The results are in… and California’s GDPR-ish digital privacy law has survived onslaught by Google and friends
Five amendments to law approved before deadline, none undercut core goals
Analysis California’s landmark digital privacy law will remain “largely intact” despite a year of determined lobbying by Google and other tech giants to undermine it.
That’s the conclusion of privacy rights groups that have been carefully tracking the legislation since it was signed into law in June 2018 and us due to come into effect in January 2020.
Thanks to the unusual way in which the law was passed, lawmakers were given an entire year to approve amendments to it. That left the door open to tech lobbyists, who have been doing everything in their power to undermine the law’s main goals.
However, Friday was the deadline for amendments and of the five that made it through the process, none managed to introduce the legislative loopholes that Google, Facebook, and friends have been pushing for.
A joint statement by Consumer Reports and the Electronic Frontier Foundation made no bones about the year-long battle. They made a point of praising lawmakers for resisting tech industry pressure to “insert last-minute loopholes” and celebrate the fact that the law has been left "largely intact."
The American Civil Liberties Union of Northern California reiterated the same point when it said in its own statement that “industry tried and failed this session to weaken or eliminate the key protections of the CCPA,” adding that it wished to “applaud the legislature for holding the line against big technology companies.”
All three organizations stress that the “fight is not over” in the effort to regain privacy rights back from Big Tech but in privacy terms it’s a case of this battle being won but a larger war still going on.
The last time we checked in on the process, there were nine proposed amendments that had made it through the legislative process, none of which expanded privacy rights. Four of the amendments were benign in that were intended to clean up the law. But that left five that has been clearly designed by the tech companies – and in some cases, written by them too – to create specific loopholes.
Of those five, three made it through as legislative amendments – Assembly Bills 25, 874 and 1564 – and one was put off until next year (AB 846). But in the final text of each, none of them undercut the main goal of the legislation: to give Californians the right to view the data that companies like Google and Facebook hold on them, and, critically, request that it be deleted and not sold to third parties.
That GDPR-like law gives the state’s 40 million inhabitants the right to demand and delete private information and it applies to any company that holds data on more than 50,000 people, with each violation carrying a hefty $7,500 fine.
The amendments themselves (those above plus AB 1146 and 1355) will put a one-year moratorium on employee data as well as let companies use data published by the government. The car industry got an effective exemption thanks to warranties. And the requirement to provide a toll-free number to explain their rights to consumers was pulled; now an email is sufficient.
But the tech industry had really pushed hard for changes that have not made it through, including exempting “targeted advertising” – which is basically Google and Facebook’s entire business model – and expanding the type of datasets that are exempt from the law to cover, you guessed it, the data that Facebook and Google sell. The tech companies tried multiple different creative ways to jam through loopholes – such as a novel definition of what “social media” actually is – however, lawmakers, assisted by eagle-eyed privacy advocates, beat them back.
Still not done
This isn’t the end of it, however. Even though the law will come in effect on January 1, enforcement won’t begin until mid-2020 and the final regulations that companies will have to follow are being drawn up by California’s attorney general. That process could swing either way, with tech companies required to do more than they envisioned, or possibly less.
The first draft of the regulations is expected next month with subsequent comment and review periods. Which means more battles.
It is clear Big Tech has admitted defeat in this case. Don’t imagine for a second that that means you will regain rights over your private data, however: Google et al have already joined up with other companies and moved the fight to Washington DC, where lawmakers have suddenly discovered a newfound passion for federal privacy legislation.
Such legislation would, of course, override this California Consumer Privacy Act. ®