Analysis A proposed amendment to California's new data privacy law would drive a huge hole through the legislation, privacy advocates have warned.
The change to the California Consumer Protection Act (CCPA) – in state senate bill 753 – will be reviewed by Cali's Senate Judiciary Committee next week and effectively adds Google and Facebook's entire business models to an exemption list, meaning consumers would not be able to sue tech giants for misusing their personal data.
The exemption list is intended to ensure that companies can use personal data if consumers actively agree to it. However a new addition to the limited list would include any business that "shares, discloses, or otherwise communicates to another business or third party an online identifier, an Internet Protocol address, a cookie identifier, a device identifier, or any unique identifier only to the extent necessary to deliver, show, measure, or otherwise serve or audit a specific advertisement to the consumer."
The change is designed to be defensible as it would require there to be a contract between two companies that would also "prohibit the other business or third party from sharing, selling, or otherwise communicating the information except as necessary to deliver, show, measure, or otherwise serve or audit an advertisement from the business."
But the legalistic language that appears to fit with the law hides its true intent: exempting the system that tech giants use to make money. Under this proposal, so long as they use a form of online bidding for placing ads, they would be exempt from the law.
Emerging browser maker and privacy advocates Brave is having none of it, pointing out in a letter to Cali's Senate Judiciary Committee that the change would "seriously undermine the California Consumer Privacy Act."
It points out: "The amendment would permit companies to broadcast intimate personal information to hundreds of companies every time an ad is served using 'real-time bidding', one of the most common ways that advertisements are sold and served on the Internet."
It goes into fine detail about how bidding systems work and stresses that it is extremely common: "Real-time bidding happens at a staggering scale: hundreds of billions of such auctions every day. Each of these broadcasts can be received by hundreds of companies, which may then pass it on to hundreds more."
As for the sort of information that can be shared in this "limited" exemption, they include someone's age, location, politics, health and mental health, race, and so on. Do you know for example that Google has a specific code for eating disorders (571) and black people (547)?
Allowing the exemption would allow for "the most massive leakage of sensitive personal information ever recorded," Brave notes. And yet the leakage – and the companies behind it – would be exempted from a law that was written specifically to prevent such sharing.
The addition of a contract is a red herring, Brave warns, since such contracts would be "impossible to investigate and enforce" and quotes the Interactive Advertising Bureau's (IAB) own documents that "there is no technical way to limit the way data is used after the data is received by a vendor for decisioning/budding on/after delivery of an ad."
In other words, it is a locomotive of an exemption that the tech industry is trying to drive through the law. And there are, of course, other ways to do advertising and auctioning that wouldn't expose personal data.
This is just the latest effort by the tech industry to undermine the CCPA, which was itself signed into law in the most extraordinary circumstances.
The bill was rushed through California's legislature and signed by the governor in record time for one simple reason: a small group of Californians had succeeded in getting a ballot measure on data privacy accepted and it was due to go to state residents for a vote.
There was little doubt that it would pass, prompting tech giants to lobby lawmakers to get their own version of privacy legislation approved. The ballot proposers agreed to withdraw their measure if the bill was signed into law before a ballot cutoff date – which it was, but only by a few hours.
The logic to move away from a ballot is that a law passed by elected representatives (as opposed to through direct voter approval) can be amended and revised. Given that data privacy in the digital age is a complex business, it seemed like a good idea to allow it to be subject to the spotlight of the normal policymaking process.
Schneier: Don't expect Uncle Sam to guard your web privacy – it's Europe riding to the rescueREAD MORE
But of course, that also gave tech industry lobbyists an opening to push amendments in their favor: something that they have continually done in the 10 months since it was signed into law, with equally concerted pushback by privacy advocates.
Those advocates are backing [PDF] another series of amendments put forward by Assemblymember Buffy Wicks (AB 1760) that would give consumers more of a say of what is done with their personal data and more power to sue companies that break the rules.
Meanwhile, Big Tech is also trying to undermine the entirety of the California law by going to Washington DC and pushing for a federal law that would pre-empt state laws. But, this being Washington, there is no guarantee that the law will ever get passed thanks to partisan politics. ®
Facebook is awful
Incidentally, in case you had forgotten that Facebook is a terrible company that lies incessantly and has no respect for personal data, NBC has got hold of lots of previously unreleased Facebook documents that reveal its executives put dollar values on the user data they had and used that data as leverage in business negotiations despite having claimed for years that they have never done any such thing.
Also, working within Facebook has been described as fresh Hell – who knew?