This month, the corporate-backed, legislative battle against California privacy met a blockade, as one Senate committee voted down and negotiated changes to several bills that, as originally written, could have weakened the state’s data privacy law, the California Consumer Privacy Act.
Though the bills’ authors have raked in thousands of dollars in campaign contributions from companies including Facebook, AT&T, and Google, records portray broader donor networks, which include Political Action Committees (PACs) for real estate, engineering, carpentry, construction, electrical, and municipal workers.
Instead, Big Tech relied on advocacy and lobbying groups to help push favorable legislative measures forward. For example, one bill that aimed to lower restrictions if companies provide consumer data to government agencies was supported by TechNet and Internet Association.
Those two groups alone represent the interests of Amazon—which was caught offering a corporate job to a Pentagon official involved in a $10 billion Department of Defense contract that the company is currently seeking—and Microsoft—another competitor in the same $10 billion contract—along with Google, Twitter, Lyft, Uber, PayPal, Accenture, and Airbnb.
Below is a snapshot of five CCPA-focused bills that were all scheduled for a vote during a July 9 hearing by the California Senate Judiciary Committee. The committee chair, Senator Hannah-Beth Jackson, pulled a 12-hour-plus shift that day, trying to clear through more than 40 bills.
Yet another day in politics.
We hope to provide readers with a look at both the support and opposition to these bills, along with a view of who wrote the bills and what groups have donated to their authors. It is important to remember that lawmaking is rarely a straight line, and a campaign contribution is far from an endorsement.
AB 1416 would have created a new exception to the CCPA for any business that “provides a consumer’s personal information to a government agency solely for the purposes of carrying out a government program, if specified requirements are met.”
The bill would have granted companies the option to neglect a consumer’s decision to opt-out of having their data sold to another party, so long as the sale of that consumer’s data was “for the sole purpose of detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.”
According to multiple privacy groups, those exceptions were too broad. In a letter signed by ACLU of California, EFF, Common Sense Kids Action, and Privacy Rights Clearinghouse, the groups wrote:
“Given the breath of these categories, especially with the increasing use of machine learning and other data-driven algorithms, there is no practical limit on the kinds of data that might be sold for these purposes. It would even allow sales based on the purchaser’s asserted purpose, increasing the potential for abuse, much like the disclosure of millions of Facebook user records by Cambridge Analytica.”
These challenges were never tested with a vote, though, as Asm. Cooley pulled the bill before the committee hearing ended.
AB 873 would have narrowed the scope for what CCPA protects—“personal information”—by broadening the definition of something that CCPA currently does not protect—“deidentified” information.
According to the bill, the definition of “deidentified” information would now include “information that does not identify, and is not_ reasonably_ linkable, directly or indirectly, to a particular consumer.”
Privacy advocates claimed the bill had too broad a reach. In a letter, several opponents wrote that AB 873 “would allow businesses to track, profile, recognize, target, and manipulate consumers as they encountered them in both online and offline settings while entirely exempting those practices from the scope of the CCPA, as long as the information used to do so was not tied to a person’s ‘real name,’ ‘SSN’ or similar traditional identifiers.”
During the Senate committee hearing, Asm. Irwin defended her bill by saying that CCPA’s current definition of deidentified information was “unworkable.” She then rebuffed suggestions by the committee chair to add amendments to her bill.
The bill failed to pass on the committee’s 3–3 vote.
AB 25, as originally written, would have removed CCPA protections for some types of data that employers collect both on their employees and their job applicants.
Hayley Tsukayama, legislative analyst for EFF, said that a concern she and other privacy advocates had with the bill was that employers are beginning to collect more information on their employees that more often resemble consumer-type data.
“We are seeing a lot more of these workplace surveillance programs pop up,” Tsukayama said over the phone, giving a hypothetical example of a fitness tracker for employees where the data could be shared with health insurance companies. “The ways that this collection is being introduced into the workplace, it’s not necessary for the employer-employee relationship, and it is more in the vain of consumer data.”
After Chau agreed to add amendments to his bill, the Senate committee passed it. The bill, if it becomes law, will sunset in one year, giving legislators and labor groups another opportunity to review its impact in a short time.
AB 846 targets CCPA’s current non-discrimination clause that prohibits companies from offering incentives—like lowered prices—to customers based on their data practices.
The bill would clarify that CCPA’s regulations are not violated when businesses offer “a different price, rate, level, or quality of goods or services to a consumer if the offering is in connection with a consumer’s voluntary participation in a loyalty, rewards, premium features, discount, or club card program.”
The bill received so many changes though, that some groups were puzzled over what it allows.
“There was a point at which [AB 846] said any service that has a functionality directly related to the collection of, and use, of personal information was exempt,” Tsukayama said. “We spent a lot of time going ‘Well, what does that mean?’ We never got a satisfactory answer.”
She continued: “We were concerned that this would cover a lot of ad tech, or invasive company programs, to collect more data.”
With additional amendments to be added, the Senate committee passed the bill.
CCPA allows Californians to contact the companies that collect their data and make requests about that data, including accessing it, changing it, and deleting it. The law states that companies must provide at least two methods of contact, including one toll-free telephone number, for those requests.
AB 1564 would allow online-only businesses to provide their direct consumers with just one method of contact—an email address—for data requests.
Privacy advocates previously warned that the bill could make it harder for those with limited Internet access to assert their privacy rights.
The bill, which will be amended, passed the Senate committee.
The California Senate is currently in a summer recess, scheduled to return August 12. The bills that passed the Senate Judiciary Committee—ABs 25, 846, and 1564, regarding employee data, loyalty programs, and email address contacts—will next be heard by the Senate Appropriations Committee, a separate committee of lawmakers who oversee and move forward bills that have a fiscal component.
That committee has until August 30 to move bills to the floor.
Afterwards, either chamber of the state has until September 13 to send a bill to Governor Gavin Newsom’s desk for signature.
The post Changing California’s privacy law: A snapshot at the support and opposition appeared first on Malwarebytes Labs.