Tech Giants Are Starting to Line Up for a David-Versus-Goliath Privacy Fight in California

Ballot initiative can drastically change how companies track consumers

Photo Illustration: Tenzin Tsepel; Source: Getty Images

When California voters go to the polls in November, they might have a chance to drastically change how companies collect online data about consumers in the state.

Now that the General Data Protection Regulation, or GDPR, is in effect in Europe, U.S. privacy advocates are focusing efforts on the California Consumer Privacy Act of 2018, an initiative gaining steam in the state.

The act, which has three main objectives—forcing larger companies to disclose what types of information they collect about consumers, giving everyone the option to opt out of being tracked around the web and opening the door to let people sue companies if their data is ever wrongly collected or if information collected is stolen—requires 360,000 signatures to be verified before it goes on the ballot, and organizers have already submitted more than 600,000.

The initiative is being headed up by a core group of three people, none of whom come from the engineering or venture-capital circles of Silicon Valley, the epicenter of the very area that would be most affected by the passage of the proposal.

Rick Arney, a financial executive and one of the organizers, said the idea started two years ago after he and fellow organizers Alastair Mactaggart and Mary Ross couldn’t get traction in the state’s legislature. (Mactaggart comes from the real estate industry, while Ross spent her career in the CIA.)  

“It is not hard to find someone on a subway train that has been a victim of identity theft,” Arney said. “And when you tell people this will help stop that, they say, ‘Where do I sign up?’”  

What does the act actually do?

The act targets larger businesses, those with annual gross revenue of $50 million selling personal information of more than 100,000 consumers or devices, or having at least half of its annual revenue from selling personal information.

“We’ve tried to craft something that’s really common sense. This bill is something that moves the ball forward,” Arney said. “But I’m a businessperson. We’re not here to tear down companies.”

Some of the largest tech companies in the U.S.—and the advertising trade groups that represent them—say the proposal goes much further than existing laws in the U.S. or Europe. 

For example, while the EU allows people to opt out of exchanging data for offers, the California proposal would ban companies from giving preferential economic treatment—discounts or other promotions—to people who willingly provide their data. Some experts say the sweeping measure would also prevent companies like Facebook from having a paid model for those who don’t want their data collected if there’s still a free version for those who don’t mind targeted ads.

Here comes the money

According to disclosures on the California secretary of state’s website, Microsoft donated $195,000 on June 1 to the Committee to Protect California Jobs, an organization set up by the California Chamber of Commerce, which opposes the act. On the same day, Uber also donated $50,000, as did the Association of National Advertisers. On June 8, Amazon dropped $195,000 into the kitty, while on June 12, the Interactive Advertising Bureau ponied up $50,000 on behalf of its members, the ad tech community. And not to be left behind, the Data Marketing Association donated $50,000 on June 5.

AT&T, Facebook, Google, Verizon and Comcast each gave $200,000 earlier this year, but Facebook and Verizon have both since withdrawn their public opposition.

There’s also a public perception incentive for spending $195,000 instead of matching the other donors with an additional $5,000. State law requires donors of $200,000 or more to officially be labeled opponents of an initiative.

“When they find out they can’t use Waze to get home, when they find out they can’t use Amazon to shop…the support [for the Act] sinks,” said Steven Maviglio, a spokesperson for the Committee to Protect California Jobs.

Brad Weltman, vice president of public policy at the IAB, said the proposal could create a bifurcated internet, where Californians and California businesses have a different set of internet laws than the rest of the U.S. He also said the way the California act defines personal information is expansive.

Among the proposal’s definition of “personal information” are identifiers such as a real name, alias, address, IP address, email address and social security number along with biometric data, location data, audio information and employment information.

“I think the biggest piece without question is the economic harm for consumers and businesses,” Weltman said. “This doesn’t advance the ball. If the proponent’s objective was to increase transparency or consumer protection or whatever his goal was, I think he’s done himself a disservice by writing it in the way that he did. … A constructive conversation would have been much more effective.”

California already has plenty of online privacy laws. It was the first state to pass legislation related to data security breaches, enacting one 16 years before the EU. It was also an early mover for mobile privacy with the California Online Privacy Protection Act, which requires companies’ online privacy agreements to disclose when websites track a user’s browsing.

Recommended articles