When it goes into effect next year, the California Consumer Privacy Act will be the nation’s strongest privacy law, with the aim of giving Californians more control over their personal privacy in the fashion of the European Union’s widely heralded General Data Protection Regulation. But privacy advocates say that it does so without crucial provisions that would actually restrict the sharing of personal data and provide consumers the ability to sue companies when they violate people’s privacy.
This week, the legislature in Sacramento voted to advance a number of follow-on amendments to CCPA. But notably missing was the strongest proposal yet, AB-1760, known as Privacy for All. Introduced in February by Assemblymember Buffy Wicks, the bill would have required companies to ask consumers to opt in to data collection rather than opt out, and would have restricted not just the selling but the sharing of personal information, two provisions that are staunchly opposed by industry groups.
On Monday, Assemblymember Wicks withdrew Privacy for All because it was unlikely to get the necessary votes. Instead, the Privacy Committee backed six bills supported by the tech industry, including measures that would allow employers to retain personal data on employees (AB-25) and enhance the power of companies to compel consumers to pay for privacy protections (AB-846).
Other bills supported by internet and advertising industry groups and advanced by the committee on Tuesday included AB-191, which would carve out exceptions for the insurance industry, AB-873, which would weaken the critical definitions of “personal information” and “deidentified,” and AB-874, which exempts “publicly available information” from California’s rules, permitting companies to continue scraping consumer data for sale to advertisers.
Jacob Snow, Technology and Civil Liberties Attorney with the ACLU of Northern California, said the outcome of Tuesday’s Assembly Privacy Committee hearing is “beyond disappointing.”
“Led by committee chair Ed Chau, the committee killed AB-1760, the only bill that would have given California consumers real privacy,” says Snow. “In the same breath, the committee rubber-stamped six different bills that are backed by the tech industry to weaken the [CCPA].”
Hope for more stringent privacy rules this year now largely rests with a bill under consideration in the Senate, Sen. Hannah-Beth Jackson’s SB-561, which would give consumers the ability to sue companies for privacy violations.
Twenty-four tech companies, including the privacy-based DuckDuckGo search engine, have expressed support for AB-1760 and Privacy for All. “Those companies realize that privacy is a growth industry, and that there is a lot of money to be made in prioritizing privacy and in offering products that protect people,” says Snow.
Some of the country’s most powerful tech companies, including Facebook and Google, also say they support new data privacy regulations. But those companies have also been working on the local and national level to resist more stringent upgrades. Shortly after the California law was enacted, for instance, the California Chamber of Commerce and 39 other business lobbies submitted a 20-page list of proposed fixes to the law that would not meet the strict standards urged by some lawmakers and privacy advocates.
One of the biggest proposed industry-backed bills up for consideration in the Senate, SB-753, goes in the opposite direction of Privacy for All: It would establish an exemption for tech companies who say they merely share data and sell targeted advertisements rather than sell user data to third parties.
Specifically, the amendment would exempt the sharing of personal data in the process of real-time bidding, a form of programmatic advertising that sits at the heart of Facebook’s business model, among many others. Last year, real-time bidding generated $20 billion in revenue in the U.S. alone, according to eMarketer. A spokesperson for Facebook did not respond to a request for comment about its lobbyists’ efforts to water down the California law.
“A privacy law shouldn’t have a targeted advertisement exception for the same reason that an environmental law shouldn’t have a coal mining exception,” says Snow. “Privacy is undermined by people’s information being gathered and accumulated, and then used to serve behavioral advertisements as they move about the internet. Having an exception there really flies in the face of privacy and would be really harmful, and that is why we’ve opposed SB-753.”
A Facebook spokesperson declined to comment on its lobbyists’ efforts to water down the California law.
Snow and other advocates for more stringent rules point to a parade of abuses: Beyond Cambridge Analytica’s political-psychological operation, there have been massive data breaches, the accidental harvesting of 1.5 million Facebook users’ email contacts, and various forms of discrimination using targeted ads. And as groundbreaking as CCPA is for user data protection and privacy, at least in the United States, its deficiencies are glaring, he says.
California’s new law, which was introduced in January 2018, shortly before reports that Cambridge Analytica had illicitly harvested Facebook user data for use in political campaigns, says that users can only opt out of the sale of their information, not the collection and sharing of their data. And if a company collects and shares that data after a user opts out, for instance, the California Attorney General is solely responsible for enforcing an action against the company. Even then, that enforcement can only come after a 30-day cure period during which companies could consult with the AG regarding compliance.
Dead for now: The opt-in power of “Privacy for All” (AB-1760)
Privacy for All sought to remedy some of those issues. Hayley Tsukayama, a legislative activist at the Electronic Frontier Foundation, says the amendment’s opt-in provision is critical for any serious consumer data protections. “Sharing by default is what got us into the privacy mess we’re in right now, where people can’t stop companies from sharing information because they simply don’t know or realize that it’s happening,” she says. “We shouldn’t have to go take the time to go to every company in our lives and ask them to stop invading our privacy. They should simply ask before they take it.”
