Technology companies are fighting a behind-the-scenes battle in California to undermine new privacy legislation before it comes into effect.
The California Consumer Privacy Act was approved back in June following an extraordinary game of chicken between grassroots campaigners and lawmakers. It will give new rights to the state's 40 million inhabitants, including the ability to view the data that companies hold on them and, critically, request that it be deleted and not sold to third parties. It's not too far off Europe's GDPR.
Any company that holds data on more than 50,000 people is subject to the law, and each violation carries a hefty $7,500 fine. But, in order to help companies prepare, the law will only come into effect in January 2020. And that has given Big Tech a window to try to pressure lawmakers into making changes.
A 20-page letter [PDF] from 38 different trade groups, led by the California Chamber of Commerce and sent to key Californian lawmakers, outlines in precise detail the changes that tech companies want made to the law before it comes into effect – and some of them have privacy advocates up in arms.
The letter complains about the "hastily passed" law and proposes amendments that would "address drafting errors, and fix aspects of this bill that would be unworkable and that would result in negative consequences unintended by the authors."
Critics charge however that some of the proposed changes would effectively kill off the law's key elements. Proposed changes include deleting the term "specific pieces" which would have the effect of allowing companies that hold your data to give consumers vague responses like "browsing history" to requests for data rather than precise details such as which websites they have associated with your profile.
Usable? Don't be ridiculous
The companies would also like to delete a key part of the law that gives consumers the right to ask for their personal data in a "readily usable" format – something that would make it much easier to share, analyze and move data. Without this provision, companies will be able to provide your personal data in a format that is much harder to make sense of, search through, or send to others to analyze. Think PDF instead of spreadsheet.
Other changes are clearly designed to protect Google's and Facebook's business models where they gather vast amounts of data on individuals and package it to sell to third party advertisers.
Tech companies claim that because they don't provide identifiable information to advertisers – i.e. they can advertise to 18-30 year-old men who live in a specific geographic radius and are interested in video games but they don't get the specific names of those people – there are no privacy issues.
But privacy advocates argue that the companies gathering and selling that data are running amok and gathering all sorts of highly personal data that they sell on. Users should be allowed to see what data is held on them and demand it be deleted if they don't want a company to know that about them, they argue.
There are some very specific proposed changes that would effectively allow Facebook, Google et al to keep doing what they are doing despite the clear intent of the law to give the user more control over their data.
For example, Big Tech proposes the complete deletion of a section about profiles that "reflect the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes." In other words, the most disturbing personal data that companies have on you.
Getting personal. Or not
It also attempts to write into the law that the definition of "personal information" not include "aggregate consumer information nor information that is deidentified, pseudonymized, or publicly available information..."
In other words, Google and Facebook's extremely valuable packages of consumer information would be specifically written out of the law.
And while the letter steers clear of offering precise wording changes over the critical issue of targeted advertising and whether consumers will be given a right to refuse the use of their data for advertising, it makes it plain that tech companies will be pushing on that too.
The final version of the privacy act "should clarify that the law does not require an opt-out of all advertising," the letter argues. "Online advertising allows companies to reach audiences that are likely to be interested in the companies’ products or services in a privacy protective way, which does not require the online platform to identify the consumer to the business in order to deliver the business’s advertisement."
Which is a policy wonk way of trying to make sure that consumers can't pre-emptively stop companies from selling their data. It would result in you having to periodically contact every company that has data on you and insist they delete it, rather than be able to say upfront "you can't sell this data."
In effect, personal data deletion would become like unsubscribing from unwanted emails: every few months it's up to you to go and insist you no longer be sent any more emails. And then, of course, a few months later you are back to where you started.
The letter also proposes giving companies longer to respond to requests – 45 days no less – and they want to push back implementation by a year.
Of course amid the self-satisfying proposals there are also quite a few good suggestions for tightening up the law. Which is, of course, how lobbyists find their way into lawmakers' offices: by being useful. Right before they propose changes that suit their business model to the detriment of the law's intention.
Nope and nope
In response, privacy advocates are pushing back.
They've sent their own letter [PDF] in response to Big Tech's letter urging lawmakers not to make many of the changes.
"On behalf of 39.5 million Californians, the undersigned state and national organizations strongly urge you to reject recent proposals to weaken the California Consumer Privacy Act (“CCPA”)," it begins, before arguing that "the majority of the Chamber letter’s proposed changes are substantive in nature and would fundamentally water down the CCPA’s privacy protections."
It goes on: "Even when the letter does identify a provision where a technical fix is needed, the proposed solution is often excessive in nature and would run counter to the clear intention of the legislation."
Perhaps most significantly, it takes on the core argument that the current law is "unworkable" by arguing: "What is allegedly 'unworkable' today will be workable once companies comply with the law."
This effort to try to rewrite the law was always inevitable after lawmakers in Sacramento were basically forced to pass the legislation in record time in order to prevent a similar proposal being put on the California ballot by three determined citizens.
Under California law anyone with sufficient backing can propose a change to state law – and a proposal by real estate developer Alastair Mactaggart, former civil servant Rick Arney and former CIA analyst and lawyer Mary Stone Ross to introduce a real privacy law looked extremely likely to pass.
Laws passed by ballot measure are much harder for lawmakers to change, so Sacramento reached a deal with the authors in which they promised to pass the Privacy Act if they pulled their ballot measure. The act was signed into law literally hours before a ballot deadline came into effect.
Everyone accepted as a result of the rushed process that the law would need to be tightened up subsequently, and so an 18-month window to make "technical, clean-up amendments" was introduced.
The result – SB 1121 – should, in theory, be a cleaner version of the same law but Big Tech is determined to make as many changes as it can to limit the ability of people living in California to find out what data such companies have on them, and to oblige them to delete it if they don't like it. ®