When state Senator Bob Hertzberg learned that an ambitious privacy initiative had garnered enough signatures to qualify for the California ballot, he knew he had to act quickly.
“My goal was to get the damn thing out of the polls,” he says.
It was spring of 2018. The emerging Cambridge Analytica scandal on Facebook shed a harsh light on the data-gathering practices of the tech giants, spurring calls for more protection of consumer privacy. The initiative was the brainchild of Alastair Mactaggart, a wealthy San Francisco real estate developer who had the idea in the bathroom in 2015 and funded the effort out of his pocket. Mactaggart enlisted his neighbor Rick Arne and Mary Stone Ross, a former CIA analyst and lawyer, to help draft the ballot. None of them had any background in data privacy or, for that matter, anything related to the tech industry.
“Nobody knew who Aleister was,” says Hertzberg, a longstanding fixture of California politics that includes parts of Los Angeles. Who is this man and where did he come from? Suddenly he writes a check, spends two years, does some homework, and takes the ballot. ”If enough voters agree to the initiative that fall, it will create broad new bylaws that can only be amended if the legislature musters an overwhelming 70 percent majority.
This prospect alarmed Hertzberg and some of his colleagues. “The reason we thought it was terrible wasn’t because it didn’t do a lot of good things that were facing the consumer; of course he did. But he set the 70 percent threshold. And in my world, the 70 percent threshold gives the other party all the power.”
He believed it would be much better to address the data privacy issue through the legislative process. So Hertzberg approached Mactaggart with a deal: work with him to draft a bill, and, once passed, withdraw the ballot initiative. Mactaggart agreed. In June of that year, after a few months of intense negotiations, the legislature passed unanimously California Consumer Privacy Act. It was the nation’s most ambitious data privacy law – but it quickly proved inadequate. The urgent and controversial drafting process left massive loopholes in the law, and did not provide the resources to enforce it. Legislators spent the first part of 2019 introducing bills to fix these flaws before the law came into effect but nothing was achieved. (There was also a A series of bills Which tried, and failed, to reduce the law further.)
So, about a year after the California Consumer Privacy Act was passed – but before it came into effect – Hertzberg, who was at the time the majority leader in the California Senate, introduced a new idea on Mactaggart. In a complete reversal of his earlier position, Hertzberg urged Mactaggart to bypass the legislative process. Instead, he should fund and craft a new ballot initiative to improve CCPA. This will not be a bargaining chip. He would have gone to vote by Californians. And this is how the California Privacy Rights Act was born, which will appear on California residents’ ballots this fall as Proposition 24.
“We have to go back to polling.”
“The only way we’re going to go back to polling,” remembers Hertzberg. The legislation seemed to be a dead end. “Because we made mistakes – not terrible mistakes, but mistakes – in CCPA, all business people used them to undermine our credibility. People in Washington were saying, ‘Look, California doesn’t know what they’re doing.’ Looking at the timing, and looking at the speed, we realized we had to Take another initiative. “
Hertzberg’s upturn on the ballot initiative question is just one way in which Proposition 24 has mixed political dynamics in California. The initiative also split the privacy advocates who had previously fought on the same side. Mactaggart’s former ally, Ross, leads the opposition and has recruited allies including the American Civil Liberties Union and consumer advocacy groups. “The CCPA was much weaker than [original] An initiative, but at the same time it was and still is the strongest consumer privacy law in the country. ”“ This initiative weakens it. ”
When regulation is on the table, members of affected industry are expected to line up in opposition. But privacy advocates who resist the privacy initiative are less intuitive. How does Proposition 24 turn these alliances upside down? Answer: It’s complicated. Not only the situation, but the measure itself.
You cannot understand Proposition 24 without first understanding how weak California Consumer Privacy Protection Act is.
