In their public statements, appearances before Congress, and so many recent op-eds, tech leaders like Mark Zuckerberg and Tim Cook have professed their commitment to privacy. But in their home state of California, the lobbying groups and trade associations that represent these same companies have quietly backed legislation that privacy experts say would severely weaken a sweeping privacy law that’s set to take effect in January.
The California Consumer Privacy Act, or CCPA, gives residents of California the ability to request the data that businesses collect on them, demand that it be deleted, and opt out of having that data sold to third parties, among other things. But last week, the California Assembly’s Committee on Privacy and Consumer Protection advanced a series of bills that would either amend CCPA or carve out exemptions for certain categories of businesses. These bills received widespread backing from business groups, including the California Chamber of Commerce, as well as leading tech lobbying firms that represent the likes of Facebook, Google, Amazon, and Apple. But privacy groups almost unanimously opposed them, stoking fears that state lawmakers are about to strip the country’s meatiest privacy law to the bone.
“Numerous stakeholders have urged further refinement of [CCPA]—from addressing workability issues from a business compliance standpoint, to strengthening the law from a consumer and privacy protection standpoint,” Assemblymember Ed Chau, who chairs the committee and also co-sponsored CCPA, told WIRED in a statement. Chau says the committee plans to “review and analyze all bills,” and “give every author an opportunity to make their case before our membership.”
Issie Lapowsky covers the intersection of tech, politics, and national affairs for WIRED.
But privacy advocates worry that this process risks watering down the rights consumers have under the law. The only bill that privacy advocates supported in the Assembly, called the Privacy for All Act, was pulled by its author at the last minute. “All of these industry interests are trying to weaken privacy in California,” says Jacob Snow, staff attorney with the ACLU of California. “The Privacy Committee members who were present revealed their constituency are tech companies.”
From the day CCPA was passed last June, voices on both sides of the privacy debate agreed that it required some fine-tuning. Legislators had hurried it through to prevent a stricter ballot initiative from being put before voters in November. That ballot initiative had widespread public support, but faced stiff opposition from the same companies and trade groups that are now trying to amend CCPA.
Mary Stone Ross, who helped draft the initiative when she was president of the group Californians for Consumer Privacy, describes the subsequent attempts to erode the California law as “painful” to watch. “We forced the hand of the legislature, but now it’s shifted back again,” she says.
A Parade of Bills
The proposed bills all aim to make the law easier for businesses to comply with, and less disruptive to their operations—even if that means giving them more control over people’s data than privacy advocates would like. Several pieces of legislation received widespread support from the tech industry’s top lobbying firms, including the Internet Association, TechNet, and the Consumer Technology Association. One such bill, which Chau introduced, would change the way CCPA regulates employee data. The way the law is written currently, rights under CCPA apply to all California residents. Chau’s bill, known as AB 25, would exclude data that businesses collect on employees, job applicants, and contractors, as long as the businesses use that data “solely within the context” of that relationship.
Privacy groups acknowledge that employers need more freedom to collect data on the people who work for them than, say, a company like Facebook needs to collect on its users. But they fear the wording of AB 25 would allow companies to go too far.
“Absent a safeguard of privacy for workers in the workplace, the bill opens the door to highly intrusive data collection by companies of their employees,” a coalition of privacy groups wrote in a letter to Chau earlier this month. The groups pointed to a report by consulting firm Accenture that found 62 percent of businesses are using new workforce data, but only 30 percent of them “are very confident that their organization is using the data in a highly responsible way.”
Another bill creates a carveout for loyalty card programs. Under CCPA, businesses wouldn’t be able to charge higher prices or offering different services to customers who opt out of having their data collected or sold. Known as the non-discrimination provision, this is supposed to prevent companies from penalizing people who exercise their privacy rights. But a bill called AB 846, which is backed by the CTA and The Wireless Association, would create an exemption for businesses that offer voluntary loyalty cards to their customers. If businesses had to keep the data they collected for these programs to themselves, such a change would be “tolerable” says Adam Schwartz, a senior staff attorney with the Electronic Frontier Foundation, a digital rights group. But the bill puts no limits on what businesses can do with that data, or with whom they share it.
