Inside the closed-door campaigns to rewrite California privacy law, again
The last time Alastair Mactaggart tried to write the rules on internet privacy in California, tech giants like Facebook, Google and Microsoft mostly ignored him and then tried to crush him — spending millions of dollars in a fight that ultimately led to the passage of the California Consumer Privacy Act.
No one's ignoring him now.
In late September, the real estate developer turned privacy champion unveiled a draft of a second California privacy measure, one he says is aimed at blocking lobbyists' attempts to gut the first one. The announcement stunned the tech community and set off a mad dash of lobbying efforts — what Mactaggart estimates were hundreds of calls and meetings with everyone from constitutional lawyers to privacy advocates to regulators to labor groups to executives from Google, Facebook and other tech giants.
"We talked to everybody we could, just to say: What are the points of interest for you?" Mactaggart says. Many of these conversations included California Senate Majority Leader Bob Hertzberg, who lent his support to the initiative. "It's not a normal process to do it this way, but we were trying to do the best we could with limited time," Mactaggart says.
The result is Mactaggart's new California Privacy Rights Act, a juggling act of promises kept, concessions made, power flexed and deals struck. Interviews with more than 20 people involved in that process reveal how at least half a dozen provisions within the new initiative — from the limits on sensitive personal information to the treatment of employee data — trace directly back to Mactaggart's private negotiations.
Mactaggart, founder of the group Californians for Consumer Privacy, says Facebook and others complained that his initial draft prohibited businesses from using misleading interfaces called "dark patterns" to get consent from their users. "A whole bunch of businesses didn't love our definition of 'consent' because now consent really means you actually want to give your consent," Mactaggart says. "Too bad. We kept it in."
Facebook declined to comment on these negotiations. Spokesman Andy Stone wrote in a statement, "We've advocated for privacy laws that give people more rights over their data and are glad to see that this initiative is raising a discussion about how to expand privacy rights in California."
A whole bunch of businesses didn't love our definition of 'consent' because now consent really means you actually want to give your consent. Too bad. We kept it in. — Alastair Mactaggart
Google, meanwhile, offered Mactaggart feedback regarding letting people limit businesses' use of their sensitive personal information, like their ethnicity or health data. Mactaggart hoped to prevent advertisers from, for example, bombarding a cancer patient with ads for treatment because the advertiser knows the diagnosis. But Google wanted to ensure such a rule wouldn't also prohibit contextual ads for a hospital on a site like Cancer Today.
That made sense to Mactaggart. "None of your personal information was necessary for that transaction to take place, and, if you forbid that transaction, then you would stop advertising revenue going to that site to allow it to keep operating," he says.
Initially, CPRA would have allowed people to opt out of the use of their sensitive personal information in advertising and marketing only. But in the final version of the initiative, Mactaggart replaced that with a provision that allows people to limit all use of their sensitive data, with a handful of exceptions. One of those exceptions is for contextual advertising in sensitive areas.
Twitter had concerns about the status of tweets under CCPA, concerns that Mactaggart was aware of before he began drafting the initiative. Under CCPA, consumers can delete or opt out of the sale of their personal information, as long as it's not considered "publicly available." That term is currently defined to mean, essentially, lawfully obtained government records. In a two-page handout circulated in meetings about CCPA over the summer, Twitter argued that this definition could apply to tweets and torpedo basic functionality, an issue it dubbed "The Jimmy Kimmel Problem."
"If Tweets are now considered private data, are citizens in violation of the CCPA for sharing (or retweeting) tweets?" reads the handout, which was drafted by Twitter's senior public policy manager, Tom Tarantino. "When Jimmy Kimmel has public figures read mean tweets, is he or the readers violating the CCPA?"
The definition of "publicly available" could also interfere with Twitter's APIs. If a user tells Twitter to stop selling their information, that might require Twitter to stop sharing it with developers, some of whom pay to access Twitter's API. Twitter wanted to change the definition of "publicly available" so it would exempt information "that is made available to the general public by the consumer."
Over the summer, according to emails reviewed by Protocol, Twitter's director of public policy, Carlos Monje, was seeking buy-in from privacy advocates.
"We're always working to ensure our services meet applicable regulations including the CCPA, and Mr. Mactaggart deserves credit for being open to feedback and pushing for a state law that can be a model for the nation," a Twitter spokesperson said in a statement.
The final version of CPRA includes language that satisfies Twitter's concerns. But Mactaggart says that had less to do with Twitter and more to do with feedback he received from First Amendment scholars like Margot Kaminski at the University of Colorado Law School.
Mactaggart asked Kaminski to scour the initiative for anything she thought would make the law vulnerable to a constitutional challenge. The old definition of publicly available was, for Kaminski, a glaring problem. Once information is shared with the general public, in say a Tweet or a news article, it's hard to make the case under the First Amendment that the government can force a company or person to stop sharing it.