The law was intended to give Californians the right to know what data companies are collecting about them, to opt out of selling that data, and to have companies delete the data they have already collected. But these rights are mostly theoretical, thanks to a few slips by lawmakers. First, the CCPA specifies that users have the right to opt out of the “sale” of their data. But tech companies argue that many of the transfers of user information that appear to raise privacy concerns are not sales at all, because no one pays for the data: websites typically provide user data to third parties such as Facebook in order to more effectively sell subscriptions and ads. .
“We did all the work and Google can still take all of your information, and Facebook can still place a pixel on a website.”
Second, the California Consumer Privacy Act (CCPA) ended up including an exception for “service providers” who need user data to perform a “business purpose”. Companies like Facebook and Google have exploited this language, arguing that they offer a small targeted ad service. Taken together, the two provisions essentially exclude targeted advertising from the privacy law – which, given how important advertising is to all tracking users online, is somewhat similar to exempting coal plants from a law promoting clean air.
Justin Brockman, director of consumer privacy and technology policy at Consumer Reports, says the “selling” and “service provider” issue are two big loopholes that companies are currently exploiting. “If you say, ‘don’t sell’ today, many companies are doing nothing.”
Mactaggart laments the fact that, as he sees it, tech lobbyists have been able to include a provider clause in the bill. “I picked up a bunch of things they were trying to do, but I just didn’t get this.” As a result, he says, when it came to downsizing the biggest sources of tracking online, “We literally did nothing. We’ve done all the work and Google can still take all of your information, and Facebook can still place a pixel on a website. All they have to do is. Get a contract with this site, and one of the commercial purposes says “advertising, marketing, and prosperity.”
The other big flaw in California’s Consumer Privacy Protection Act is enforcement. The original ballot initiative version of the law would have allowed any California citizen to sue a company that violates its provisions – the so-called private right to work. But this provision, which the tech companies vehemently opposed, was killed in the negotiation process. Ultimately, the law gives the state attorney general the exclusive authority to enforce it. (Ross disagreed so strongly with that privilege, along with abandoning the 70 percent threshold, that she and Mactaggart stopped speaking.)
Enter the Attorney General
“One of the decisions we made was,” says Hertzberg, “that we’re only going to give oversight authority over this to the California attorney general.” This position is currently held by Xavier Becera, fellow Democrat. “I thought I was doing him a great favor by giving him the ultimate power to decide on all these privacy issues,” says Hertzberg. In fact, Becera said his office only has the resources to raise a few cases annually. Even if it has more, the law allows companies to avoid punishment if they “fix” a reported violation. There is no good reason for companies to take it seriously.
Data from the law’s first six months in existence indicates that it hasn’t changed the privacy game for consumers much either. According to an analysis by DataGrail, a company that helps companies comply with privacy laws, there were only 82 “no-sell” requests for every million consumer records in that time period.
The goal of Proposition 24 is to correct the holes that make the California Consumer Privacy Protection Act (CCPA) a leaked privacy ship. If approved by California voters, the initiative will change the “no-sell” clause in the law to “not sell or share” to remove any room for maneuver for unpaid data transfers, and clarify that targeted advertising is not a “commercial purpose” “that exempts It also aims to boost enforcement by requiring the legislature to allocate $ 10 million in annual spending to the all-new Privacy Protection Agency. And unlike the 2018 ballot initiative, Proposition 24 allows the legislature to make future changes by a simple majority – but only if it is These changes reinforce, rather than weaken, the purposes of the law.
“We’re not trying to create a new roof, we’re trying to raise the floor,” says former presidential candidate Andrew Yang. Yang, who chairs the Mactaggart-based advisory board in California on consumer privacy, is a prominent proponent of the initiative, along with Congressman Ro Khanna and tech theorist Shoshana Zuboff. “It preempts tech companies’ ability to loosen the CCPA and make it toothless. It leaves us all how we want to continue developing people’s privacy and data rights. If it doesn’t include everything you want, that’s cool – let’s put that in place and stand up for something else that keeps raising the ground. “.