Last week, the corporate-backed, legislative battle against California privacy met a blockade, as one Senate committee voted down and negotiated changes to several bills that, as originally written, could have weakened the state’s data privacy law, the California Consumer Privacy Act.
Though the bills’ authors have raked in thousands of dollars in campaign contributions from companies including Facebook, AT&T, and Google, records portray broader donor networks, which include Political Action Committees (PACs) for real estate, engineering, carpentry, construction, electrical, and municipal workers.
Instead, Big Tech relied on advocacy and lobbying groups to help push favorable legislative measures forward. For example, one bill that aimed to lower restrictions if companies provide consumer data to government agencies was supported by TechNet and Internet Association.
Those two groups alone represent the interests of Amazon—which was caught offering a corporate job to a Pentagon official involved in a $10 billion Department of Defense contract that the company is currently seeking—and Microsoft—another competitor in the same $10 billion contract—along with Google, Twitter, Lyft, Uber, PayPal, Accenture, and Airbnb.
Below is a snapshot of five CCPA-focused bills that were all scheduled for a vote during a July 9 hearing by the California Senate Judiciary Committee. The committee chair, Senator Hannah-Beth Jackson, pulled a 12-hour-plus shift that day, trying to clear through more than 40 bills.
Yet another day in politics.
We hope to provide readers with a look at both the support and opposition to these bills, along with a view of who wrote the bills and what groups have donated to their authors. It is important to remember that lawmaking is rarely a straight line, and a campaign contribution is far from an endorsement.
The assembly bills
- What’s it all about? Exceptions to the CCPA when companies provide consumer data to government agencies
- Author: Assemblymember Ken Cooley
- Author’s top 2018 donors: the California Democratic Party ($111,192), the State Building and Construction Trades Council of California PAC Small Contributor Committee ($17,600), the California State Council of Laborers PAC ($17,600).
- Author’s tech donors: AT&T ($8,800), Facebook ($6,900)
- Supported by: Internet Association, Technet, Tesla, Symantec, California Land Title Association, California Alliance of Caregivers, among others
- Opposed by: ACLU of California, Electronic Frontier Foundation, Common Sense Kids Action, and Privacy Rights Clearinghouse
AB 1416 would have created a new exception to the CCPA for any business that “provides a consumer’s personal information to a government agency solely for the purposes of carrying out a government program, if specified requirements are met.”
The bill would have granted companies the option to neglect a consumer’s decision to opt-out of having their data sold to another party, so long as the sale of that consumer’s data was “for the sole purpose of detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.”
According to multiple privacy groups, those exceptions were too broad. In a letter signed by ACLU of California, EFF, Common Sense Kids Action, and Privacy Rights Clearinghouse, the groups wrote:
“Given the breath of these categories, especially with the increasing use of machine learning and other data-driven algorithms, there is no practical limit on the kinds of data that might be sold for these purposes. It would even allow sales based on the purchaser’s asserted purpose, increasing the potential for abuse, much like the disclosure of millions of Facebook user records by Cambridge Analytica.”
These challenges were never tested with a vote, though, as Asm. Cooley pulled the bill before the committee hearing ended.
- What’s it all about? Changing CCPA’s definition of “deidentified” information
- Author: Assemblymember Jacqui Irwin
- Author’s top 2018 donors: California Democratic Party ($105,143), the State Building and Construction Trades Council of California PAC ($17,600), the Professional Engineers in California Government PECG-PAC ($17,600)
- Author’s tech donors: Facebook ($8,800), AT&T ($8,200), Hewlett Packard ($3,700)
- Supported by: California Chamber of Commerce (sponsor), Internet Association, Technet, Advanced Medical Technology Association, California News Publishers Association, among others
- Opposed by: ACLU of California, EFF, Campaign for a Commercial-Free Childhood, Access Humboldt, Oakland Privacy, Consumer Reports, among others
According to the bill, the definition of “deidentified” information would now include “information that does not identify, and is not reasonably linkable, directly or indirectly, to a particular consumer.”
Privacy advocates claimed the bill had too broad a reach. In a letter, several opponents wrote that AB 873 “would allow businesses to track, profile, recognize, target, and manipulate consumers as they encountered them in both online and offline settings while entirely exempting those practices from the scope of the CCPA, as long as the information used to do so was not tied to a person’s ‘real name,’ ‘SSN’ or similar traditional identifiers.”
During the Senate committee hearing, Asm. Irwin defended her bill by saying that CCPA’s current definition of deidentified information was “unworkable.” She then rebuffed suggestions by the committee chair to add amendments to her bill.
The bill failed to pass on the committee’s 3–3 vote.
- What’s it all about? Exceptions to CCPA for employers that collect data from their employees and job applicants
- Author: Assemblymember Ed Chau
- Author’s top 2018 donors: California State Council of Service Employees ($17,600), the California State Council of Laborers ($13,200) the California State Pipe Trades Council ($10,000).
