Big Tech is still fighting to curb California’s privacy law

Google, Pinterest and more are pushing California’s new privacy agency to narrow the California Privacy Rights Act before it goes into effect in January.


Tech companies are seizing on the chance to shape how the California Privacy Protection Agency defines automated decision-making.

Image: Tobias Tullius/Unsplash

California’s revamped privacy law, the California Privacy Rights Act, goes into effect in January 2023. The law, which passed by ballot proposition in 2020, is the product of years of backroom battles between lawmakers, regulators, businesses and privacy advocates. But even after all these years, it seems Big Tech companies and their lobbyists are still working to limit the law before it’s too late.

Everyone seemed to want to have their say in public comments released this week by California’s new privacy regulator, the California Privacy Protection Agency. Tech giants including Google and Pinterest, as well as top industry groups including TechNet and Internet Association, urged the agency to issue regulations that would narrow the scope of CPRA. One of their top concerns is how the agency plans to define “automated decision making,” which consumers can opt out of under the law. They also asked the agency to limit which companies have to conduct annual cybersecurity audits under the law.

CPRA gave the CPPA broad authority to implement and enforce the law and issue new regulations to go along with it. The agency is now weighing these and other comments as it decides how to handle what it called “new and undecided” issues contained in CPRA.

It’s no surprise that tech companies are seizing on the chance to shape how the agency defines automated decision-making. It’s a broad term that isn’t clearly defined in the law, but could implicate just about every tech company in the world — which is precisely what tech companies are arguing.

“Automated decisionmaking technology is not a universally defined term and could encompass a wide range of technology that has been broadly used for many decades, including spreadsheets and nearly all forms of software,” wrote Cameron Demetre, the California and Southwest executive director for TechNet, which represents Meta, Google, Apple and more.

Google in particular argued that the agency should focus its rules on “fully automated decisionmaking that produces legal effects or effects of a similar import, such as a consumer's eligibility for credit, employment, insurance, rental housing, or license or other government benefit.” Such a standard, the company argued, would bring California into alignment with Europe’s General Data Protection Regulation as well as Colorado and Virginia’s recently passed privacy laws, which both take effect in 2023. “These laws' focus on decisionmaking that has the potential to produce substantial harm is well-considered,” Google director of State Policy Cynthia Pantazis wrote.

Pinterest went so far as to argue that “any effort” to regulate automated decision-making, beyond decisions that have legal consequences, would be “overly broad.”

Privacy advocates are pushing the agency to take a wider view. In their joint comments, the Electronic Frontier Foundation, Common Sense Media, the American Civil Liberties Union in California and the National Fair Housing Alliance suggested that the agency should adopt a definition of automated decision-making put forward by Rashida Richardson, the White House’s current senior policy adviser for data and democracy.

Richardson’s definition is broader than what tech companies might want, but narrow enough so as not to encompass all technology. It focuses instead on systems that “aid or replace government decisions, judgments, and/or policy implementation that impact opportunities, access, liberties, rights, and/or safety.”

In addition to defining automated decision-making, tech companies also have concerns about how the agency will handle the part of CPRA that requires companies to undergo regular risk assessments and annual cybersecurity audits if they process consumer data in a way that “presents significant risk to consumers’ privacy or security.”

Right now, it’s unclear what constitutes “significant risk” or what types of companies will be required to submit to audits and assessments. In the comments, tech companies once again urged the agency to take a conservative approach. TechNet, for one, argued that companies should be able to do self-audits because third-party audits are “burdensome and expensive.” Google encouraged the agency to use California’s existing data-breach law as a guide when determining what data could pose a “significant risk.”

“[S]tate data breach reporting laws require businesses to report security breaches with respect to certain categories of information precisely because such information, in the wrong hands, may pose a significant risk to consumers' privacy and security,” Google’s Pantazis wrote.

The Internet Association, meanwhile, argued that data processing should only present a significant risk under the law if it could have a "legal or similarly significant effect" on people.

Tech companies have been fighting to shape California privacy law for years now, beginning with negotiations over the California Consumer Privacy Act in 2018. That work continued when Alastair Mactaggart, the driving force behind CCPA, decided to take another stab at the law and put CPRA forward as a ballot initiative in 2020 following a frenzied consultation process with large tech companies, privacy advocates and other business and consumer groups.

The passage of CPRA all but guaranteed a new round of jockeying among businesses and watchdogs, given the amount of discretion it gives to the new privacy agency. The new head of that agency, Ashkan Soltani, is no stranger to these debates: Soltani is a former chief technologist for the FTC and worked closely with Mactaggart during the development of both CCPA and CPRA. "California is leading the way when it comes to privacy rights and I'm honored to be able to serve its residents," Soltani said when he took the job. "I am eager to get to work to help build the agency's team and begin doing the work required by CCPA and the CPRA."

In addition to soliciting feedback, the agency will also hold informational hearings on these topics and others before beginning its formal rule-making process.