"Once the cat is out of the bag, you better have a really good reason as a government actor for putting it back in," she says. "Otherwise it's censorship."
For similar reasons, Kaminski urged Mactaggart to abandon a provision in the first draft that would have allowed people to find out if their data was used by a business for its own political purposes. Kaminski warned Mactaggart that such a provision would be especially susceptible to First Amendment challenges.
"Everyone thought including it could throw the entire law into strict scrutiny, which in an ideal world is an outcome anyone would like to avoid," Mactaggart says. "I guess any time you get close to political speech, you are stepping into a minefield."
Experian, meanwhile, had been shopping around changes of its own as part of negotiations in the legislature over the summer. An email obtained by Protocol shows that in August, Paul Gladfelty, a lobbyist for Experian, had been working with Mactaggart on an exemption to CCPA for commercial credit-reporting agencies. Consumer credit reporting data is already regulated under the Fair Credit Reporting Act. Commercial credit reports, which are used to score businesses' creditworthiness, are not. Unless it was amended, CCPA would change that.
At first, Experian asked for a wholesale exemption for commercial credit-reporting agencies, but Mactaggart rejected the request, according to Gladfelty's email. Instead, the email states and Mactaggart confirms, they agreed to more narrowly tailored language, which is included, almost verbatim, in both the first and final versions of the ballot initiative. Under that agreement, these agencies can still process, collect, sell and disclose the names and contact information of business owners and top decision makers. But they're limited in what they can do with that information.
Experian and Gladfelty did not respond to multiple requests for comment.
Mactaggart says this exemption seemed logical to him. If CCPA allowed bankrupt business owners to delete their data, he says, "All of a sudden there's no integrity to the system anymore."
Privacy advocates largely disagreed. Shortly after Mactaggart debuted the new initiative, a coalition of consumer groups including the Electronic Frontier Foundation, ACLU California, Common Sense Kids Action, Consumer Reports and others submitted a letter with dozens of comments and criticisms. The commercial credit reporting carveout was just one of them.
I have no idea what [Mactaggart] was thinking or why he did this. — EFF's Adam Schwartz
The EFF also opposed a so-called "loyalty club" provision that popped up in the final version of the initiative. It allows businesses to offer financial incentives in exchange for the right to collect, share, sell or retain consumer data, as long as the consumer opts in and those incentives aren't "unjust, unreasonable, coercive or usurious in nature." Over the summer, privacy and consumer advocates fought a similar bill in the legislature, arguing that businesses shouldn't be able to turn around and sell loyalty club data. The initiative, however, includes no such limitations.
"I have no idea what [Mactaggart] was thinking or why he did this," says Adam Schwartz, a senior staff attorney with the EFF, who had a chance to review the initiative a few days before Mactaggart debuted it.
Mactaggart says he included that provision because he was "tired of people saying that you couldn't have discount programs" under CCPA. He insists loyalty clubs are already allowed under the law and that his initiative merely states that fact outright. "This absolutely changes zero," he says.
The privacy coalition also tried and failed to convince Mactaggart to remove an exemption that says businesses don't have to comply with certain data requests if the data helps "ensure security and integrity." Schwartz worries that ad tech firms could use that as an excuse to hoard data in the name of preventing click fraud.
"On the whole, I think the initiative is a mixed bag with some steps forward, steps backward, some missed opportunities, and half steps," Schwartz says.
Mactaggart did make a few concessions to the privacy groups. In the initial draft, he included an exemption that would have allowed businesses to retain data in order to respond to government requests concerning child welfare.
"They were like, 'We don't like that. Take it out,'" Mactaggart says of the privacy groups. "We tried."
Schwartz called that a "bullet dodged," saying it would have opened up too wide a loophole, even if the intent was noble. He says privacy groups considered that provision to be "destroying the village to save it."
The privacy coalition and labor groups similarly persuaded Mactaggart to change course on a wholesale exemption of employee data. As it stands, CCPA gives employers a one-year exemption from having to comply with data requests from their employees. This window was designed to give the legislature more time to work out the thorny issue. CPRA would have extended that exemption indefinitely.
Activists and lobbyists on both sides of this debate feel an overwhelming sense of resentment that Mactaggart has thrown California's privacy law into doubt all over again.
After the first draft was published, Mactaggart met with representatives of the California Labor Federation and the California Employment Lawyers Association, who stressed that workplace surveillance was a pervasive problem. Together, they landed on a three-year exemption for employers, rather than an indefinite one. Mactaggart also added language that explicitly protects workers' rights to organize and prohibits retaliation against them for exercising their data rights.
"He understood where we were coming from. We were really pleasantly surprised," says Mariko Yoshihara, legislative counsel and policy director for CELA.
