When state Senator Bob Hertzberg learned that an ambitious privacy initiative had gotten enough signatures to qualify for the ballot in California, he knew he had to act quickly.
“My objective,” he says, “was to get the damn thing off the ballot.”
It was the spring of 2018. Facebooks emerging Cambridge Analytica scandal had cast a harsh light on the tech giants data-gathering practices, spurring calls for more consumer privacy protections. The initiative was the brainchild of Alastair Mactaggart, a wealthy San Francisco real estate developer, who had the idea in the shower in 2015 and funded the effort out of pocket. Mactaggart enlisted his neighbor Rick Arney and Mary Stone Ross, a former CIA analyst and lawyer, to help craft the ballot measure. None had any background in data privacy or, for that matter, anything related to the tech industry.
“No one knew who Alastair was,” says Hertzberg, a longtime fixture of California politics whose district includes parts of Los Angeles. “Who is this guy, and where is he coming from? All of a sudden he writes a check, spends a couple years, does some homework, and does a ballot initiative.” If enough voters approved the initiative that fall, it would put in place extensive new regulations that could only be amended if the legislature mustered a 70 percent supermajority.
The prospect alarmed Hertzberg and some of his colleagues. “The reason we thought it was horrible wasnt because he didnt do a lot of good things that were consumer-facing; of course he did. But he put a 70 percent threshold. And in my world, a 70 percent threshold basically gives the other party all the power.”
Much better, he thought, to address the problem of data privacy through the legislative process. So Hertzberg approached Mactaggart with a deal: work with him to craft a bill and, once it passes, withdraw the ballot initiative. Mactaggart agreed. That June, after a few months of intense negotiation, the legislature unanimously passed the California Consumer Privacy Act. It was the most ambitious data privacy law in the nation—but it quickly proved inadequate. The rushed and contentious drafting process left enormous loopholes in the law, and it didnt provide the resources necessary for its own enforcement. Legislators spent the early part of 2019 introducing bills to fix those flaws before the law took effect but didnt get anywhere. (There was also a series of bills that tried, and failed, to pare back the law further.)
So, about a year after the CCPA was passed—but before it had gone into effect—Hertzberg, who by then was majority leader of the California State Senate, pitched a new idea to Mactaggart. In a total reversal from his earlier stance, Hertzberg urged Mactaggart to bypass the legislative process. Instead, he should fund and draft a new ballot initiative to improve upon the CCPA. And this one wouldnt be a bargaining chip. It would go all the way to a vote by the people of California. Thus was born the California Privacy Rights Act, which will appear on Californians ballots this fall as Proposition 24.
“We have to go back to the ballot”
“The only way were going to do this is, we have to go back to the ballot,” Hertzberg recalls saying. Legislation looked like a dead end. “Because we had made mistakes—not horrible mistakes, but mistakes—in CCPA, all the business people were using it to cut up our credibility. Washington people were saying, See, California doesnt know what theyre doing. Given the timing, given the speed, we realized that we had to do another initiative.”
Hertzbergs flip-flop on the ballot initiative question is just one way in which Proposition 24 has scrambled political dynamics in California. The initiative has also divided privacy advocates who previously fought on the same side. Mactaggarts former ally, Ross, is leading the opposition and has enlisted allies that include the American Civil Liberties Union and consumer-advocacy groups. “The CCPA was a lot weaker than the [original] initiative, but at the same time it was, and still is, the strongest consumer privacy law in the nation,” she says. “And this initiative weakens it.”
Whenever regulation is on the table, members of the affected industry can be expected to line up in opposition. But privacy advocates resisting a privacy initiative is less intuitive. How did Proposition 24 upend these alliances? The answer is: its complicated. Not just the situation, but the measure itself.
Problematic predecessor
You can't understand Proposition 24 without first understanding how lame the CCPA turned out to be.
