Efforts to Gut Consumer Privacy Act Largely Fail

SACRAMENTO (CN) — At a marathon hearing that stretched into the wee hours Tuesday, lawmakers passed a flurry of amendments to the landmark California Consumer Privacy Act.

Legislators on the state Senate Judiciary Committee labored until nearly midnight to meet its mandatory deadline to vote on dozens of bills. Among them were several that critics said would gut the privacy act before it can go into effect.

But the contentious Assembly Bill 1416, excoriated by opponents as one of the more tech industry-friendly measures, was absent from the agenda.

Hayley Tsukayama, a legislative analyst with opponent Electronic Frontier Foundation, confirmed that it had been pulled by the author, Assemblyman Ken Cooley, at the last minute. The bill would have allowed businesses to sell personal data to third parties, even if a consumer specifically opted out of such practices. It also carved out an exception to the CCPA that would allow businesses to provide a person’s data to the government if used for carrying out a government program.

The bill will be dropped from this year’s legislative session and will likely re-emerge next year. “We are pleased that this bill, which would have opened a major loophole in the CCPA, will not move forward this session,” Tsukayama said in an email.

Cooley’s office did not return phone calls seeking comment.

Under the CCPA, California residents will soon have a right to know when a business has collected and/or sold their personal information; the power to forbid a business from selling their information to third parties; and the ability to demand a business delete stored information. The law is the result of deal between lawmakers and real estate magnate Alastair Mactaggart, who spent millions to qualify a statewide measure for the November ballot. In exchange for the bill’s passage, Mactaggart agreed to pull his measure days before an election deadline.
Brown signed the CCPA in 2018 with the understanding that lawmakers would continue to tweak and mold it before it goes into effect on Jan. 1, 2020.

Another of those tweaks, Assembly Bill 25, advanced out of the committee Tuesday, but with amendments that led opponents to take a neutral position. The bill, by Assemblyman Ed Chau, allows employers to collect data on workers without telling them. Chau amended the bill Monday to require employers to tell employees what type of information they are collecting and the reason for doing so.

“This will create a layer of transparency not provided by the language of the bill in print,” said an analysis of the proposed change.

Mactaggart, founder of Californians for Consumer Privacy, on Tuesday called the privacy act “historic” and “sweeping” and said he’s keeping a close eye on the proposed amendments.

“The power of California law will hold the world’s largest corporations accountable for how they are using our personal data. But make no mistake: Last year’s David-versus-Goliath fight for consumer privacy rights continues, and we’re as dedicated as ever to making sure every consumer has control over what happens to their personal information,” Mactaggart said in an email.

Privacy groups also opposed Assembly Bill 1564, which removes a requirement that businesses provide a phone number for people requesting access to their personal information, as it makes it harder for people without internet access to exercise their privacy rights. The bill passed after an amendment restored the phone number requirement for some businesses.

“If a business has a brick and mortar store and a direct in-person relationship with a customer, then they have to have a telephone number, but if they exist only online then they can have an email,” said Assemblyman Marc Berman, the bill’s author.

Late into the night, the committee reached the strongly contested Assembly Bill 873, which changes the definition of “personal information” and expands the definition of “deidentified” information — private data not tied to y specific individual —  so that more private data falls outside the protections of the CCPA.

Essentially, it takes what was once personal information and depersonalizes it so businesses can use it in any way they want.

Ariel Fox Johnson, senior counsel for policy and privacy at Common Sense Media, said AB 873 “represents an erosion” of the landmark privacy law by lowering the threshold of what qualifies as deidentified information to include I.P. addresses and even browser fingerprints, which potentially can be used to identify people and track their online activity.

Committee chair Sen. Hannah Beth Jackson said she proposed amendments but they were rejected by the bill’s author, Assemblywoman Jacqui Irwin. The amendments would have exempted a business from complying with a consumer request to delete personal information if it meets three conditions: it is not reasonably capable of linking a request with the personal information, the business doesn’t sell the information to third parties, and the business does not use the information to identify a specific consumer.
Irwin said she could not support amendments that would weaken the bill, saying its current form makes the CCPA more understandable and workable for small businesses. She noted that Mactaggart’s group, Californians for Consumer Privacy, is neutral on the bill without the amendments.

“It is crucially important that California get it right; that we make CCPA workable for not only our Googles, but workable for small businesses. We want to make sure every business understands how important it is to protect our privacy,” Irwin said. “If we do not get it right, there will be federal pre-emption.”

Jackson, who called the bill a “jail-break” of the CCPA, said she was not surprised that it enjoys strong backing from the tech industry.

“The less personal information there is, the more opportunity there is for them to take that ‘deidentified’ information and sell it without the consumer protections of the CCPA,” she said. “Had the author taken amendments we would have had a good bill.”

Jackson added: “I think this is a dangerous bill. The CCPA, from my perspective, is a pretty weak cup of tea but it’s what we’ve got. If we start undercutting it now by expanding a definition that pulls that information outside the protection of the CCPA, we will take what is a weak cup of tea and turns it into water.”

The committee vote was 3-3, so the measure failed. But Irwin asked for reconsideration, which means there is still a chance it could pass if Irwin can drum up more support from colleagues.

The bills that passed will head to the Senate Appropriations Committee, and if they pass, to the floor for a full Senate vote.

%d bloggers like this: