Enacted in 2018 over the vigorous objections of Silicon Valley tech giants, California’s first-in-the-nation online privacy law took effect Jan. 1, 2020. But with the staff of state Attorney General Xavier Becerra still far short of finalizing an enforcement framework, it’s unclear what effect the California Consumer Privacy Act will have in the short term.

The law’s most important provisions appear straightforward. Californians can ask companies which collect information online what information they have on them. Companies must delete this information upon request. Websites with third-party trackers must make it easy for consumers to opt out of having their information sold by having a visible button allowing them to quickly do so on their home pages.

But echoing the warnings of the California Chamber of Commerce, there’s confusion on how much information companies can retain on their customers – as opposed to information on those who have visited websites or use phone applications. There are also questions about what constitutes the sort of data that consumers should be able to control.

Facebook, Google have different view of law’s scope

“Companies have different interpretations, and depending on which lawyer they are using, they’re going to get different advice,” privacy software executive Kabir Barday told the New York Times.

This is plain in the contrasting plans of California’s two most high-profile tech firms.

Facebook told advertisers in early December that it had no plans to change data-collection policies because it doesn’t believe that “routine data transfers” about consumers fit the definition of selling data contained in the California law, according to a Wall Street Journal report.

Google, however, has put up a website that says the company welcomes the California law and will fully adhere to its intent of letting consumers control their personal data. The company is telling advertisers that consumer data can only be used for fraud detection or to measure online views of ads – and never to try to ascertain the buying habits or product searches of individuals.

Meanwhile, the Experian credit-reporting service told Becerra’s office that it strongly objected to having to provide consumers with “internally generated data” about them, arguing that such information is proprietary and isn’t akin to snooping on individuals’ online search habits and histories.

The Evite company that lets people send out personalized online invitations to parties or events has taken a different tack: using its privacy policy page to make the case to users that the information it collects is used in benign ways that benefit users and improves the services Evite offers.

The law does not apply to businesses with annual revenue of less than $25 million that do not buy or sell personal information on at least 50,000 people a year.

Becerra expects to have guidelines finished by summer

Becerra issued draft guidelines for how the law would be implemented in October. His office is now evaluating the complaints and comments it got from privacy activists, affected companies and others. The goal is to have the regulations in place by the middle of the year.

A key question going forward is how hard Becerra will come down on the 100-plus “data broker” firms in the U.S. which accumulate and sell the most personal of information yet have managed to escape much attention. An investigation posted by the Fast Company media website last March detailed how “if you use a smartphone or a credit card, it’s not difficult for a company to determine if you’ve just gone through a break-up, if you’re pregnant or trying to lose weight, whether you’re an extrovert [and] what medicine you take.” Jewelry sellers, for example, can get customized lists of which consumers have a history of buying expensive gifts on Valentine’s Day.

The firms’ ability to provide such detailed, specific information could be widely curtailed if enough consumers opt out of sharing their personal information – at least if they’re based in California or a state or nation with similar rules. But since such data mining can be done about Americans by companies based in nations with no such rules, it’s certain to continue. A likely future policy fight is over whether California companies should be banned from obtaining such personal information from firms that don’t honor online privacy laws like the Golden State’s.

With the California Legislature in the final three weeks of its session, big tech companies and business lobbies have so far had little success in getting changes to the California Consumer Privacy Act. The landmark online privacy law – enacted in summer 2018 – takes effect Jan. 1, 2020.

The law parallels a sweeping measure adopted by the European Union that took effect in May 2018. It gives consumers the right to know who is collecting what data on them from their online browsing and provides them the choice of opting out from collection.

Defenders of the state law say the reason it has been targeted so vigorously is because tech firms know that California often influences what other states or even Congress does. These companies prefer the present anything-goes data accumulation landscape allowed under federal law. The Golden State law did appear to inspire 24 states to consider online privacy laws this year, according to Pew’s Stateline research site, though few have been enacted so far.

Critics: Flaws will hurt bottom lines, customers

But critics say they are going after the law because it is poorly crafted and could both drive companies out of business and reduce the ways that online information gathering actually helps consumers by connecting them to goods and services they are likely to want. Among the criticisms offered by the California Chamber of Commerce and the state chapter of the National Federation of Independent Business:

• The limits put on what “personal information” can be gathered are so broadly written that they apply to broad swaths of information that can’t be linked to individuals but that can help businesses develop marketing strategies.

• The provision banning businesses from the sale of information gathered online is so broad it will make it difficult for businesses to use information that it has gathered directly and legitimately from use of their websites to determine what customized content to provide customers.

Legislation that would address these concerns has not advanced. 

Local agencies fear effect on public health, tax collection

The Bay Area News Group also reported on the failure of a bill that would have allowed government agencies to have access to consumer information for a variety of priorities, including helping government officials “to collect child support, find people exposed to infectious diseases, locate foster children’s family members, determine social service eligibility, and collect delinquent taxes and judgments.”

One measure – Assembly Bill 25 by Assemblyman Ed Chau, D-Monterey Park – has made progress. It would make clear that the law doesn’t cover employees acting within the scope of their basic job duties. As a co-sponsor of the original law, Chau had more credibility than some of the lawmakers’ who appeared to be proposing changes at the tech industry’s behest.

AB25 passed the Assembly on a 77-0 vote in May and an amended version was approved by the Senate Judiciary Committee on an 8-0 vote last month. But it has not been considered by the Senate Appropriations Committee since its referral.

Dramatic late-session moves could resurrect some of the more controversial bills seeking to narrow the Consumer Privacy Act. But an official with the Electronic Frontier Foundation told the Bay Area News Group that come Jan. 1, the foundation expected that “the same bill [adopted last year] goes into effect.”

