Tech Giants Are Starting to Line Up for a David-Versus-Goliath Privacy Fight in California

Ballot initiative can drastically change how companies track consumers

Photo Illustration: Tenzin Tsepel; Source: Getty Images
Headshot of Marty Swant

When California voters go to the polls in November, they might have a chance to drastically change how companies collect online data about consumers in the state.

Now that the General Data Protection Regulation, or GDPR, is in effect in Europe, U.S. privacy advocates are focusing efforts on the California Consumer Privacy Act of 2018, an initiative gaining steam in the state.

The act, which has three main objectives—forcing larger companies to disclose what types of information they collect about consumers, giving everyone the option to opt out of being tracked around the web and opening the door to let people sue companies if their data is ever wrongly collected or if information collected is stolen—requires 360,000 signatures to be verified before it goes on the ballot, and organizers have already submitted more than 600,000.

The initiative is being headed up by a core group of three people, none of whom come from the engineering or venture-capital circles of Silicon Valley, the epicenter of the very area that would be most affected by the passage of the proposal.

Rick Arney, a financial executive and one of the organizers, said the idea started two years ago after he and fellow organizers Alastair Mactaggart and Mary Ross couldn’t get traction in the state’s legislature. (Mactaggart comes from the real estate industry, while Ross spent her career in the CIA.)  

“It is not hard to find someone on a subway train that has been a victim of identity theft,” Arney said. “And when you tell people this will help stop that, they say, ‘Where do I sign up?’”  

What does the act actually do?

The act targets larger businesses, those with annual gross revenue of $50 million selling personal information of more than 100,000 consumers or devices, or having at least half of its annual revenue from selling personal information.

“We’ve tried to craft something that’s really common sense. This bill is something that moves the ball forward,” Arney said. “But I’m a businessperson. We’re not here to tear down companies.”

Some of the largest tech companies in the U.S.—and the advertising trade groups that represent them—say the proposal goes much further than existing laws in the U.S. or Europe. 

For example, while the EU allows people to opt out of exchanging data for offers, the California proposal would ban companies from giving preferential economic treatment—discounts or other promotions—to people who willingly provide their data. Some experts say the sweeping measure would also prevent companies like Facebook from having a paid model for those who don’t want their data collected if there’s still a free version for those who don’t mind targeted ads.

Here comes the money

According to disclosures on the California secretary of state’s website, Microsoft donated $195,000 on June 1 to the Committee to Protect California Jobs, an organization set up by the California Chamber of Commerce, which opposes the act. On the same day, Uber also donated $50,000, as did the Association of National Advertisers. On June 8, Amazon dropped $195,000 into the kitty, while on June 12, the Interactive Advertising Bureau ponied up $50,000 on behalf of its members, the ad tech community. And not to be left behind, the Data Marketing Association donated $50,000 on June 5.

AT&T, Facebook, Google, Verizon and Comcast each gave $200,000 earlier this year, but Facebook and Verizon have both since withdrawn their public opposition.

There’s also a public perception incentive for spending $195,000 instead of matching the other donors with an additional $5,000. State law requires donors of $200,000 or more to officially be labeled opponents of an initiative.

“When they find out they can’t use Waze to get home, when they find out they can’t use Amazon to shop…the support [for the Act] sinks,” said Steven Maviglio, a spokesperson for the Committee to Protect California Jobs.

Brad Weltman, vice president of public policy at the IAB, said the proposal could create a bifurcated internet, where Californians and California businesses have a different set of internet laws than the rest of the U.S. He also said the way the California act defines personal information is expansive.

Among the proposal’s definition of “personal information” are identifiers such as a real name, alias, address, IP address, email address and social security number along with biometric data, location data, audio information and employment information.

“I think the biggest piece without question is the economic harm for consumers and businesses,” Weltman said. “This doesn’t advance the ball. If the proponent’s objective was to increase transparency or consumer protection or whatever his goal was, I think he’s done himself a disservice by writing it in the way that he did. … A constructive conversation would have been much more effective.”

California already has plenty of online privacy laws. It was the first state to pass legislation related to data security breaches, enacting one 16 years before the EU. It was also an early mover for mobile privacy with the California Online Privacy Protection Act, which requires companies’ online privacy agreements to disclose when websites track a user’s browsing.

According to Lothar Determann, a principal at the law firm Baker & McKenzie, the California Consumer Privacy Act doesn’t take into account the hundreds of privacy laws already in place in the state, suggesting that it might be difficult for the act to fit within those statutes.

For example, when legislators address a bill, they work to fit it into existing legislation, and passing the act could create a bill that blankets existing laws. However, it’s not as if lawmakers haven’t already tried to do something similar to November’s proposal. A bill introduced last year that would have limited the selling of online data failed to pass the state legislature.

There are other differences between passing a law via ballot initiative or legislation. For example, while lawmakers can add amendments to existing legislation, any changes to a ballot initiative after voter approval would require a supermajority of 70 percent of all state lawmakers.

“If professional lawmakers were working on this, then I think they could be expected to fit this into an already fragmented and completed existing body of California privacy law,” Determann said.

‘As California goes so goes the nation’

There’s more to gain, and more to risk, with the referendum happening in California than if it had happened in other progressive places like Colorado, Vermont or Massachusetts. The state has a long history of being open to voter-led experiments. (There’s an old golden rule about the Golden State: “As California goes so goes the nation.”) And, of course, it’s also home to Silicon Valley. All of this makes for a perfect storm for privacy.

“The initiative is really being propelled now by this tsunami of concern, fear, name your adjective—outrage—that’s been propelled by the Cambridge Analytica and Facebook scandal,” said Jeffrey Chester, executive director at the Center for Digital Democracy, an online advocacy group that recently opened an office in Ventura, Calif.

Or maybe the internet giants of Silicon Valley will be forced to reckon with privacy like the automotive giants of Detroit had to do with car emissions. When the state passed laws to curb greenhouse gasses several years ago, more states joined in, forcing car manufacturers to either create different cars for different states or change their own standards altogether.

Already, lawmakers from a few other states have gotten in touch with California’s privacy advocates to talk about how they might craft bills of their own. Among those considering the idea are Vermont and Wyoming, Arney said.

Passage in California might also trigger action at the federal level either to preempt state legislation or pass something similar. However, with Facebook, Google and others spending millions on lobbying efforts at the national level, the outcome of that legislation could be less than ideal for privacy advocates.

“The problem with legislation is that it looks good and smells good,” Arney said, “but when you open up the hood, it really doesn’t do anything.”

@martyswant Marty Swant is a former technology staff writer for Adweek.