Lobbyists Descend On California To Shape A Rushed New Privacy Law
from the if-at-first-you-don't-succeed dept
Last year, the GOP and Trump administration used the Congressional Review Act to dismantle FCC consumer broadband privacy protections before they could take effect last March. While AT&T and Comcast whined incessantly about the rules, the FCC’s guidelines were relatively modest; they required that ISPs and mobile carriers be transparent about what data is being collected and sold, and get express consumer opt-in consent before ISPs can share more private financial or location data. Such rules could have gone a long way in protecting consumers in the wake of the recent Securus and Locationsmart location data scandals.
Following the ISP-funded attack on FCC authority and consumer protections, states have begun exploring their own privacy protections (mirroring what we’re also seeing on the net neutrality front). For example, California last year considered passing a state-level copy of the FCC’s gutted privacy rules. But those efforts hit a political brick wall thanks to the collective lobbying muscle of Comcast, Verizon, AT&T, Google and Facebook, which killed that effort by lying repeatedly about what the proposal actually did, including claims the proposal would “aid extremism.”
Verizon and Facebook both pretended to back away from those attacks once their efforts gained press exposure, but those promises don’t appear to be worth much.
In the wake of the successful attack on FCC privacy rules, California privacy advocates have been pushing a new ballot initiative, this time dubbed the California Consumer Privacy Act of 2018. The initiative would require that companies be fully transparent about what data is being collected and sold (and to whom), as well as mandating mandatory opt-out tools. The proposal goes further than the FCC’s discarded rules, in that it would ban ISPs from trying to charge consumers more for privacy, something that has already been previously implemented by AT&T and considered by Comcast.
The new initiative is scheduled to appear on this November’s ballot, and Google, Facebook, and large ISPs are once again working in concert to ensure that doesn’t happen ahead of a looming Thursday afternoon deadline. They’re collectively now pushing for quickly-hacked together “compromise legislation,” AB 375, they’re hoping will be significantly weaker than the looming November ballot initiative.
“In addition to Facebook, Google, AT&T, Microsoft, Amazon, Verizon, and the California New Car Dealers Association have each contributed six figure donations to the Chamber account set up to defeat CCPA. Uber, the Data & Marketing Association, Cox Communications, and the Interactive Advertising Bureau have each contributed $50,000 to the account, according to disclosures.”
Recall, Facebook recently made a big show earlier this year about how it wouldn’t be working to undermine such privacy proposals in the wake of the Cambridge scandal:
“The inclusion of a Facebook representative is notable, given the company?s well-publicized announcement earlier this year that it would end its opposition to the initiative. In February, the company provided $200,000 to an account set up by the California Chamber of Commerce designed to defeat the CCPA initiative. But in April, following revelations about the extent to which British consulting firm Cambridge Analytica provided the Donald Trump campaign with illicit access to Facebook user data, Facebook announced that it would withdraw its opposition to CCPA and not provide additional funding to the Chamber account.”
As the GDPR clearly illustrates, there’s some real peril in pushing through solutions before ironing out all of the potential pitfalls. Both the scotch-taped together AB 375 and the California Consumer Privacy Act (a pet side project of San Francisco real estate developer Alastair Mactaggart) have some notable problems that would have been aided by a longer, more transparent and inclusive discussion. Though the problems with AB 375 (which, again, if passed would eliminate the latter from contention) are notably worse, in large part because the bill was quickly cobbled together in just under a week behind closed doors:
“By tomorrow, the California legislature likely will pass a sweeping, lengthy, overly-complicated, and poorly-constructed privacy law that will have ripple effects throughout the world. While not quite as comprehensive as the GDPR, it copies some aspects of the GDPR and will squarely impact every Internet service in California (some of whom may be not currently be complying GDPR due to their US-only operations). The GDPR took 4 years to develop; in contrast, the California legislature will spend a grand total of 7 days working on this major bill.”
Not only was AB 375 a rush job, the bill has been steadily eroded since introduction by this super group of telecom and Silicon Valley lobbying giants. AB 375 just passed out of the out of the Senate Judiciary Committee, meaning it’s most likely going to be the California privacy proposal of choice. And the fact that it’s a rush job is not apparently of much concern to the bill’s backer:
“Assemblyman Ed Chau, an Arcadia Democrat and the chief bill author, said he doesn’t like the rushed process forced by the ballot measure deadline, but he stressed that his bill gives Californians important privacy protections.”
With that mindset, it’s easy to wind up with a privacy law that sounds good (“look ma, I “fixed” privacy!”) but doesn’t actually do anything. And when you’ve got lobbyists from AT&T, Comcast, Verizon, Facebook, Google, Amazon and Microsoft disproportionally dictating the overall trajectory of the law, the chances that you’re going to end up with weak-kneed “privacy rules” in name only is pretty monumental. Adding speed for speed’s sake — combined with an overall lack of transparency — only adds to the potential that the rules you end up with are toothless or packed with unintended consequences.
That said, doing nothing isn’t an option. This isn’t a problem that magically fixes itself.
Modern consumer privacy oversight in the internet-era currently consists of little more than pinky swears and winks, a point driven home repeatedly by the Cambridge, LocationSmart and Securus scandals. We need to have a lengthy, transparent, adult conversation about what a potential solution might look like. The problem is that the larger companies dictating the conversation have an absolutely abysmal track record on these issues, so while they may have valuable insight on the complicated scope of a particular proposal’s impact, they’ve managed, repeatedly, to shoot their credibility squarely in the foot on this subject.
And while ISPs and Silicon Valley giants like to go on at length about how they’re “open to having a conversation” about more meaningful privacy guidelines, the reality is that most of these larger companies simply aren’t. Any rules worth their salt will cost them money, since an informed, empowered consumer is more likely to opt-out of data monetization schemes, whatever they look like. As a result, you’ll be hard-pressed to find many large ISPs or Silicon Valley giants willing to back truly tough consumer protections, especially rules than mandate express, opt-in consumer consent for things like location or financial data.
Eventually, after we’ve suffered through a few more hacks, breaches and major scandals, some of these companies may shift their thinking toward the idea that compliance with quality, even-handed rules is more profitable than chaos. But as the ham fisted repeal of the FCC privacy rules makes clear, we’re nowhere near that point yet. Meanwhile, on the federal level, the Trump administration is rumored to be considering a broad new privacy plan. And if the administration’s equally heavy-handed net neutrality repeal is any indication, objectivity, hard data and transparency aren’t likely to have much of a seat at the table there, either.