The fight over the fight for California’s privacy future

The fight over the fight for California’s privacy future
Aurich Lawson / Getty Images

When state Senator Bob Hertzberg learned that an ambitious privacy initiative had gotten enough signatures to qualify for the ballot in California, he knew he had to act quickly.

“My objective,” he says, “was to get the damn thing off the ballot.”

It was the spring of 2018. Facebook’s emerging Cambridge Analytica scandal had cast a harsh light on the tech giants’ data-gathering practices, spurring calls for more consumer privacy protections. The initiative was the brainchild of Alastair Mactaggart, a wealthy San Francisco real estate developer, who had the idea in the shower in 2015 and funded the effort out of pocket. Mactaggart enlisted his neighbor Rick Arney and Mary Stone Ross, a former CIA analyst and lawyer, to help craft the ballot measure. None had any background in data privacy or, for that matter, anything related to the tech industry.

“No one knew who Alastair was,” says Hertzberg, a longtime fixture of California politics whose district includes parts of Los Angeles. “Who is this guy, and where is he coming from? All of a sudden he writes a check, spends a couple years, does some homework, and does a ballot initiative.” If enough voters approved the initiative that fall, it would put in place extensive new regulations that could only be amended if the legislature mustered a 70 percent supermajority.

The prospect alarmed Hertzberg and some of his colleagues. “The reason we thought it was horrible wasn’t because he didn’t do a lot of good things that were consumer-facing; of course he did. But he put a 70 percent threshold. And in my world, a 70 percent threshold basically gives the other party all the power.”

Much better, he thought, to address the problem of data privacy through the legislative process. So Hertzberg approached Mactaggart with a deal: work with him to craft a bill and, once it passes, withdraw the ballot initiative. Mactaggart agreed. That June, after a few months of intense negotiation, the legislature unanimously passed the California Consumer Privacy Act. It was the most ambitious data privacy law in the nation—but it quickly proved inadequate. The rushed and contentious drafting process left enormous loopholes in the law, and it didn’t provide the resources necessary for its own enforcement. Legislators spent the early part of 2019 introducing bills to fix those flaws before the law took effect but didn’t get anywhere. (There was also a series of bills that tried, and failed, to pare back the law further.)

So, about a year after the CCPA was passed—but before it had gone into effect—Hertzberg, who by then was majority leader of the California State Senate, pitched a new idea to Mactaggart. In a total reversal from his earlier stance, Hertzberg urged Mactaggart to bypass the legislative process. Instead, he should fund and draft a new ballot initiative to improve upon the CCPA. And this one wouldn’t be a bargaining chip. It would go all the way to a vote by the people of California. Thus was born the California Privacy Rights Act, which will appear on Californians’ ballots this fall as Proposition 24.

“We have to go back to the ballot”

“The only way we’re going to do this is, we have to go back to the ballot,” Hertzberg recalls saying. Legislation looked like a dead end. “Because we had made mistakes—not horrible mistakes, but mistakes—in CCPA, all the business people were using it to cut up our credibility. Washington people were saying, ‘See, California doesn’t know what they’re doing.’ Given the timing, given the speed, we realized that we had to do another initiative.”

Hertzberg’s flip-flop on the ballot initiative question is just one way in which Proposition 24 has scrambled political dynamics in California. The initiative has also divided privacy advocates who previously fought on the same side. Mactaggart’s former ally, Ross, is leading the opposition and has enlisted allies that include the American Civil Liberties Union and consumer-advocacy groups. “The CCPA was a lot weaker than the [original] initiative, but at the same time it was, and still is, the strongest consumer privacy law in the nation,” she says. “And this initiative weakens it.”

Whenever regulation is on the table, members of the affected industry can be expected to line up in opposition. But privacy advocates resisting a privacy initiative is less intuitive. How did Proposition 24 upend these alliances? The answer is: it’s complicated. Not just the situation, but the measure itself.

Problematic predecessor

You can’t understand Proposition 24 without first understanding how lame the CCPA turned out to be.

