California just passed comprehensive new privacy protections in the form of AB-375 or the California Consumer Privacy Protection Act. While potentially a promising foundation, the rushed creation of the rules—combined with heavy lobbying input from telecom and Silicon Valley giants—could prove to be a problem in the long run.
The bill, which shares some fleeting similarities to Europe’s recently passed GDPR privacy protections, imposes some notable new transparency restrictions on the collection and sale of consumer data to third parties. It also penalizes companies that fail to adequately safeguard private consumer information, or fail to make users quickly aware of breaches and hacks.
The passage of AB-375 is just the latest chapter in a long fight to pass privacy protections in the state, after several previous attempts were derailed by some misleading gamesmanship by industry opponents. Today’s bill was the product of a broader effort to prevent even tougher privacy rules from taking effect in the state.
This November, California residents were originally supposed to vote on a new ballot initiative also named the California Consumer Privacy Act of 2018 (CCPA). The proposal closely mirrored FCC broadband-privacy rules that were killed last year by the GOP and Trump administration after significant lobbying by AT&T, Comcast and Verizon.
State financial disclosure records indicate that Google, Facebook, Amazon, Microsoft, AT&T, Verizon and Comcast all donated heavily in an effort to scuttle the ballot initiative. They subsequently joined forces to help shape today’s “compromise legislation,” which is notably weaker and more malleable than the ballot initiative it was intended to supplant.
Critics of the proposal note that AB-375 was cobbled together in a little under seven days behind closed doors, compared to the four years it took to craft the GDPR. Emails obtained by The Intercept show that tech and telecom sector lobbyists spent weeks trying to water down the proposal, all while publicly professing a breathless dedication to meaningful rules.
The emails note the coalition was attempting to weaken AB-375’s definition of “personal information,” ensure inclusion of language mandating binding arbitration (a process than bans class actions and traditionally is lopsided in favor of giant companies), and remove language requiring that companies make opting out of data monetization a simple, streamlined affair.
Most of these companies aren’t eager to have their names associated with the weakening of privacy rules after the Cambridge Analytica scandal, so the majority are employing proxy lobbying organizations to do the heavy lifting. Even then, many of these organizations remained decidedly mixed on the end product despite their disproportionate influence on its creation.
“We oppose many problematic provisions contained within AB-375 and the unprecedented lack of debate or full legislative process," says Robert Callahan, VP of the Internet Association, whose members include Google, Facebook, and Amazon. "The internet industry will not obstruct or block AB-375 from moving forward, because it prevents the even worse ballot initiative from becoming law in California."
Many industry lobbyists realized that the passage of some type of privacy restrictions in activist-heavy California was inevitable. As such, they saw AB-375 as their best option. Not only because it’s easier to amend than a ballot initiative, but because it’s not going to be officially law until 2020, giving lobbyists ample time to weaken the proposal further via amendment.
While industry giants certainly have the experience to provide valuable insight on what a privacy law should look like, they continue to have a disproportionate level of input on the legislative process despite an obvious lack of credibility on the subject (as the recent LocationSmart, Securus, and Cambridge Analytica scandals should make very clear).
After all, AT&T decided it was perfectly ok to charge its broadband customers hundreds of additional dollars annually just to opt out of data collection in a bid to make privacy a luxury option. And Verizon thought it was a good idea to covertly modify wireless user data packets to track them around the internet without telling them or providing working opt out tools.
Facebook, meanwhile, continues to clearly highlight it has absolutely no real idea what becomes of its users’ data as it bounces through the hands of dozens of somewhat dubious partners.
While each of these companies publicly professes they’re whole-heartedly interested in establishing meaningful privacy guidelines, the reality is the majority oppose truly effective privacy rules, since an empowered, informed consumer is far more likely to opt out of data monetization and collection schemes, costing them billions annually in potential revenue.
So while California’s shiny new privacy may be a promising foundation in the wake of its signature by California Governor Jerry Brown, there’s still ample opportunity for the combined lobbying power of numerous industries to ensure the final bill is a faint echo of its original intent.