The California Consumer Privacy Act is a landmark. It gives Californians greater privacy protection than consumers anywhere this side of Europe.
But it's imperfect and vulnerable to gutting by business interests working their magic in the state Legislature. So Alastair Mactaggart, the wealthy real estate investor behind the privacy law, has put up a ballot initiative to strengthen the law and inoculate it from the mischief of business lobbies.
It will appear on the November ballot as Proposition 24. MacTaggart has funded the pro-24 campaign with about $5 million of his own funds so far. Business interests so far have kept a low profile on Proposition 24, but signs have emerged that they may already be sharpening their knives against it.
The campaign to defeat the measure has dressed itself up with sober-sounding concerns about moving too fast to change the privacy law before it has had a chance to work, and creating new burdens on small businesses, and establishing a "duplicative" new state bureaucracy to oversee privacy rights. Some of the opponents' concerns are legitimate, but many others are not.
Make no mistake: If Proposition 24 is defeated, the beneficiaries would be businesses that want to exploit your privacy without your consent.
In the wake of the initiative's failure, "I fear that industry would be emboldened to come to the Legislature next year and ask to weaken the CCPA," says Maureen Mahoney, policy analyst in the California office of Consumer Reports. (Consumer Reports hasn't taken a formal stand on the measure.)
There's good reason for Mahoney's concern. After the passage of the CCPA, the California Chamber of Commerce and other big business lobbies inundated the Legislature with measures to gut it, to the point where fighting the bills and getting them watered down became nearly a full-time job for privacy advocates.
The most damaging measures were stopped, Mahoney reports, but some others made it through the Sacramento sieve.
Mactaggart says the experience underscored the need to give the privacy act greater protection to "level the playing field" against "businesses with trillions of dollars of corporate value and extraordinary power." The ballot measure allows the Legislature and governor to amend the privacy act only if the changes "further the purpose and intent" of the law.
Data-driven tech companies are plainly unhappy with the privacy law. In its latest quarterly report, Facebook warned investors that the "limitations on our advertising services, or reductions of advertising by marketers" resulting from the law "have to some extent adversely affected, and will continue to adversely affect, our advertising business."
Companies reliant on personal data have reason to fear that California's law will be replicated by other states, and possibly at the federal level.
It's curious, then, that Proposition 24 is facing opposition from some groups and individuals normally considered privacy advocates, such as the ACLU of California. But, as we'll explain, some of the opponents' arguments don't show them in the best light.
Let's briefly examine what Proposition 24 would accomplish.
In addition to raising roadblocks to efforts to gut the law, the measure would improve enforcement by creating a state agency to do the job, with funding of at least $10 million a year.
The existing law places the burden of enforcement chiefly on the state attorney general, but Atty. Gen. Xavier Becerra has said that his office has only "limited resources" to shoulder the task, and that he would be able to bring only a handful of cases per year.
The initiative would close several loopholes in the law that have already been exploited by companies such as Amazon, Google and Spotify. They include provisions related to targeted advertising — online ads aimed at users based on personal data scraped from their browsers; the initiative, Mahoney says, would give consumers more control over how companies use that data.
The initiative also would grant an exemption from data-collection rules for more small businesses that collect information from fewer than 100,000 customers or households a year (up from 50,000 in the existing law).
Some opponents assert that the initiative falls short of their ideal.
They observe that it fails to provide for an "opt-in" default requiring businesses to avoid collecting personal data unless the consumer affirmatively allows it, rather than an "opt-out" system by which consumers are given the chance to bar collection of their personal information.
They say the initiative would require consumers to "pay for privacy" by allowing businesses to charge customers higher prices if they refuse to allow their information to be collected.
Mactaggart and other defenders of the measure say these objections are exaggerated or based on misunderstandings of the rules.
The "pay for privacy" provision is already part of the privacy law. Both the law and the initiative make clear that a price difference can't be larger than the value to the business of the withheld data, which is generally measured in cents or a few dollars at most.
