California’s landmark data privacy law won’t take effect until 2020. In the meantime, lawmakers are fine-tuning it. Here’s what to watch.
When California passed the nation’s first law giving consumers control over their personal data last year, legislators built in an unusual buffer: an extra year to change the law before it takes effect in 2020.
Lawmakers and lobbyists are now making use of the time, submitting at least 20 bills in recent weeks that would adjust, tweak—or perhaps ultimately gut—California’s unique privacy protections. Privacy advocates are fighting to make the law even broader, while businesses and tech companies want to see it narrowed. The dynamic could force lawmakers to choose between constituents who overwhelmingly feel they have lost control of how their personal information is collected and used, and businesses (including many campaign donors) who argue that broad privacy protections could fundamentally damage the internet economy.
The issue landed in the Capitol with huge urgency because of a San Francisco real estate developer named Alastair Mactaggart. Last year—haunted, he has said, by a dinner party chat with a Google engineer who told him Americans would be stunned to know what the tech giant knew about them—he spent $3.2 million to put a data privacy law on the ballot. Tech companies poured $1 million into an a campaign to fight it, then decided they’d rather seek a compromise in the Legislature. Lawmakers rushed to pass a privacy law last summer, and Mactaggart pulled his measure off the ballot.
“I was aware when I withdrew the initiative that that would open us up to the possibility of change, both bad and good,” Mactaggart said to a panel of lawmakers this month. “I believe you guys are going to do a great job defending this bill, and making sure that when it goes into effect next year it’s a great bill for California and for the world.”
The law requires that companies tell customers what information it collects about them and who they sell the data to. It also requires that companies give customers an easy way to opt out of having their data sold, and limits how much more they can charge those who do.
It’s too soon to say exactly how or whether lawmakers will wind up changing the privacy law. Many of the bills that have been introduced are mere placeholders, and it’s still early in the legislative year. A lot can change before lawmakers cast their final votes in September.
But a few general themes have already emerged. Here’s what to watch as California’s privacy battle unfolds:
Teeth are a big fight
A key aspect of last year’s compromise between tech companies and privacy advocates was minimizing the opportunity for lawsuits. Under the deal they reached, the law only allows lawsuits over data breaches. But that’s now up for debate, with new bills giving Californians the right to sue companies that break other aspects of the privacy law, such as if they don’t give customers the opportunity to opt out of having their data sold or don’t delete data upon customers’ requests.
“In order to make sure they comply with the law, we need to make sure people can exercise their rights,” said Democratic Sen. Hannah-Beth Jackson of Santa Barbara, who is carrying a bill that would expand the ability to sue under the privacy law. “If you don’t violate the law, you are not going to get sued.”
Big business is likely to push back hard.
Chamber of Commerce lobbyist Sarah Boot said changing the privacy law to allow for more lawsuits would trigger “a class action bonanza.”
“Frankly, our court system can’t handle that. California businesses can’t handle it. And the California economy can’t handle that,” Boot said in a hearing before Jackson’s bill was introduced.
Another flashpoint is a change the tech industry wants—limiting which bits of information consumers can opt out of having sold. Tech companies argue that the law should be narrowed so they can still exchange non-identifiable information with advertisers about, for instance, users’ devices and operating systems.
“Treating this as the sale of personal information jeopardizes the underpinnings of the internet,” said Internet Association lobbyist Kevin McKinley.
Privacy advocates caution that some changes that seem small may actually weaken the law.
“Powerful tech companies and their clever lobbyists know how complex privacy policies are and what they may present as a small tweak here and there can fundamentally change the entire law and completely obliterate the rights people have,” said a statement from Jim Steyer, CEO of Common Sense Media, a nonprofit that is part of a coalition of privacy advocates.
Politics aren’t on usual lines
Lawmakers passed the privacy bill last year with a sweeping bipartisan vote, and the issue continues to resonate across the political spectrum.
Republicans—trying to make themselves relevant in a Legislature where Democrats have an enormous majority—have introduced a package of privacy bills, including one that would require social media companies to permanently delete data when people delete their account, and another that would prohibit companies from saving the voice commands people give smart speakers such as Amazon’s Alexa.
GOP Assemblyman Jordan Cunningham said he’s gotten some blowback from business lobbyists who are used to having Republicans on their side.
“Some people are like, ‘What are you guys doing?’” said Cunningham, of San Luis Obispo.
“Privacy is a nonpartisan issue to me. It’s a nonpartisan issue to my constituents. When I talk to people in my district, they uniformly want this stuff. They know their data is being used in ways they’re not aware of.”
Democrats control the legislative process, so one political question to watch is whether they allow Republican privacy bills to advance, or quietly kill them by preventing them from coming up for a vote.
The other political question is whether Democrats themselves will split over any of the proposals, as happens on many fights in the Capitol that impact big business.
“I think there will be a real battle between the pragmatists and the idealists,” said Steve Maviglio, a Democratic political consultant who worked on the tech companies’ brief campaign against the privacy ballot measure. “That’s where it’s going to lie.”
Washington is a wildcard
While California is debating changes to its privacy law, federal lawmakers are also considering a nationwide version. At a pair of hearings this week in Washington, House Democrats vowed to get tough on tech companies and Senate Republicans said they would like to pass a national privacy law that overrides California’s.
Internet companies would prefer a single national law to a patchwork of rules across the states. Privacy advocates, meanwhile, have argued that any nationwide privacy law should be structured to set a tough minimum baseline of privacy protections that state laws could build on.
Built into the argument is the sense, on both sides, that California’s size and market influence will do for internet regulation what it did for rules around auto emissions—force the industry to essentially default to California’s regulations as the national standard.
There, too, California politics could be a factor.
Mactaggart says he thinks it’s unlikely that Congress will pass a law that would substantially weaken California’s, given the size of the state and the prominence Californians hold in the House—both the speaker, Democrat Nancy Pelosi, and the minority leader, Republican Kevin McCarthy, hail from the Golden State.
“It’s going to be hard for them to step in and gut a law that protects one in eight Americans,” Mactaggart said.