How the tech industry is sowing confusion about privacy laws

An architect of California’s tough new privacy laws says we shouldn’t bet on anything similar happening on a national level in the near future.

How the tech industry is sowing confusion about privacy laws
Alastair Mactaggart [Photos: Chip Somodevilla/Getty Images;Joshua Sukoff/Unsplash]

Alastair Mactaggart founded and bankrolled the privacy activism organization that pushed California’s landmark privacy law—the California Consumer Privacy Act (CCPA)—into the books in 2018. The law spurred the introduction of similar privacy bills in states around the country, and it will likely give shape to an eventual federal privacy law.


As the story goes, Mactaggart, who made his fortune in the Bay Area real estate market, spoke to a Google employee at a cocktail party in 2016 who told him he’d be surprised at the amount of data the search giant had on him. Alarmed, Mactaggart and his friend Rick Arney hatched the idea of proposing a ballot measure to ensure privacy rights for Californians, and they signed on attorney Mary Stone Ross to help shape a new law. The ballot measure eventually gave rise to a comparable bill in the state legislature, which, despite heavy pushback from the tech and telecom lobbies, was quickly passed and signed into law by then-governor Jerry Brown.

The CCPA gives Californians the right to know what data tech companies such as Google and Facebook are collecting on them, the right to stop that data from being shared or sold, and the right to sue if a tech company fails to protect their personal data. It was the most extensive consumer privacy law in the country at the time.

Mactaggart’s group, Californians for Consumer Privacy, pushed another ballot measure in 2020, Proposition 24, that strengthened the CCPA. Voters passed the measure, and the proposition became the California Privacy Rights Act (CPRA), which goes into effect at the start of 2023. The law establishes a new privacy agency called the California Privacy Protection Agency, with a 5-member board and a $10 million annual budget.

While a number of states have followed California in passing their own consumer privacy laws, the vast majority of states still have weak or nonexistent privacy laws. Now Democrats and Republicans in Congress are trying to work together to pass a national privacy bill. A number of bills were floated in 2020, along with a major bill (from Representative Suzan DelBene, a Democrat from Washington) in 2021, but none has advanced very far. Meanwhile, the tech and online advertising industries are lobbying hard for a weak federal privacy law that might preempt stronger state laws, such as California’s.

I spoke with Mactaggart about the state of data privacy today and about the chances for a meaningful federal privacy law in the near future.


The interview has been edited for length and clarity.

Fast Company: Do you think there should be a federal privacy law, and if so, what are the chances of one getting passed in the current Congress?

Alastair Mactaggart: It’s unlikely that there is a federal law that preempts California’s privacy law. As an American I would welcome a strong national privacy law. Great. So where does that leave us? I don’t know. But when everything’s going to have to get done with 50 votes [in the Senate]—until the filibuster goes, 60 votes—it’s a hard one to imagine happening, I’ve got to tell you.

What do you know about the tech industry’s strategy regarding shaping a federal privacy policy?

[Tech industry groups are] very overtly going around the country trying to pass weak laws. The Virginia law is very weak compared to California. Because their strategy is to create confusion that will allow them to go to Congress and say “You guys need to fix this.”


And for all these [tech] businesses that will say “We can’t possibly plan for 50 different state laws,” I say, “Well, the last time I looked, there are banks and hospitals in all 50 states—you do it in these sectors. Why can’t you do it across the board?”

If you look at the existing national privacy laws, whether it’s the GLBA for finance or HIPAA for health, they are both laws that set a national floor, but they let states go further. Professional licensing is done by the states, and employment and unemployment insurance and working conditions are regulated differently state by state, so I don’t buy that at all. The desire for one law is really just the desire of an industry to have a weak law.

You said the tech industry’s strategy is to work at the state level to try to pass weaker privacy laws. So their endgame is to pass a weak federal privacy law that would preempt state privacy laws, correct?

Yes. I’ve talked to people who say they’ve been on calls with industry groups saying that their overall strategy is to create that confusion and then go to Congress and say “There’s such confusion.”

And yet, you know, a lot of the trains are already leaving the station. You see what Apple did with iOS 14.5 [requiring app makers to ask permission to track users], and what Google is now doing with their ending support for third-party cookies. I think a lot of the big companies are reading the writing on the wall and thinking “This is coming my way.”


We need to stop this unregulated market in consumers’ most personal information.”

One way to look at the CPRA, the 2020 law, is we just recreate the General Data Protection Regulation (GDPR), materially and in all respects, in California. I’m optimistic for privacy in the United States, because I feel like one in eight Americans [Californians] now has really strong privacy. What we saw last time is that a lot of companies extended CCPA rights to the rest of the country. And I’m hopeful that they will extend CPRA rights in the country like Microsoft and Apple and others did.

There has been so little regulation around the raw material of the tech industry for so much of its history—the raw material being all of us—so now we’re going to have some regulation around it, and I think it’s appropriate and it’s overdue. This stuff [personal data] used to be free; you can share it, you can trade it, you can trick people into giving you more information than they ever would normally, and then you can sell it and never tell them you’re going to sell it, or you bury it on page 75 of your privacy policy. All that is going to be a readjustment, but it should be, frankly. We need to stop this unregulated market in consumers’ most personal information.

Looking out for the little guy

Are you concerned that Congress might pass a privacy law that big companies such as Facebook and Google will have no trouble complying with, but small companies might be hurt because they lack the resources to comply?

In the new law we raise the threshold in terms of how many pieces of personal information you have to collect before you qualify as “in the business.” We simplified it so that it’s very clear that if you buy or sell or share data basically for advertising information, that’s when you’re covered.

If you’re not buying or selling information, or if you’re not actually taking people’s information and using it to ship off somewhere for advertising, you’re really not covered if you’re a small business. We’re very clear that we’re trying to go after people who are making a market in this information.


When it really gets down to the nitty-gritty, how do you make people understand what’s really at stake here? Many consumers just don’t appreciate what they’re giving up when they allow their personal data to be harvested and used without their consent.

We’ve done our research, and people really care about it,  but they don’t know what they can do. [In California] I think people had that sense before our laws that there was nothing they could do. I think when people have an easy way to enable that right [to not have their personal data sold or shared], they will. Not everybody. Some people won’t care, but the people who do will enable that right.

There’s so many analogs. You remember antivirus software? Before that, there were no viruses, and then there were, and people said, well, we need software. And now most of us are not updating our virus software because it’s automatic. It comes preinstalled. Given that functionality, it’s going to be the same thing with privacy over time.

Car safety is another good example. The car companies fought it tooth and nail. Tooth. And. Nail. And then over time the people said “No, you can do better than this.” You can have a padded dashboard, you can have safety glass. So it’ll be the same goal with privacy.

About the author

Fast Company Senior Writer Mark Sullivan covers emerging technology, politics, artificial intelligence, large tech companies, and misinformation. An award-winning San Francisco-based journalist, Sullivan's work has appeared in Wired, Al Jazeera, CNN, ABC News, CNET, and many others.