(CN) – Privacy advocates rejoiced last year when California lawmakers passed a landmark data-protection bill giving consumers more understanding and control over how companies use, disseminate and sell their personal information.
But a crucial committee vote on a raft of bills in the state Senate on Tuesday could all but eviscerate that law and its basic privacy protections before it takes effect – with loopholes for the tech industry.
“The opposition to this is huge. And basically everyone wants an exception for anything they’re doing,” said Ariel Fox Johnson, senior counsel for Policy and Privacy at Common Sense Media.
Speaking to reporters on a press call Monday, Fox Johnson said her organization had heard from many businesses looking to be exempted from the California Consumer Privacy Act – including tech companies, commercial credit reporters and insurance companies.
“They all want to basically be carved out of the law and if they can’t get that they want to limit its reach as much as possible,” she said.
The California Consumer Privacy Act doesn’t take effect until Jan. 1, 2020, but several bills are already targeting its protections, including one aimed at weakening a consumer’s right to opt out of the sale of their personal information. For this reason, Lee Tien, senior staff attorney at the Electronic Frontier Foundation, called Assembly Bill 1416 “the worst of the bills we’re looking at.”
Under various anti-fraud carveouts, the bill allows businesses to sell a person’s data to third parties, including the government, without even telling that person even if they’ve already asked businesses not to.
“They basically are able to keep your data even though you had asked for it to be gone. The CCPA would be effectively meaningless,” Tien said, referring to the privacy law by its acronym. Tien said the bill is especially malicious because it allows business to sell that information to government agencies like U.S. Immigration and Customs Enforcement.
“This is nuts because CCPA already allows businesses to cooperate with law enforcement,” he said. “The government already has access to records made public lawfully.”
Assembly Bill 873 would allow businesses to track consumers using “deidentified” information like IP addresses and location data on various apps, potentially exposing a persons’ political and religious affiliations, health problems and interests.
According to ACLU attorney Jacob Snow, AB 873 would allow businesses like Facebook, Google and Amazon to commit massive privacy violations so long as the data it collects aren’t tied directly to a specific person. This includes data from household smart speakers like Amazon’s Echo, commonly known as Alexa.
“That is a loophole perfect for big technology companies whose business is built on tracking people on the internet,” Snow said.
Assembly Bill 846 would essentially allow businesses to force people to pay for asserting right to privacy by incentivizing loyalty programs for consumers who are fine with their data being shared.
Meanwhile, Assembly Bill 25 would permit businesses to track and collect data on their employees through apps, spyware and other intrusive surveillance techniques. And Assembly Bill 1564 eliminates the requirement for businesses to provide two ways for consumers to submit requests to access their personal information, potentially making it harder for people without access to the internet to exercise their privacy rights.
Fox Johnson said any of these bills that pass out of the Senate Judiciary Committee will probably head straight for a floor vote. Negotiations are still underway, however, and she said anyone remotely familiar with the legislative process “would expect people will still try to ram through changes up until the last minute.”
She declined to speculate as to which bills are most likely to pass.
“We’re hopeful some of them certainly don’t make it out of committee,” she said.
One bill on Tuesday’s agenda may actually strengthen privacy protections. Assembly Bill 1395 would prohibit Amazon, Google and other companies that make smart speakers from storing transcripts of consumers’ recorded conversations unless they obtain written permission.