California's politicians rush to gut internet privacy law with pro-tech giant amendments

Meanwhile, the only pro-privacy proposal gets quietly pulled

Analysis The right for Californians to control the private data that tech companies hold on them may be undermined today at a critical committee hearing in Sacramento.

The Privacy And Consumer Protection Committee will hold a special hearing on Tuesday afternoon to discuss and vote on nine proposed amendments to the California Consumer Privacy Act (CCPA) – which was passed last year in the US state but has yet to come into force. Right now, the legislation is undergoing tweaks at the committee stage.

Privacy advocates are warning that most of the proposals before the privacy committee are influenced by the very industry that the law was supposed to constrain: big tech companies like Google, Facebook, and Amazon.

In most cases, the amendments seek to add carefully worded exemptions to the law that would benefit business at the cost of consumer rights. But most upsetting to privacy folk is the withdrawal of an amendment by Assemblymember Buffy Wicks (D-15th District) that incorporated changes that would enhance consumer data privacy rights.

Wicks' proposal would have given consumers more of a say of what is done with their personal data and more power to sue companies that break the rules. But the Assemblymember pulled the measure the day before the hearing because it was not going to get the necessary votes. If a measure is voted down it cannot be reintroduced in that legislative session.

“The public wants more consumer protections and assurances that their private information stays private,” said Wicks in a pretty meaningless canned statement to The Reg.

“I am proud to be a part of an impressive group of privacy and advocacy organizations looking to strengthen the landmark California Consumer Privacy Act. Big change is hard and I am committed to continue fighting for effective legislation that puts Californians consumer privacy first.”

Assemblymember Wicks will continue working with stakeholders and fellow legislator to bring it back to committee in 2020, her spokesperson said.

Among the proposals that will now be considered are:

  • AB 25 – authored by committee chair Ed Chau (D-49th District) – which would exempt companies from the rules as it applies to their employees i.e. companies would be able to collect whatever data they wanted on employees and not be obliged to let them know what it was.
  • AB 846 – authored by Assemblymember Autumn Burke (D-62nd District) – that would allow companies running loyalty card programs to charge people to gain access to the private data held on them.
  • AB 873 – from Jacqui Irwin (D-4th District) – does three things: it removes "households" from the rules - meaning that things like Amazon's Alexa digital assistant would not be included under the law; it exempts data that has been "deindentified" i.e. does need connect directly to a specific person – which would create a large loophole for companies like Facebook; and it loosens the definition of what "personal information" actually is, which would open another data loophole.
  • AB 874 – also from Irwin – that exempts "publicly available information" from the rules – which could open up a large loophole for tech companies who scrape databases to find data to associate with existing user data and then package together for advertisers.
  • AB 1564 – from Marc Berman (D-24th District) – that removes the requirement for companies to offer both a phone number and an email address for netizens to submit requests for information. The change would require only one method – and the company can choose which. Privacy advocates argue this would likely disadvantage people without ready access to the internet.

The other four amendments are intended to clean up the law rather that create specific loopholes – such as exempting vehicle information from the rules, defining the meaning of "social media", and so on.


Hey, remember that California privacy law? Big Tech is trying to ram a massive hole in it


The amendments are just the latest example of the overweening influence of lobbyists in Sacramento. The law was only passed when a small group of Californians decided that the only way to constrain tech giants' vast databases of personal data was to put the issue to a direct voter ballot – because the issue would never make it through the normal policymaking processes thanks to special interests.

That ballot measure was pulled at the very last minute after the people behind it agreed that if Sacramento passed a privacy law, they would step away. The California Consumer Privacy Act was approved and signed into law in record time.

But before the law comes into effect, lawmakers are allowed to put forward amendments and Big Tech has been fighting furiously ever since to write loopholes into the law.

The worst proposed change is currently in the California Senate where state senate bill 753 would effectively exempt Google and Facebook's entire business models. ®

Keep Reading

Marketers for an Open Web ask UK competition watchdog to block launch of Google's anti-tracking Privacy Sandbox

Group claims adtech 'has nothing to do with privacy' but is rather an attempt 'to take control of the web'

EFF off: Privacy Badger disables by default anti-tracking safeguard that can be abused to track you online

Google has a word with digital rights warriors

Micropayments company Coil distributes new privacy policy with email that puts users' addresses in the ‘To:’ field

Hundreds of email addresses exposed, customers predictably less-than-thrilled

Reply-All storm flares as email announcing privacy policy puts 500 addresses in the 'To' field, not 'BCC'

Newsletter-as-a-service outfit Substack does the usual apologising

Apple: Yeah, about those ground-breaking privacy features in iOS 14 – don't expect them until next year

'Fundamental right to privacy' can wait – Facebook and others are annoyed

Apple wants privacy 'nutrition labels' on all new and updated apps in its software store from next month

How many grams of carbo-spy-drates are in your favorite applications?

Brave browser first to nix CNAME deception, the sneaky DNS trick used by marketers to duck privacy controls

Next release will block third-party trackers posing as first-party resources

Global Privacy Control emerges as latest attempt to let netizens choose whether they want to be tracked online

It's Do Not Track II: The Wrath of Ashkan and Sebastian... Caaaaaaaan't you stop stalking us around the internet

Biting the hand that feeds IT © 1998–2020