The law was intended to give Californians the right to know what data businesses are collecting about them, to opt out of the sale of that data, and to make businesses delete the data they’ve already gathered. But those rights are mostly theoretical, thanks to a handful of missteps by the law’s drafters. First, the CCPA specifies that users have the right to opt out of the “sale” of their data. But tech companies argue that many transfers of user information that seem to raise privacy concerns aren’t sales at all, because no one is paying for data: websites commonly give user data to third parties like Facebook in order to more effectively sell subscriptions and advertising.

“We did all this work and Google can still take all your information, Facebook can still put a pixel on a website.”

Second, the CCPA ended up including an exception for “service providers” who need user data to perform a “business purpose.” Companies like Facebook and Google have seized on that language, arguing that they provide the service of microtargeted advertising. Taken together, the two provisions essentially exempt targeted advertising from the privacy law—which, given how central advertising is to all the tracking of users online, is a bit like exempting coal plants from a law promoting clean air.

“The ‘sale’ and the ‘service provider’ issue are two huge loopholes that companies are currently exploiting,” says Justin Brookman, the director of consumer privacy and technology policy at Consumer Reports. “If you say, ‘Do not sell’ today, many companies are doing nothing.”

Mactaggart rues the fact that, as he sees it, tech lobbyists managed to get the service provider clause into the bill. “I caught a bunch of the things they were trying to do, but I didn’t catch this one.” As a result, he says, when it comes to cutting down on the biggest sources of online tracking, “We literally didn’t do anything. We did all this work and Google can still take all your information, Facebook can still put a pixel on a website. All they have to do is have a contract with that website, and one of the business purposes says ‘advertising and marketing,’ and boom.”

The other big CCPA shortcoming is enforcement. The original ballot-initiative version of the law would have let any Californian sue a company that violated its provisions—a so-called private right of action. But that provision, which tech companies vehemently opposed, got killed in the negotiation process. In the end, the law gives the state attorney general the exclusive power to enforce it. (Ross disagreed so bitterly with that concession, along with giving up on the 70 percent threshold, that she and Mactaggart stopped speaking.)

Enter the attorney general

“One decision we made was, we’re just going to give the power to oversee this to the California attorney general,” says Hertzberg. That position is currently held by Xavier Becerra, a fellow Democrat. “I thought I was doing him a big favor by giving him the power to ultimately decide all these issues in privacy,” Hertzberg says. In fact, Becerra has said his office only has the resources to bring a handful of cases a year. Even if he had more, the law lets businesses avoid punishment if they “cure” a violation that gets flagged. There is little reason for businesses to take it very seriously.

Data from the first six months of the law’s existence suggests that it hasn’t changed the privacy game for consumers all that much, either. According to an analysis by DataGrail, a company that helps businesses comply with privacy laws, there were only 82 “Do not sell” requests for every million consumer records in that timespan.

The point of Proposition 24 is to patch the holes currently making the CCPA such a leaky privacy vessel. If approved by California voters, the initiative would change the law’s “Do not sell” provision to “Do not sell or share” to eliminate any wiggle room for unremunerated data transfers, and it clarifies that targeted advertising does not count as a “business purpose” that exempts companies from complying with user opt-outs. It also aims to beef up enforcement by requiring the legislature to appropriate $10 million in annual spending for an entire new privacy-protection agency. And unlike the 2018 ballot initiative, Proposition 24 allows the legislature to make future changes with a simple majority vote—but only if those changes enhance, rather than weaken, the purposes of the law.

“We’re not trying to create a new ceiling, we’re trying to raise the floor,” says Andrew Yang, the former presidential candidate. Yang, who chairs the advisory board for Mactaggart’s Californians for Consumer Privacy, is one of several prominent supporters of the initiative, along with congressman Ro Khanna and tech theorist Shoshana Zuboff. “It preempts tech companies’ ability to water down the CCPA and make it toothless. And it leaves up to all of us how we want to continue to develop people’s privacy rights and data rights. If it doesn’t include everything that you want, fantastic—let’s get this one in place and then champion something else that continues to raise the floor.”

https://arstechnica.com/?p=1708760