Heavyweight Privacy Battle: California Legislators vs. Tech & Telecom Giants


Tyler Whitney[*]

I. Introduction

California enacted legislation on June 28, 2018, that has been called “one of the most significant regulations overseeing the data-collection practices of technology companies in the United States”[1] and “arguably the most far-reaching data protection law ever enacted in the United States.”[2] The law in question is the California Consumer Privacy Act (CCPA).[3] The passage of the CCPA was seen as a huge victory for privacy advocates because the law “makes it easier for consumers to sue companies for not adhering to [the law’s] privacy requirements,” and “it gives the [California] attorney general more authority to fine companies that don’t adhere to the new regulations.”[4]

The proposed legislation does not go into effect until January 1, 2020, and the eighteen-month gap following enactment has created opportunities for the bill’s opponents to try to water the bill down or lobby for federal legislation to preempt it and make it go away altogether.[5] A representative for the Internet Association (which includes Google, Facebook, and Amazon) said that the new law contains many “problematic provisions,” and they will seek “to correct the inevitable, negative policy and compliance ramifications” the CCPA creates.[6] Even legislators have said they expect “to pass ‘cleanup bills,’” [7] which would fix “several errors and inconsistencies, as well as many vague provisions, presumably as the result of [the CCPA’s] hasty drafting.”[8] One thing is for sure: the bill will require changes before going into effect. The question is who the driving force behind these changes will be. Privacy advocates or lobbyists for major tech and telecom corporations?

II. The CCPA – Background & History

It should be no surprise that the CCPA came about as a result of corporations’ misuse of personal information. The language of the CCPA specifically mentions the Cambridge Analytica incident,[9] where “the personal data of up to 87 million [Facebook] users . . . was obtained” by Cambridge Analytica and arguably misused to influence audience voting behavior.[10] Even amid the ever-increasing fear about privacy concerns and misuse of data, the CCPA’s passage was an oddity. The bill was “unanimously approved”[11] and “went from draft to law in one week.”[12] This occurred because opponents of the bill were more worried about a ballot measure that they viewed as worse. The ballot contained “even tougher oversight over technology companies” than the CCPA did.[13] The ballot measure would have gone straight to voters if the legislation had not passed, and the measure “had been polling [at] around 80 percent” in favor of approval.[14] One of the authors of the CCPA previously tried to pass a similar law without a ballot initiative, and the bill did not even make it out of the committee[15] as a proposal to the California legislature at large.[16]

The CCPA contains many key provisions, including, at a general level, consumer rights to:

1) “Know the types of personal information companies collect from them. 2) Know whether their personal information is sold or disclosed and to whom. 3) Prevent the sale of their personal information. 4) Have access to their personal information. 5) Receive equal service and price, which prohibits discrimination against those who exercise their privacy rights under the statute.”[17]

The bill applies to companies based on their annual revenue ($25 million or more), the amount of personal data they possess (50,000 consumer records), or the portion of annual revenue derived from selling personal data (over 50%).[18] According to a review by the International Association of Privacy Professionals (IAPP) regarding the language of this portion of the CCPA as applied to recent census data, the CCPA “will apply to more than 500,000 U.S. companies.”[19]

Also worth noting is that, in the event of a violation, a company could face damages of “an amount not less than [$100] and not greater than [$750] per consumer per incident.”[20] In the event of a major breach, like the 87 million consumers affected by the Cambridge Analytica incident,[21] this could amount to significant damages if a successful class action was filed. Importantly, consumer is defined in the CCPA as “a natural person who is a California resident,”[22] so not all 87 million consumers affected would be able to collect damages under the CCPA, only California residents. The California Attorney General can also fine a business $2,500 per violation or $7,500 for each intentional violation.[23]

The backlash from Tech and Telecom Companies

Some of the companies that opposed the initial ballot measure included big names like Google, Facebook, Verizon, Comcast, and AT&T.[24] The many corporate giants did not even try to oppose the CCPA from passing, however, because “it prevent[ed] the even worse ballot initiative from becoming law in California.”[25] The only reason the legislation passed unopposed and so quickly is because the voter initiative was “worse.”[26] Calling the CCPA a “last-minute deal,” industry giants vowed to correct the “negative policy and compliance ramifications” of the new legislation.[27]

Tech and telecom companies will have ample opportunity to lobby for change in the 18 months following enactment, which has privacy advocates worried that these companies “will use that time to water [the CCPA] down.”[28] There will be changes to the CCPA, as the drafters of the bill have admitted there will need to be “cleanup bills.”[29] One such bill, SB-1121,[30] has already passed; primarily to fix drafting errors, but it also includes important changes including a narrower definition of “personal information” and delays the California Attorney General’s ability to enforce the CCPA by six months.[31]

The primary concern for companies is the CCPA potentially exposes them to civil liability.[32] One company, Intel, has even drafted a privacy bill[33] of its own in the hopes of creating a shield from possible fines. This shield would be granted in exchange for “attest[ing] to the [FTC] annually that [companies] take strong measures to protect consumer data.”[34] Notably, Intel is “seeking a sponsor in Congress”[35] for its privacy bill, most likely to entice federal legislation that preempts and invalidates the CCPA. Lobbying for preemption through federal legislation is likely to be the primary focus of CCPA opponents because the CCPA is so popular among California voters it is unlikely that legislators will be able to weaken the law significantly.[36]

Marc Groman, the former White House senior adviser on privacy, believes Intel’s propose is worth taking seriously.[37] The Intel proposal contains protection from fines via revocable safe harbor (and limits fines to $1 billion if the safe harbor is revoked), but grants rulemaking authority to the FTC, and “executives who falsely certify their compliance could face criminal prosecution.”[38] Quite convincingly, Intel’s global privacy officer claims that “executive’s fear of imprisonment would drive ‘the best privacy protection you can get.’”[39] While it is hard to argue with Intel’s reasoning, it may prove challenging to get the executives of major corporations to willingly agree to potential criminal liability over privacy issues.