The amendment would have also removed a loophole in the CCPA that would let companies charge more or give lower quality service to people who exercise their privacy rights, and would have also required companies to tell users what type of information they are collecting, and with whom they are sharing it.
“Right now, companies bury things in privacy policies, and they do that to hide them from users,” says Snow. “But one of the things that is important about these new privacy rules is that people have the right to find out exactly what information is collected, held, and shared.”
Assemblymember Wicks, who abstained from all Privacy Committee votes on Tuesday, intends to bring the bill back for a vote in the committee next year.
Still alive: The right of individuals to sue companies under SB-561
Another concern for consumer advocates is that under the CCPA, only the Attorney General has the authority to enforce the law. But, as California AG Xavier Becerra noted in a letter he penned to state senate and assembly leaders, there is concern about his office’s ability to effectively oversee and enforce CCPA’s privacy protections.
Among Becerra’s various critiques of the law were the 30-day cure period, under which the AG’s office would, he argues, essentially give free legal advice to tech companies at the taxpayers’ expense. Becerra also took issue with the lack of a private right of action, a provision that would allow users to sue tech companies to protect their privacy. Currently, the CCPA only allows plaintiffs to sue tech companies in the event of a data breach, but not other kinds of violations of privacy.
Senate bill 561, which is coming up for a Senate vote in a few weeks, would change that. “Under SB 561, people would have that right to enforce their rights in court if there was a violation,” says Snow, noting that this provision would also ease the burden on the AG office’s enforcement of CCPA, which would be constrained by limited resources.
“People are the best enforcers of their own privacy. If we can’t advocate for ourselves, who will?” says Tsukayama. With a private right of action provision, “if you find a company shared information with a third party that you did not opt in to a relationship with, that would be grounds for a suit.”
Opposition in California and D.C.
Like Washington’s recently defeated algorithmic accountability bill, the CCPA amendments face stiff opposition. In an August 8 letter to California State Senator Bill Dodd, the coalition of California business lobbies requested to be included in CCPA clean-up legislation. In the 20-page letter, which recommended various changes to CCPA, the group argued that privacy compliance will place logistical and financial burdens, both large and small, on businesses in almost every industry.
“For example, the definition of ‘personal information’ includes IP addresses,” the coalition wrote. “As such, this bill ostensibly applies to any business that receives 50,000 IP addresses per year on its website—that’s an average of about 137 unique visitors per day. Many small businesses will have to comply with this bill, regardless of their level of technological sophistication or their resources.”
Another battle line is being drawn at the federal level. The Center for Democracy and Technology, a D.C.-based think tank that draws funding from Silicon Valley, has written one of a number of draft privacy bills that would effectively “nullify” state privacy laws. CDT’s draft emphasizes an “opt-out” rather than an “opt-in” model for data sharing, and would give authority to enforce a federal privacy law to the Federal Trade Commission, an agency that has only 40 people policing data privacy and security. CDT accepts donations from Google, Facebook, Verizon, and other tech companies, and the worry is that this monetary relationship would influence any federal privacy law passed by Congress.
Joseph Jerome, Policy Analyst with CDT’s Privacy & Data team, tells Fast Company, however, that their federal proposal would build upon and include provisions in leading state privacy laws, like the CCPA and Illinois’ biometric law. He says that the U.S. deserves data privacy protections stronger than those guaranteed by any existing state law. CDT’s draft bill would put the onus on companies to change their data privacy practices, taking pressure off users to navigate preferences and settings on hundreds of apps, services, and devices.
But unlike SB-561 and Privacy for All, the bill does not provide consumers the right to sue over violations, nor does it require companies to ask consumers to “opt-in” to data sharing.
“An opt-in model still requires users to navigate settings and preferences on hundreds of apps, services, and devices, and we can create stronger protections by seriously limiting the ability of companies to process sensitive data when it isn’t required for a product or service,” says Jerome. “Opt-in rights do not automatically protect users. For example, we don’t think people should have to opt in or opt out of a flashlight application collection of precise geolocation. The flashlight should just not collect geolocation data.”
In December, a group of 15 senators led by Senator Brian Schatz of Hawaii introduced a privacy bill called the “Data Care Act of 2018.” Unlike the CCPA amendments, the bill, which enjoys tech industry support, would offer neither an opt-in nor a private right-of-action provision. In January, Senator Marco Rubio (R-FL) introduced the American Data Dissemination Act, a bill which he claimed would “protect small businesses and startups while ensuring that consumers are provided with overdue rights and protections.” As with CDT’s draft legislation, Rubio’s bill would empower the FTC to enforce consumer privacy protections.
“Strong federal privacy protections make sense, but federal legislation should act as a floor, not a ceiling, for privacy interests,” says Snow. “No federal law should wipe out existing privacy laws that protect consumers or foreclose states from acting to address future privacy threats.”