CVIndependent

Wed11252020

Last updateMon, 24 Aug 2020 12pm

It’s one of the most confounding fights on California’s November ballot: While tech companies lie low, advocates for consumer privacy are fighting among themselves over a measure that would give people new rights to control how companies use their digital data.

On one side are those who say Proposition 24 would make California’s existing privacy law even stronger, setting it up as a national model for consumer protection in the digital age. On the other, fellow privacy advocates say the initiative doubles down on problems in the current law and goes too easy on the businesses it’s supposed to regulate.

Credible consumer and privacy advocates have lined up on both sides of the issue, and one of the nation’s foremost privacy champions—the Electronic Frontier Foundation—has decided not to take a position, saying Prop 24 amounts to “a mixed bag of partial steps backwards and forwards.”

“The privacy community can’t even agree on a consumer privacy law,” said Chris Hoofnagle, a supporter of Prop 24 who directs the University of California’s Berkeley Center for Law and Technology. “So it’s really an unfortunate situation.”

At the center is a personal feud between two Bay Area residents who were once allies in trying to win Californians the strongest data-privacy law in the nation. Real estate developer Alastair Mactaggart is the main backer of Prop 24, having poured $5.5 million into it so far. Privacy advocate Mary Ross is leading an opposition campaign with a lot less funding, arguing that Prop 24 “undermines and weakens the rights that we have today.”

Mactaggart says, “I’m gobsmacked that she is doing this, because (Prop 24) is so much better than existing law.”

The pair teamed up two years ago to pressure the Legislature into passing a data-privacy law. But along the way, they disagreed about whether to compromise with tech companies on some provisions. Ross didn’t want to; Mactaggart felt that some negotiating would lead to political success. He made concessions to big business—such as limits on the ability for consumers to sue, and permission for companies to charge customers more if they prohibit businesses from selling their data. The strategy helped win political support in a statehouse where Big Tech has a lot of sway.

Mactaggart and Ross parted ways, and lawmakers approved the California Consumer Privacy Act in 2018. It took effect earlier this year. The law allows Californians to find out what information businesses have collected about them and to direct companies to stop selling their personal data. (It’s why you now see those “Do not sell my info” buttons on many websites.)

“It’s a groundbreaking law,” Mactaggart says. But, he adds, “I think that it can go further.”

Enter Prop 24.

Mactaggart argues that the measure will strengthen California’s privacy law—by allowing consumers to tell businesses to limit the use of sensitive personal information, such as their exact location, health information and race. Prop 24 also would triple the fine companies face if they violate children’s privacy rights, and create a new state agency to enforce the privacy law. It’s won the support of advocacy groups like Consumer Watchdog and Common Sense Media, notable privacy scholars, and Democratic politicians including former presidential candidate Andrew Yang and Rep. Ro Khanna of Silicon Valley.

But Ross also has backing from major privacy advocates in arguing that Prop 24 does more harm than good. Opponents include the American Civil Liberties Union, the Consumer Federation of California and Public Citizen. Groups from both ends of the political spectrum—progressive Democratic clubs as well as the California Republican Party—also oppose the initiative.

“Overall, it’s a step backward,” said Jacob Snow, an attorney who specializes in tech policy for the ACLU. “It would undermine privacy protections for Californians.”

Snow says Prop 24 could allow companies to grab data from Californians’ devices when they leave the state, and would delay certain privacy protections for another two years. Some of his biggest beefs with the measure lie in how it expands aspects of the current law with which he and other opponents fundamentally disagree.

California’s existing privacy law allows companies to charge people more for a service if they opt out of having their data sold. Prop 24 would expand that rule to cover customer loyalty programs, essentially, in Snow’s view, creating more circumstances in which people who are poor might choose to give up their privacy to save some money.

“That has disproportionate effects on communities in California who are already vulnerable, like Black and Latinx families and elderly people,” Snow said. “And those are the people who should be at the center of our thought process, and our concern when we are writing privacy laws.”

But Prop 24 supporters say this aspect of the law could lead to a beneficial system where people are compensated for the value they give companies through their personal data. “Californians could get paid for their data from businesses they like and at the same time, get privacy from those they do not,” Yang wrote in a San Francisco Chronicle commentary.