In other words, customers who refuse a retailer the right to use their personal data as part of a "loyalty" or frequent-user program can't be charged double the price on a given item for not giving up their privacy, though they might be charged a few cents or bucks more.
Many privacy advocates appear to be holding out for a simple yet all-encompassing statute. Yet that's an unrealistic goal, says Chris Hoofnagle, a privacy expert at UC Berkeley, a former staff member of the influential Electronic Privacy Information Center and a supporter of the initiative.
"They favor a law that can't be passed politically or that the Supreme Court will strike down," Hoofnagle told me. The Supreme Court signaled in a 2011 case that it would find opt-in clauses to be unconstitutional breaches of businesses' free speech rights.
Some of the objections aren't exactly paragons of consistency. Consider those of Mary Stone Ross, a lawyer and former colleague of Mactaggart's in the original project to pass the privacy law, who is now head of the No on 24 campaign.
Ross, who has described herself as a privacy advocate, counts some high-tech companies subject to the privacy law among her consulting clients. She says it's too soon to pass an initiative addressing a law that went into effect only Jan. 1.
"We already have all this time and energy expended toward compliance," Ross told me. "The law is so new we don't know what's working and what's not working."
She complains that the new state agency would add another layer of bureaucracy and cost too much "at a time when we can't even pay our firefighters." (Ten million dollars would come to about five thousandths of a percent of the state's $202-billion budget this year.)
Not only do those arguments sound as if they came directly from the Chamber of Commerce playbook, but they're also at odds with points Ross made in an article published in January. She argued then, as the article headline stated, that the privacy law "doesn't go far enough."
She wrote then that "industry has relentlessly lobbied for legislation that will fundamentally undermine" the privacy law. She called leaving enforcement in the hands of an attorney general with inadequate resources "one of the most egregious mistakes in the drafting of the law ... rendering the CCPA largely toothless."
It's impossible to know who else is behind Ross' No on 24 campaign because the campaign hasn't filed a single donor disclosure report with the California secretary of state's office.
Ross says the campaign is complying with all the disclosure rules in state law, but that's just a dodge based on the peculiarities of the disclosure calendar.
The campaign won't be required to file its first disclosure reports until late September. Nothing in the law prevents it from revealing its donors earlier, however — it's merely putting off the day of public reckoning until it has no choice.
Yet someone must be bankrolling the campaign — it has hired campaign consultants, created a website and issued press releases. "We're not a self-funded multi-millionaire that has the money to be doing this," Ross said.
That's a swipe at Mactaggart, but Ross has some nerve because the reason we know about MacTaggart's contribitions is that his campaign committee has filed the disclosures that Ross' committee hasn't, covering the time span from December through Aug. 24. I asked Ross' campaign for up-to-date data on its fundraising and spending, and was rebuffed.
That's not the only curious aspect of Ross' campaign. After the state political party conventions in June, her committee issued a press release stating that both state parties "rejected" Proposition 24.
That was true of the Republican Party, but a lie as it applied to the Democratic Party. The Democrats at their convention decided to remain neutral on Proposition 24. Ross tried to tell me that this was tantamount to a rejection, but in the real world it is not. Period.
Ross declined to tell me what businesses or individuals she has approached for contributions through a pitch letter seeking $500,000 to carry the campaign through July and August. She says she's not averse to taking money from the tech industry, even though it's a central target of the privacy law.
"They should give us money," she told me. "We've shown that once we get our message out to policy makers and voters, they realize they should vote no."
Consumers should be very nervous about any effort to block an upgrade to California's groundbreaking privacy law at the ballot box that welcomes contributions from its own targets. The law isn't perfect, and neither is the initiative. They're both complicated, which leaves the path open to misrepresentation by their opponents.
But that complexity is inevitable, Hoofnagle says. "There is no way to write a simple privacy law because a simple law would be unworkable." Of the CCPA, he says, "In the history of privacy laws in California, no one has ever been able to get a law this strong."
©2020 the Los Angeles Times, Distributed by Tribune Content Agency, LLC.