Outcome Unknown

The outcome and the final look of the forthcoming privacy protections are uncertain, but can roughly be broken down into four possibilities: (1) a “strong” CCPA—considered a win for privacy advocates; (2) a “weak” CCPA—a win for more than 500,000 businesses;[40] (3) federal legislation that preempts the CCPA and is weaker than the current version of the CCPA; or (4) federal legislation that preempts the CCPA but is equal to or stronger than the CCPA. While the gears of the federal government turn slow, it appears enough big names are throwing around enough money to at least get the discussion started. No matter what the outcome, the United States will most likely be receiving the most compressive privacy legislation in its history. If the federal government does not act by July 1, 2020 (the new date when the Attorney General can begin enforcement following SB 1121), companies far and wide will begin to feel the reaches of the CCPA. Whoever wins the day, state law or federal law, privacy advocates or corporations, new privacy law is coming, and it will affect the entire country.

[*] Staff Editor for the Denver Law Review and 2020 J.D. Candidate at the University of Denver Sturm College of Law.

[1] Daisuke Wakabayashi, California Passes Sweeping Law to Protect Online Privacy, N.Y. Times (June 28, 2018), https://www.nytimes.com/2018/06/28/technology/california-online-privacy-law.html.

[2] Kevin F. Cahill et al., California Consumer Privacy Act: Potential Impact and Key Takeaways, 30 No. 12 Intellectual Prop. & Tech. L.J. 11, 11 (2018).

[3] California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.145 (West 2018).

[4] Wakabayashi, supra note 1.

[5] See id. (“Privacy advocates are worried that lobbyists for business and technology groups will use [the 18 months] to water [the law] down.”). Also, opponents are lobbying for federal for federal legislation that will preempt the California law.

[6] Id. (comment by Robert Callahan, Vice President of State Government Affairs for the Internet Association).

[7] Id.

[8] Cahill, supra note 2.

[9] Cal. Civ. Code § 1798.145 note (“Sec. 2 The Legislature finds and declares that . . . (g) In March 2018, it came to light that tens of millions of people had their personal data misused by a data mining firm called Cambridge Analytica. . . . As a result, our desire for privacy control and transparency in data practices is heightened.”).

[10] Facebook Cambridge Analytica Scandal: 10 Questions Answered, Fortune (Apr. 10, 2018) [hereinafter Cambridge Analytica Scandal], http://fortune.com/2018/04/10/facebook-cambridge-analytica-what-happened.

[11] Cahill, supra note 2.

[12] Wakabayashi, supra note 1.

[13] Id.

[14] Id.

[15] California State Assembly, Committee on Privacy and Consumer Protection.

[16] Wakabayashi, supra note 1.

[17] Cahill, supra note 2.

[18] Id. at 12.

[19] Rita Heimes & Sam Pfeifle, New California Privacy Law to Affect more than Half a Million US Companies, IAPP: The Privacy Advisor (July 2,

2018), https://iapp.org/news/a/new-california-privacy-law-to-affect-more-than-half-a-million-us-companies.

[20] Cal. Civ. Code § 1798.150(A).

[21] Cambridge Analytica Scandal, supra note 10.

[22] Cal. Civ. Code § 1798.140(g).

[23] Cal. Civ. Code § 1798.155(b) (as amended by S.B. 1121, 2017-2018 Reg. Sess. (Cal. 2018)).

[24] Wakabayashi, supra note 1.

[25] Id.

[26] Id.

[27] Id.

[28] Id.

[29] Id.

[30] S.B. 1121, 2017-2018 Reg. Sess. (Cal. 2018).

[31] Cahill, supra note 2, at 11–12.

[32] See Stephen Nellis & Paresh Dave, Intel-drafted U.S. Data Privacy Bill Would Protect Firms from Fines, Reuters: Politics (Nov. 6, 2018), https://www.reuters.com/article/us-intel-privacy/intel-drafted-u-s-data-privacy-bill-would-protect-firms-from-fines-idUSKCN1NC05Q (the primary purpose of the Intel bill is to “shield companies from fines”).

[33] Innovative and Ethical Data Use Act of 2018, Intel, https://usprivacybill.intel.com/legislation (last updated Jan. 28, 2019).

[34] Nellis, supra note 31.

[35] Id.

[36] See Wakabayashi, supra note 1 (noting that the much stronger and less flexible ballot measure was polling with 80% of those polled in favor of approval. If 80% were in favor of the much stronger privacy protection, it is very likely that an even greater percentage of voters would be in favor of the relatively weaker CCPA protections).

[37] Nellis, supra note 31.

[38] Id.

[39] Id. (comment by David Hoffman, Global Privacy Officer at Intel).

[40] See Heimes, supra note 19.