“If the supermarket is coercing me to hand over my shopping data, or else they’ll take away a 15 percent discount, and they’re selling that information to data brokers, at that point, we see that loyalty program as being a menace to privacy,” Schwartz says. The EFF and other groups say the bill would allow a “pay-for-privacy” regime that creates two different cost structures for those who can afford to protect their privacy and those who can’t.
The Internet Association also sponsored a bill that would eliminate a requirement under CCPA that businesses provide a toll-free phone number where people can make data requests. Instead, the bill, known as AB 1564, would require businesses to provide a toll-free number or an email address. Businesses that maintain websites would also need to accept requests through those. “Many businesses covered in the CCPA do not currently have toll-free numbers and obtaining one would be a cost driver,” industry groups, including the Internet Association, wrote in a letter of support. “Second, receiving and verifying consumer requests via phone calls would present security concerns in many cases.”
Eliminating this requirement may sound like a subtle change, but privacy groups say it puts people without access to the internet, or who are uncomfortable using it, at a disadvantage. “This bill would introduce unnecessary barriers of access, disproportionately affect under-privileged communities, and make it harder for Californians to make use of the protections and rights provided in the CCPA,” the coalition of privacy groups wrote in a letter.
Tech groups also threw their weight behind AB 873, a bill that deals with the tricky definition of “personal information” and what it means for data to be “deidentified.” Under CCPA, even data that “is capable of being associated with” a specific consumer is considered personal information, even if it isn’t directly linked to that consumer already. The supporters of AB 873, including the California Chamber of Congress, argue that’s an overly broad category. It would mean, for example, that a brick and mortar store might have to go so far as to review security camera footage and provide it to any customer who made a data request, even if the store had never linked that footage to the customer to begin with. The bill would redefine “personal information” to include any data that is “reasonably capable” of being associated with a consumer, giving businesses more cover. It would also change the definition of “deidentified,” or anonymous, data, which receives special protection under CCPA.
Taken together, these changes will “make the historic law more workable for both consumers and businesses,” says Kevin McKinley, the Internet Association’s director of California government affairs.
In a statement to WIRED, Facebook vice president of state and local policy, Will Castleberry, said that giving people more control of their data and allowing them to stop companies from selling it are “core principles to strong privacy protections.”
“We support technical efforts as long as they do not weaken CCPA’s underlying principles,” Castleberry said.
But the ACLU’s Snow says the tech companies that the Internet Association and other trade groups represent have been notably missing from these more technical conversations, even as the lobbying firms that represent them negotiate on their behalf. “I think they’re using that to maintain plausible deniability,” Snow says.
There’s no guarantee that these bills will pass when they’re put to a vote in the Assembly and the state Senate before the end of the legislative session this fall. The privacy groups say they will continue to push members of the legislature to oppose measures they say weaken CCPA as it stands. Assemblymember Chau, meanwhile, says that while he’s open to addressing issues in CCPA, he is “equally adamant that we not erode the rights we fought so hard for last year.”
One bright spot for privacy groups is a bill that advanced out of California’s Senate Judiciary Committee, which would give Californians the ability to sue for violations of their privacy rights under CCPA. This provision was included in the ballot initiative, but dropped from CCPA due in part to objections from businesses.
Still, proponents of privacy aren’t entirely optimistic about the final implementation of CCPA, given the slate of bills before them. That’s to say nothing of the ongoing battle in Washington, DC, where tech firms and other industry groups are pushing Congress to pass a federal privacy bill that would override state privacy laws altogether. “Having so many different bills introduced spreads the privacy groups so thin,” Ross says. “They’re up against all these different trade associations. It’s an uphill battle.”