The final draft Mactaggart submitted to California's attorney general last November contains a little something for everyone to both thank and blame him for. At the highest level, it calls for a new agency called the California Privacy Protection Agency, which would take rulemaking authority out of the hands of the California attorney general. And it would give Californians some new rights, too, including the right to correct their data, control the use of their sensitive personal information, and opt out of precise geolocation targeting. It includes provisions that require businesses to minimize the amount of data they collect and creates a new option for consumers to opt out of the sale of their data through their browsers. At the same time, it revives some corporate exemptions and carveouts that privacy groups thought they had squashed.
"He was trying to do the right thing and find something everyone can live with and move the ball forward and not be overturned in the courts," says Justin Brookman, Consumer Reports' director of consumer privacy and technology policy, who discussed the initiative with Mactaggart. "That's a hard job."
So far, neither the privacy coalition nor the giant industry groups like TechNet, Internet Association or the California Chamber of Commerce have taken a clear stance on the new initiative. What is clear, however, is that activists and lobbyists on both sides of this debate feel an overwhelming sense of resentment that Mactaggart has thrown California's privacy law into doubt all over again.
By taking this initiative straight to voters, Alastair Mactaggart believes he could shield it from lawmakers or lobbyists who want to weaken it over time.Photo: Al Drago/Bloomberg via Getty Images
As of January, CCPA is the law of the land. The attorney general is still finalizing rules, businesses are still figuring out how to comply, and lawmakers and lobbyists in Sacramento are still working on amendments in the legislature. If CPRA passes in November, and goes into effect in 2023, some fear much of that could be for naught.
"All of this work could be swept away by the ballot initiative, which will change the rules and the playing field for companies yet again," says Kevin McKinley, the Internet Association's director of government affairs for California.
Jim Halpert, a partner at DLA Piper, who represents tech companies through a group called the State Privacy and Security Coalition, said CPRA is, quite simply, too long and complex for the average business to understand. "What I encouraged Alastair to do is to work on something that would be simple, clear, and would be a good model for federal law," Halpert says, calling the final version a "lost opportunity."
Others, like Mary Stone Ross, associate director of the Electronic Information Privacy Center and Mactaggart's co-author on the 2018 ballot initiative, raised questions about California Senate Majority Leader Bob Hertzberg's role in CPRA. In 2018, Hertzberg was the one who negotiated with Mactaggart to drop his first ballot initiative and work with the legislature on what would become CCPA. Ross wondered why, after all this time, Hertzberg would urge Mactaggart to take up another initiative.
"It's just a power play," Ross says. She notes that Hertzberg, who is in his last term in the senate, has already set up a campaign committee for the 2022 state controller race. That campaign has received funding from corporate giants including Facebook and Experian.
Hertzberg, for his part, says the fight over CCPA was far more divisive than he initially anticipated. He didn't see a way to advance some of CPRA's biggest ideas, like the creation of the California Privacy Protection Agency, in that environment. "There was never the big think, if you will, about what we wanted to do with CCPA and where we were going," he says. "People were just trying to get their teeny fixes."
He says he pushed Mactaggart to draft another initiative only after he'd exhausted all his options in the legislature.
Mactaggart, meanwhile, says he had been watching as lobbyists stalked the halls of the Capitol, pushing for amendments that would have left the law, to his mind, toothless. They'd mostly failed. But that didn't give Mactaggart much comfort.
"I remember thinking: This is not sustainable," he says. "At some point it feels like when you let your guard down, one of these changes is going to come through, have a massive impact, and end up gutting the law."
In August, Mactaggart says he and a small circle of advisers began working on what would become CPRA. By taking this initiative straight to voters, Mactaggart believed he could shield it from lawmakers or lobbyists who wanted to weaken it over time. California's quirky ballot initiative process is the only way for a private citizen like Mactaggart to wrest power from the legislature.
Of course, there are still plenty of people who believe this initiative is merely a bargaining chip. "Frankly, I think that it's likely there will be a negotiation before the ballot measure hits the ballot," says state Sen. Hannah-Beth Jackson, the chair of the judiciary committee.
Jackson shut down many of the industry-backed bills that passed through her committee in 2019. But she is also in her last term in office and says she understands why Mactaggart worries about what might happen to the law in her absence.
"The industries will bring members to their offices and wine and dine them and all those things to make my colleagues feel special and cool, and then you have the EFF and the ACLU and other groups like that, and they don't have those resources," Jackson says. "It's simply not a fair fight."
Mactaggart had to have known what he was getting himself into when he made his big announcement in September. He's been in this position before. "It does sometimes feel like I don't have a ton of friends on either side," Mactaggart says.
But he says this time around feels different. This time, he's making his case against the backdrop of a privacy reckoning in America, where giants like Google and Facebook have not only surrendered to the fact that regulation is coming, they're openly asking for it. And this time, the alternative to his initiative isn't the status quo; it's CCPA, a law shaped in his image.
Mactaggart now has until the end of April to collect 623,000 signatures and get on the November ballot. If he does, which he almost certainly will, he says his polling suggests CPRA will pass handily.