The law was intended to give Californians the right to know what data businesses are collecting about them, to opt out of the sale of that data, and to make businesses delete the data theyve already gathered. But those rights are mostly theoretical, thanks to a handful of missteps by the laws drafters. First, the CCPA specifies that users have the right to opt out of the “sale” of their data. But tech companies argue that many transfers of user information that seem to raise privacy concerns arent sales at all, because no one is paying for data: websites commonly give user data to third parties like Facebook in order to more effectively sell subscriptions and advertising.
“We did all this work and Google can still take all your information, Facebook can still put a pixel on a website.”
Second, the CCPA ended up including an exception for “service providers” who need user data to perform a “business purpose.” Companies like Facebook and Google have seized on that language, arguing that they provide the service of microtargeted advertising. Taken together, the two provisions essentially exempt targeted advertising from the privacy law—which, given how central advertising is to all the tracking of users online, is a bit like exempting coal plants from a law promoting clean air.
“The sale and the service provider issue are two huge loopholes that companies are currently exploiting,” says Justin Brookman, the director of consumer privacy and technology policy at Consumer Reports. “If you say, Do not sell today, many companies are doing nothing.”
Mactaggart rues the fact that, as he sees it, tech lobbyists managed to get the service provider clause into the bill. “I caught a bunch of the things they were trying to do, but I didnt catch this one.” As a result, he says, when it comes to cutting down on the biggest sources of online tracking, “We literally didnt do anything. We did all this work and Google can still take all your information, Facebook can still put a pixel on a website. All they have to do is have a contract with that website, and one of the business purposes says advertising and marketing, and boom.”
The other big CCPA shortcoming is enforcement. The original ballot-initiative version of the law would have let any Californian sue a company that violated its provisions—a so-called private right of action. But that provision, which tech companies vehemently opposed, got killed in the negotiation process. In the end, the law gives the state attorney general the exclusive power to enforce it. (Ross disagreed so bitterly with that concession, along with giving up on the 70 percent threshold, that she and Mactaggart stopped speaking.)
Enter the attorney general
“One decision we made was, were just going to give the power to oversee this to the California attorney general,” says Hertzberg. That position is currently held by Xavier Becerra, a fellow Democrat. “I thought I was doing him a big favor by giving him the power to ultimately decide all these issues in privacy,” Hertzberg says. In fact, Becerra has said his office only has the resources to bring a handful of cases a year. Even if he had more, the law lets businesses avoid punishment if they “cure” a violation that gets flagged. There is little reason for businesses to take it very seriously.
Data from the first six months of the laws existence suggests that it hasnt changed the privacy game for consumers all that much, either. According to an analysis by DataGrail, a company that helps businesses comply with privacy laws, there were only 82 “Do not sell” requests for every million consumer records in that timespan.
The point of Proposition 24 is to patch the holes currently making the CCPA such a leaky privacy vessel. If approved by California voters, the initiative would change the laws “Do not sell” provision to “Do not sell or share” to eliminate any wiggle room for unremunerated data transfers, and it clarifies that targeted advertising does not count as a “business purpose” that exempts companies from complying with user opt-outs. It also aims to beef up enforcement by requiring the legislature to appropriate $10 million in annual spending for an entire new privacy-protection agency. And unlike the 2018 ballot initiative, Proposition 24 allows the legislature to make future changes with a simple majority vote—but only if those changes enhance, rather than weaken, the purposes of the law.
“Were not trying to create a new ceiling, were trying to raise the floor,” says Andrew Yang, the former presidential candidate. Yang, who chairs the advisory board for Mactaggarts Californians for Consumer Privacy, is one of several prominent supporters of the initiative, along with congressman Ro Khanna and tech theorist Shoshana Zuboff. “It preempts tech companies ability to water down the CCPA and make it toothless. And it leaves up to all of us how we want to continue to develop peoples privacy rights and data rights. If it doesnt include everything that you want, fantastic—lets get this one in place and then champion something else that continues to raise the floor.”
