That said, he added, “Sensible companies realize this regulation is coming. This is not a burn-down-the-whole-world law. This is not a law that, you know, puts anybody out of business.”
The real estate developer turned data privacy advocate has given a lot of thought in recent years to the surveillance economy that’s sprung up around consumer data. And he recognizes he’s not alone in feeling concerned about it: About 81% of the public say they feel “the potential risks they face because of data collection by companies outweigh the benefits,” according to the Pew Research Center.
But unlike most of us, Mactaggart had the money to launch a political and legal conversation in California, although “conversation” is perhaps too polite a term.
In 2018, Mactaggart launched a ballot initiative to tackle consumer data privacy. Business interests, data privacy advocates and members of the state Legislature were able to persuade him to drop it in favor of hastily written — and passed — legislation.
At that point, all sides declared open season on “fixing” it as the legislative year progressed. More than a couple dozen bills were launched, some trying to tighten the language of the CCPA to favor consumers, more trying to loosen the law to favor businesses.
“I expected some pushing and shoving, but I didn’t expect this wholesale assault to try to like wipe it out,” Mactaggart said.
Most of the measures failed to pass, thanks in large part to state Sen. Hannah-Beth Jackson, D-Santa Barbara, who chairs the Senate Judiciary Committee in Sacramento. After the smoke cleared, what was left of the CCPA was still the strongest law of its kind in the country.
That may be because “it’s the only privacy act in the country,” said Jackson.
She said she appreciates that Mactaggart now wants to make the law even tougher, although she hasn’t had the chance to comprehensively review the fine print.
“This is such a new area. There are probably going to be a lot of different interpretations to it,” Jackson said.
But a number of other data privacy advocates like Mary Stone Ross with the Electronic Privacy Information Center in Washington, D.C., are concerned about the fine print. Ross co-authored the earlier initiative, but says the new one includes giveaways to business interests.
“For example, there’s this definition of ‘de-identified information,’ ” she said. “It’s actually a really big deal because by definition, de-identified information is not personal information, and so if that definition is weakened, then it weakens the scope of the entire law.”
“Sure enough, in this new initiative is a weakened definition of de-identified,” Ross added.
In other areas of the fine print, the Act raises the threshold for when the rules apply: only companies that buy, sell or share the personal information of more than 100,000 consumers or households need comply. The current standard kicks in for 50,000 consumers or more.
And yet more fine print: A business is exempt from disclosing information in response to rights requests if it requires disclosing “trade secrets.” The definition of a trade secret is very broad and could create a significant hurdle for prosecutors, regulators, or consumers trying to exercise their rights under CCPA.
It’s hard for data privacy advocates to ignore these provisions, even amid other language that tightens other elements of CCPA in favor of consumers. Last October, 11 privacy groups wrote an open letter to Mactaggart, urging 45 ways to strengthen the language of his new initiative. Only seven of their suggestions were incorporated into the final version.
“There are steps forward. There are steps back. There are missed opportunities,” said Hayley Tsukayama, a legislative activist for the Electronic Frontier Foundation. Noting that EFF has not officially come out against the new initiative, she added, “We have publicly pointed out the flaws that we see in the initiative. He didn’t take all of our suggestions.”
Beyond California
In the absence of federal data privacy law, Ross says other states are looking to California for direction. “There’s legislation that’s going to be introduced in Florida, in Colorado, potentially in New York,” she said.
For Jim Halpert, a corporate attorney with DLA Piper who advises companies about data privacy, the new initiative is a step in the right direction.
The new language, he said, is “addressing some of the practical compliance issues that drove efforts to amend the law by the business community in 2019.”
California’s groundbreaking data privacy regulation constitutes “a sea change in regulation of privacy in the U.S.,” Halpert added.