Another area of disagreement: whether companies should have to ask permission to sell consumers’ data (the “opt in” model) or whether consumers should have to ask companies to stop selling it (“opt out”). The existing law requires Californians to opt out.

Prop 24 does not change that. Opponents had hoped it would, because opting out is a tedious process that requires people to fill out forms on every individual website they visit.

It puts the burden on consumers instead of companies, Ross said, making it “very hard to opt out of the sale of your personal information.”

Hoofnagle says an opt-out system may not be perfect, but is “the only workable approach.” Besides, he points out, technology is being developed that will eventually allow people to sign up once to make their data restrictions apply across all the sites they visit on the web.

Prop 24 opponents say the new law would allow companies to ignore such a universal opt-out if they instead post a “Do not sell my info” button; Hoofnagle counters that companies hate posting those buttons and would be enticed to obey the universal opt-out.

The tech industry, meanwhile, is not saying much. The California Chamber of Commerce and the Internet Association testified against Mactaggart’s initiative during a legislative hearing this summer, arguing that it’s too soon to pass a new privacy law given that one just passed in 2018.

“A new ballot measure creates a whole new set of compliance challenges,” Internet Association lobbyist Dylan Hoffman said in an August interview. “With the regulations being so fresh, our companies are trying to understand and comply with those first.”

The group—which represents dozens of internet-based companies, including Facebook, Google and Amazon—declined to comment on Prop 24 when asked for an interview again this month. Neither the Internet Association nor the Chamber of Commerce have taken a formal position on Prop 24 since it landed on the ballot. Nor have they spent a penny campaigning for either side.

Ross said she’d hoped the tech industry would help fund her campaign against Prop 24. She sees their lack of spending as a sign that they got what they wanted from private negotiations with Mactaggart and secretly like what the measure would do.

But it may just be that tech companies have learned that fighting privacy is a politically untenable position as Americans become more aware of how much control they have over personal information. Facebook was widely criticized two years ago when it teamed with other tech companies to pump $1 million into fighting Mactaggart’s earlier privacy measure.

A coalition of advertisers—who use consumer data to serve up ads—oppose Prop 24, but also haven’t put money toward defeating it. The “no” side is struggling to raise money, with just $48,000 so far from Consumer Federation, the League of Women Voters and the California Nurses Association.

The “yes” side, with more than $5.5 million, is funded almost entirely by Mactaggart.

CalMatters is a nonprofit, nonpartisan newsroom committed to explaining California policy and politics.

Published in Politics

When California passed the nation’s first law to give consumers control over their personal data last year, legislators built in an unusual buffer—an extra year to change the law before it takes effect in 2020.

Lawmakers and lobbyists are now making use of that time, submitting at least 20 bills in recent weeks that would adjust, tweak or perhaps ultimately gut California’s unique privacy protections.

Privacy advocates are fighting to make the law even broader, while businesses and tech companies want to see it narrowed. The dynamic could force lawmakers to choose between constituents who overwhelmingly feel they have lost control of how their personal information is collected and used, and businesses (including many campaign donors) who argue that broad privacy protections could fundamentally damage the internet economy.

The issue landed in the Capitol with huge urgency because of a San Francisco real estate developer named Alastair Mactaggart. Last yearhaunted, he has said, by a dinner-party chat with a Google engineer who told him Americans would be stunned to know what the tech giant knew about themhe spent $3.2 million to put a data-privacy law on the ballot. Tech companies poured $1 million into a campaign to fight it, then decided they’d rather seek a compromise in the Legislature. Lawmakers rushed to pass a privacy law last summer, and Mactaggart pulled his measure off the ballot.

“I was aware when I withdrew the initiative that that would open us up to the possibility of change, both bad and good,” Mactaggart said to a panel of lawmakers this month. “I believe you guys are going to do a great job defending this bill, and making sure that when it goes into effect next year, it’s a great bill for California and for the world.”

The law requires that companies tell customers what information it collects about them and to whom they sell the data. It also requires that companies give customers an easy way to opt out of having their data sold, and limits how much more they can charge those who do.

It’s too soon to say exactly how or whether lawmakers will wind up changing the privacy law. Many of the bills that have been introduced are mere placeholders, and it’s still early in the legislative year. A lot can change before lawmakers cast their final votes in September.

