Ever since it passed an aggressive new data-privacy law last year, privacy proponents have held up California as the model for lawmakers in Washington D.C. to emulate.
But after the events of this week, advocates are now hoping Capitol Hill ignores Sacramento’s unexpected pushback against a new round of privacy rules.
A bill that would have dramatically expanded California’s already powerful privacy regime was unceremoniously pulled from consideration in the State Assembly on Monday, surprising most privacy groups. Another blow came Tuesday, when a slew of industry-backed bills that advocates say will weaken the current rules sailed through the Assembly’s committee on privacy.
“Legislatively, I think we’ve reached the high-water mark from the perspective of progressive privacy advocates,” said Ian Adams, the vice president of policy at libertarian tech group TechFreedom and a longtime veteran of California state politics.
Several experts on all sides of the privacy debate said the defeat of a new slate of privacy rules in California will almost certainly reverberate on Capitol Hill. Because if Sacramento—with its Democratic supermajorities in both legislative chambers—can’t pass tough new requirements for opt-in consent or data minimization, what possible hope does Washington have?
“I think it’s pretty obvious that anything that California decides will establish the parameters of the federal debate, which is why there’s so much effort from industry here,” said Ernesto Falcon, the legislative council at the pro-privacy Electronic Frontier Foundation. “They understand this will establish those borders, the boundaries.”
Falcon and other privacy advocates believe Facebook and Google, operating primarily through the California wing of tech lobbying group the Internet Association, were behind the abrupt withdrawal of freshman Assemblymember Buffy Wicks’ bill on Monday.
That bill, AB 1760, would have made several tough measures passed as part of last year’s California Consumer Privacy Act even tougher. Most notably, the bill included a requirement that consumers must affirmatively opt into any corporate data collection (current rules only provide most users with the ability to opt out). The legislation would have also brought corporate data-sharing practices—think Facebook and Cambridge Analytica—under the same rules that govern data sales.
Advocates say tech lobbyists successfully pressured Ed Chau, the chairman of the Assembly Privacy Committee, to recommend that his members vote against the bill. That left Wicks no choice but to pull it in the hopes of trying again next year.
“Big change is hard,” Wicks said in a statement provided to National Journal. “I am committed to continue fighting for effective legislation that puts Californians’ consumer privacy first.”
Speaking for many privacy advocates, Falcon said he was “definitely surprised and dismayed” by Chau’s decision to spike the bill—particularly given his strong support for a privacy bill that targeted internet service providers in 2017. Others were even more upset by Chau’s green-lighting of a series of industry-friendly bills on Tuesday.
“Unfortunately, the Privacy Committee is much more interested in listening to industry interests than privacy interests,” said Jacob Snow, a technology and civil-liberties attorney at the American Civil Liberties Union of Northern California.
Chau’s office did not respond to a request for comment. But during Tuesday’s hearing, the chairman said his primary interest was “to basically hold the line” on California’s new privacy legislation, not to extend it further.
“I am open to doing cleanup work, as well as fine-tuning the law,” Chau added, referencing the industry-backed bills his committee approved.
Snow scoffed at Chau’s characterization of the new bills, which he said include significant exemptions in the definition of sensitive and personal information. “These aren’t cleanup amendments,” he said. “They’re harming privacy under the guise of housekeeping.”
Tech industry representatives, unsurprisingly, take issue with that characterization. They argue that it’s AB 1760, and not their “cleanup” bills, that represented a dramatic departure from the spirit of California’s new privacy regime.
“AB 1760 was really a fringe bill that did not have legislative leadership support,” said Alan Friel, a Los Angeles-based privacy lawyer with Baker Hostetler who often represents technology firms. “[It] would have radically modified the CCPA.”
One industry lobbyist closely engaged in discussions on AB 1760, who requested anonymity in order to speak frankly, said the now-tabled bill “completely turned the [CCPA] on its head.”
“Look, we passed a monumental law that combines privacy laws that used to be segmented off by industry or types of data into one universal law for 40 million people and this massive economy,” the lobbyist said. “Let’s see how this plays out a little bit. It’s not in force yet; regulations aren’t there. How can we make calculated changes right now?”
But privacy advocates insist there are still major loopholes in California’s new privacy regime. And for the time being, at least, those loopholes will remain unfilled.
“If you’re looking to industry and the tech companies, the time to protect people’s privacy is always later,” Snow said.
Privacy groups in California still see a ray of hope in a state Senate bill, backed by state Attorney General Xavier Becerra, that would further expand a private right of action for consumers who feel violated by a company’s privacy practices.
But the bill remains a nonstarter with the tech industry, which is still fuming over the limited right of action found in the CCPA. And advocates are increasingly nervous about a repeat of this week’s fiasco in the Assembly, which tends to be more conservative than the Senate.
“It would be really tragic if the attorney general himself cannot get his own bill to the floor,” Falcon said.
AB 1760’s defeat will doubtless have an impact on the privacy debate now percolating in Washington. The push for a federal privacy bill began as a reaction to California’s aggressive moves last year, and lawmakers in both parties continue to closely watch Sacramento’s actions on privacy.
Democratic lawmakers, particularly Rep. Ro Khanna and Sen. Ed Markey, have recently floated proposals for the creation of a federal opt-in requirement for corporate data collection. But after the defeat of such an effort in a heavily Democratic stronghold, it’s hard to see how a similar effort could survive in a divided Congress.
“California not being able to move an opt-in bill is a huge deal,” Adams said. “And we haven’t seen it in any other state. There’s a reason for that. It’s a bridge too far.”
And Silicon Valley is already linking its victory this week in California with the upcoming fight on data privacy in Washington.
“The challenges that California is having with getting some of these additional, broader rules attached to the CCPA, and having issues there, does kind of speak to the broader effort of how difficult it will be to get a national standard, a comprehensive bill at the federal level,” the tech lobbyist said.