law, lobbyists got aides to insert a “couple of tiny little words” that “would have totally gutted the law.”
To illustrate the significance of those tiny words, Mactaggart later explained to Fast Company that some of them involved changing the definition of “sell.” As written, consumers had the right to tell a company that they can’t sell their information. That means it can’t be transferred out of the four walls of Facebook, for example, except in certain limited circumstances labeled “business purposes”—such as when you buy a movie on iTunes and Apple sends your credit card info to a third party to make sure your payment is valid. (The California law called for a written contract with the credit card processor, in which that company agrees not to sell your data further.)
Another example of tiny words involved attempts to change the definition of “personal information,” which cannot be sold to third parties under the law. “The tech companies would be happy to narrowly define ‘personal info’ as just your name and email address,” because you can get so much information from other pieces of information, such as your device ID, says Mactaggart. “We want a very broad definition [of that term].”
For now, Mactaggart and his allies are playing the long game because they know that Big Tech has all the tools and resources at its disposal. And as we know, Silicon Valley can be extremely motivated when it wants to be. “They are freaking out,” Mactaggart says.