But a few general themes have already emerged. Here’s what to watch as California’s privacy battle unfolds:

Teeth are a big fight: A key aspect of last year’s compromise between tech companies and privacy advocates was minimizing the opportunity for lawsuits. Under the deal they reached, the law only allows lawsuits over data breaches. But that’s now up for debate, with new bills giving Californians the right to sue companies that break other aspects of the privacy law, such as if they don’t give customers the opportunity to opt out of having their data sold or don’t delete data upon customers’ requests.

“In order to make sure they comply with the law, we need to make sure people can exercise their rights,” said Democratic Sen. Hannah-Beth Jackson, of Santa Barbara, who is carrying a bill that would expand the ability to sue under the privacy law. “If you don’t violate the law, you are not going to get sued.”

Big business is likely to push back hard.

California Chamber of Commerce lobbyist Sarah Boot said changing the privacy law to allow for more lawsuits would trigger “a class-action bonanza.”

“Frankly, our court system can’t handle that. California businesses can’t handle it. And the California economy can’t handle that,” Boot said in a hearing before Jackson’s bill was introduced.

Another flashpoint is a change the tech industry wants—limiting which bits of information consumers can opt out of having sold. Tech companies argue that the law should be narrowed so they can still exchange non-identifiable information with advertisers about, for instance, users’ devices and operating systems.

“Treating this as the sale of personal information jeopardizes the underpinnings of the internet,” said Internet Association lobbyist Kevin McKinley.

Privacy advocates caution that some changes that seem small may actually weaken the law.

“Powerful tech companies and their clever lobbyists know how complex privacy policies are, and what they may present as a small tweak here and there can fundamentally change the entire law and completely obliterate the rights people have,” said a statement from Jim Steyer, CEO of Common Sense Media, a nonprofit that is part of a coalition of privacy advocates.

Politics aren’t on usual lines: Lawmakers passed the privacy bill last year with a sweeping bipartisan vote, and the issue continues to resonate across the political spectrum.

Republicans—trying to make themselves relevant in a Legislature where Democrats have an enormous majority—have introduced a package of privacy bills, including one that would require social-media companies to permanently delete data when people delete their account, and another that would prohibit companies from saving the voice commands people give smart speakers such as Amazon’s Alexa.

GOP Assemblyman Jordan Cunningham said he’s gotten some blowback from business lobbyists who are used to having Republicans on their side.

“Some people are like, ‘What are you guys doing?’” said Cunningham, of San Luis Obispo. “Privacy is a nonpartisan issue to me. It’s a nonpartisan issue to my constituents. When I talk to people in my district, they uniformly want this stuff. They know their data is being used in ways they’re not aware of.”

Democrats control the legislative process, so one political question to watch is whether they allow Republican privacy bills to advance, or quietly kill them. The other political question is whether Democrats themselves will split over any of the proposals, as happens on many fights in the Capitol that impact big business.

“I think there will be a real battle between the pragmatists and the idealists,” said Steve Maviglio, a Democratic political consultant who worked on the tech companies’ brief campaign against the privacy ballot measure. “That’s where it’s going to lie.”

Washington is a wildcard: While California is debating changes to its privacy law, federal lawmakers are also considering a nationwide version. At a pair of recent hearings in Washington, House Democrats vowed to get tough on tech companies, and Senate Republicans said they would like to pass a national privacy law that overrides California’s.

Internet companies would prefer a single national law over a patchwork of rules across the states. Privacy advocates, meanwhile, have argued that any nationwide privacy law should be structured to set a tough minimum baseline of privacy protections upon which state laws could build.

Built into the argument is the sense, on both sides, that California’s size and market influence will do for internet regulation what it did for rules around auto emissions—force the industry to essentially default to California’s regulations as the national standard.

There, too, California politics could be a factor.

Mactaggart said he thinks it’s unlikely that Congress will pass a law that would substantially weaken California’s, given the size of the state and the prominence Californians hold in the House—both the speaker, Democrat Nancy Pelosi, and the minority leader, Republican Kevin McCarthy, hail from the Golden State.

“It’s going to be hard for them to step in and gut a law that protects one in eight Americans,” Mactaggart said.

CALmatters.org is a nonprofit, nonpartisan media venture explaining California policies and politics.

Published in Politics