Problems with the solution
Not everyone thinks its so fantastic. Mary Stone Ross, Mactaggarts erstwhile partner, has gone so far as to found a group called California Consumer and Privacy Advocates Against Proposition 24. At times, the rivalry has gotten a little personal. The “No on 24” website warns that “a wealthy San Francisco developer” is spending millions to “weaken Californias recent landmark privacy law,” without mentioning that its the same developer who helped create the law in the first place. The two have traded barbs in the press. Mactaggart is incredulous that Ross sent a fundraising prospectus to tech companies, among others. Ross counters that her only funding to date comes from the California Nurses Association, who donated $20,000, and that Mactaggart himself met with tech companies and incorporated some of their concerns into the initiative.
Ross other allies include the ACLU of Northern California, the Consumer Federation of California, and Color of Change. Some organizations that carry clout on the issue, like Consumer Reports and the Electronic Frontier Foundation, have declined to endorse the initiative, declaring that they cant decide if the good parts outweigh the bad. What is the bad? One common complaint is that Proposition 24 allows what is pejoratively known as “pay for privacy”: businesses can charge users more if they opt out of sharing their information. (They can only charge the value they would have derived from that data.) Thats already allowed under the CCPA, but critics say Proposition 24 entrenches it further.
“If you look at the people who need privacy the most, I think those are often people who are economically struggling,” says Jacob Snow, a technology and civil liberties attorney at the ACLU of Northern California. “But if people have to pay for their privacy rights, then privacy becomes a luxury that rich people have but poor or economically struggling folks dont have access to.”
Pay for privacy
Mactaggart defends the pay-for-privacy option as a compromise intended, in part, to protect news medias ability to monetize through advertising. “We didnt want to put a law into effect thats going to crush an already crushed business,” he says. “They call it pay for privacy; we call it preserve the free press.”
The biggest disagreements over Proposition 24 are interpretive. The initiative comprises 52 pages of dense legal language, addressing highly technical concepts, with subsections and intricate cross-references that even experts admit they struggle to follow. That convoluted language has led to sharply different opinions about what the initiative would actually do—whether, in crucial respects, it would expand consumer privacy or restrict it.
Perhaps the most important example of this revolves around so-called global opt-outs. The final regulations implementing the CCPA require companies to honor a “Do not sell” request thats automatically sent by someones browser or device—a browser extension or phone setting, say, that would save people the trouble of opting out of every site one by one.
At first glance, Proposition 24 seems to go backwards on that. Beginning at the bottom of page 17, it appears to offer businesses a choice: Option (a) is to have a “Do Not Sell or Share My Personal Information” button on their homepage, and option (b) is to comply with global opt-out requests.
“The implication is that, under Proposition 24, its likely people will have to go website by website, app by app, data broker by data broker, to try to get companies to respect their choices,” says Snow. “There are 300 data brokers in the California data broker registry, and its totally unacceptable to put the burden of opting out of each one of those individually on consumers.”
“The opt-out needs to be global”
Mactaggart completely agrees—with that last part. “That would be the single dumbest thing,” he said, of letting businesses ignore browser opt-outs. “I would actually oppose this law if that was the case. The opt-out needs to be global; it needs to be set-it-and-forget-it.”
On this count, Mactaggart makes the more compelling case. A few paragraphs down, the text of the initiative clarifies that all businesses will be required to comply with a global opt-out, “regardless of whether the business has elected to comply with subdivision (a) or (b).” To understand the actual options businesses would have if Proposition 24 passes, you have to follow the other sections cross-referenced under (a) and (b). The choice, it turns out, is actually between having a “Do Not Sell or Share” button—and being able to charge users more for opting out—versus getting to skip the annoying pop-up notice if you agree to not treat users who opt out any differently, among other detailed requirements.
Like I said, its complicated. Heres another example. Recall that Proposition 24 is supposed to prevent a future legislature from weakening privacy protections while giving the legislature freedom to strengthen them. To do this, the initiative specifies that any legislative amendments must be “consistent with and further the purpose and intent of this Act,” which is “to further protect consumers' rights, including the constitutional right of privacy.” The tricky thing is that the initiative lists 23 specific principles underneath that broad purpose, a couple of which are not Read More – Source
[contf] [contfnew]
arstechnica
[contfnewc] [contfnewc]