Why focus is likely to shift from Sacramento to Albany

The tech companies and lobbying groups could soon shift their attention from California, the richest state in terms of GDP, to New York, the third richest.

In 2020, lawmakers there are expected to consider perhaps the most far-reaching online privacy law in the world. One likely provision would make it a “fiduciary duty” for companies to use the data they accumulate in ways that advance the customer’s best interests. Depending on how this is interpreted, this could mean the end of the present model of micro-targeting of consumers through information gained from their online searches and activity – at least in New York state.

A far-reaching online privacy bill that got next-to-no vetting or legislative debate was

Assembly Bill 375 – the California Consumer Privacy Act of 2018 – would change the playing field in the relationship between users of some online services and the companies that provide the services. It would allow users to ask companies to delete their personal information and to be informed what information about them that the companies were collecting and selling. It would also allow online consumers to sue over some unauthorized breaches of their information – but only for up to $750.

The San Francisco developer who reportedly spent more than $3 million to gather signatures for his ballot measure told the Sacramento Bee that AB375 – while not as far-reaching as his proposal – was more than good enough. Alastair Mactaggart said he was willing to compromise and gain “certainty” of online privacy reforms rather than take on tech giants in a heavy spending free-for-all in the fall election. He pulled his initiative after AB375 was signed by Gov. Jerry Brown on Thursday afternoon – just before the deadline for its possible withdrawal with the Secretary of State’s Office. Brown’s signing came after the bill won unanimous approval from both the Assembly and Senate.

The process under which a measure that qualified for the ballot could be pulled if proponents were satisfied with the Legislature’s alternative was established in a 2014 state law that was billed as an important refinement to the state’s system of direct democracy. The bill was championed by then-Senate President pro Tem Darrell Steinberg, D-Sacramento.

The most important differences between Mactaggart’s proposal and AB375 is that it gives tech companies more certainty of their own that there would be legal limits on their exposure to damage claims from those using their services.

The bill quickly made it to Brown’s desk despite warning from key players.

Tech lobbyist: At least ‘even worse’ measure is dead

The Internet Association, a lobbying group for tech firms with significant online presence, issued a statement decrying “many problematic provisions” in the bill and “the unprecedented lack of debate or full legislative process.” But the association said it would not “obstruct or block AB375 … because it prevents the even worse ballot initiative from becoming law in California.”

The state Senate Judiciary Committee, which approved AB375 on Tuesday, did so even though chairwoman Hannah-Beth Jackson, D-Santa Barbara, expressed “grave, grave concerns about this legislation” to the San Francisco Chronicle. But she also praised its consumer-friendly elements, which take effect in 2020.

While California, as the nation’s largest and wealthiest state, often finds its policies emulated by other states, it’s not clear if AB375 will be copied in other capitals. Companies like Google, Amazon, Comcast and AT&T have steadily increased lobbying and campaign contributions in many states and may try to get what they consider model online privacy legislation passed elsewhere – so it could in theory compete with California’s version.

However, Facebook voiced its support for the state bill. “While not perfect, we support AB375 and look forward to working with policymakers on an approach that protects consumers and promotes responsible innovation,” a Facebook official told the Sacramento Bee.

The California Legislature is considering effectively restoring internet privacy regulations in America’s largest state that were adopted for the entire nation under the Obama administration but were repealed in April.

The measure by Assemblyman Ed Chau – Assembly Bill 375  – is meant to counter President Trump’s signing of a resolution passed by congressional Republicans allowing internet service providers to sell most of the information they have on customers’ browsing habits. Chau, a Monterey Park Democrat, would only allow such information to be sold after ISP customers “opt in.”

Large telecommunications firms like AT&T, Comcast, Sprint, T-Mobile and Verizon argue that it’s unfair that Google and Facebook are allowed to capitalize on the browsing histories of their users with targeted ads if the telecom firms don’t have the same rights. Chau joins privacy and consumer advocates in contending it’s wrong to equate how Google and Facebook pay the bills while offering popular free applications with internet service providers which generate tens of billions of dollars in monthly fees from their customers – companies which for years have been among the least popular businesses in the United States.

AB375 would also forbid ISPs from offering lower rates in return for being able to use browsing histories for marketing purposes and would mandate that ISP contracts be written in clear, plain language.

Chau gutted and amended the bill last month. In its original version, it was an uncontroversial measure related to video game arcades that won unanimous Assembly approval in May without a negative vote.

At the news conference unveiling the revised bill, it won the strong support of Richard Holober, executive director of the Consumer Federation of California: “It’s based on a simple demand of the people: Ask me first before you use or share my personal information,” he said, according to a Bay Area News Group report. Representatives of the ACLU and other civil liberties groups also praised the measure.

California hailed for privacy protections in 2015

But while the Bay Area News Group report cast Chau’s bill as reflecting California lawmakers hopes to be a key part of the “Resistance” movement opposing the Trump White House, it’s actually in keeping with the Golden State’s history. In 2015, Wired magazine wrote that California “now has the nation’s best digital privacy laws.”

Chau’s bill could prove popular with the public. In the wake of a series of hacking scandals, internet privacy appears to be an increasingly important priority for Americans. This was borne out by a Consumer Reports survey of 1,007 adults in April that found a steady erosion of confidence in government’s ability to protect their data privacy. Some 65 percent had no faith the government was up to the job – and 92 percent said their browsing histories should only be sold after they “opt in.”

The Los Angeles Times reported that California was the 20th state to consider adopting laws responding to the repeal of the Obama internet privacy rules. The article downplayed fears that this was an area where state law would be superseded by federal law because “communications law has traditionally allowed a division of responsibilities between the state and federal government,” according to a lawyer for the Electronic Frontier Foundation.