- Author’s tech donors: Facebook ($4,400), AT&T ($3,900), Hewlett Packard ($3,200), Google ($2,500), Intuit ($2,000)
- Supported by: Internet Association, Technet, California Chamber of Commerce, National Payroll Reporting Consortium, among others
- Opposed, unless amended, by: ACLU of California, EFF, Center for Digital Democracy, Oakland privacy, among others
AB 25, as originally written, would have removed CCPA protections for some types of data that employers collect both on their employees and their job applicants.
Hayley Tsukayama, legislative analyst for EFF, said that a concern she and other privacy advocates had with the bill was that employers are beginning to collect more information on their employees that more often resemble consumer-type data.
“We are seeing a lot more of these workplace surveillance programs pop up,” Tsukayama said over the phone, giving a hypothetical example of a fitness tracker for employees where the data could be shared with health insurance companies. “The ways that this collection is being introduced into the workplace, it’s not necessary for the employer-employee relationship, and it is more in the vain of consumer data.”
After Chau agreed to add amendments to his bill, the Senate committee passed it. The bill, if it becomes law, will sunset in one year, giving legislators and labor groups another opportunity to review its impact in a short time.
- What’s it all about? Customer loyalty programs
- Author: Assemblymember Autumn Burke
- Author’s top 2018 donors: State Building and Construction Trades Council of California PAC ($17,600), SEIU California State Council Small Contributor Committee ($17,600), IBEW Local 18 Water & Power Defense League ($17,600), California State Council of Laborers PAC ($17,600)
- Author’s tech donors: Facebook ($8,800), Technet California Political Action Committee ($8,449), Charter Communications ($7,900), AT&T and its affiliates ($7,300)
- Supported by: California Chamber of Commerce, California Grocers Association, California Hotel & Lodging Association, California Restaurant Association, Ralphs Grocery Company, Wine Institute, among others
- Opposed, unless amended, by: ACLU of California, EFF, Common Sense Kids Action, Privacy Rights Clearinghouse, Access Humboldt
AB 846 targets CCPA’s current non-discrimination clause that prohibits companies from offering incentives—like lowered prices—to customers based on their data practices.
The bill would clarify that CCPA’s regulations are not violated when businesses offer “a different price, rate, level, or quality of goods or services to a consumer if the offering is in connection with a consumer’s voluntary participation in a loyalty, rewards, premium features, discount, or club card program.”
The bill received so many changes though, that some groups were puzzled over what it allows.
“There was a point at which [AB 846] said any service that has a functionality directly related to the collection of, and use, of personal information was exempt,” Tsukayama said. “We spent a lot of time going ‘Well, what does that mean?’ We never got a satisfactory answer.”
She continued: “We were concerned that this would cover a lot of ad tech, or invasive company programs, to collect more data.”
With additional amendments to be added, the Senate committee passed the bill.
- What’s it all about? Whether businesses have to provide a phone number for consumer data requests
- Author: Assemblymember Marc Berman
- Author’s top 2018 donors: California State Council of Service Employees ($26,100), Northern California Carpenters Regional Council SCC ($17,600), American Federation of State, County & Municipal Employees – CA People SCC ($17,600)
- Author’s tech donors: Facebook ($8,800), TechNet PAC ($6,526)
- Supported by: Internet Association (sponsor), Engine, Coalition of Small & Disabled Veteran Businesses, Small Business California, National Federation of Independent Businesses (CA), among others
- Opposed by: ACLU of California, EFF, Center for Digital Democracy, Oakland Privacy, Access Humboldt, Privacy Rights Clearinghouse, among others
CCPA allows Californians to contact the companies that collect their data and make requests about that data, including accessing it, changing it, and deleting it. The law states that companies must provide at least two methods of contact, including one toll-free telephone number, for those requests.
AB 1564 would allow online-only businesses to provide their direct consumers with just one method of contact—an email address—for data requests.
Privacy advocates previously warned that the bill could make it harder for those with limited Internet access to assert their privacy rights.
The bill, which will be amended, passed the Senate committee.
What comes next?
The California Senate is currently in a summer recess, scheduled to return August 12. The bills that passed the Senate Judiciary Committee—ABs 25, 846, and 1564, regarding employee data, loyalty programs, and email address contacts—will next be heard by the Senate Appropriations Committee, a separate committee of lawmakers who oversee and move forward bills that have a fiscal component.
That committee has until August 30 to move bills to the floor.
Afterwards, either chamber of the state has until September 13 to send a bill to Governor Gavin Newsom’s desk for signature.
The post Changing California’s privacy law: A snapshot at the support and opposition appeared first on Malwarebytes Labs.