Recent headlines have suggested that California lawmakers are considering a bill that would give Californians “unprecedented control over their data.” This is true but that is not the whole story.
What’s really happening is that California lawmakers have 48 hours to pass such a bill or the policy shit is going to hit the direct democracy fan. Because if lawmakers in the California Senate and House don’t pass this bill Thursday morning, and if California governor Jerry Brown doesn’t sign this bill into law Thursday afternoon, a stronger version of it will be on the state ballot in November. Then the 17 million or so people who actually vote in California would decide for themselves whether they should have the right to force companies to stop selling their data out the back door. Polls predict they would vote yes, despite the claims of tech companies that passage of the law would lead to businesses fleeing California. And laws passed via the ballot initiative process, rather than the legislative process, are almost impossible to change, so California would likely have this one on its books for a very long time.
This, more than, say, an urgent need to address the data scandals that have dominated the tech industry so far this year, is why lawmakers are scrambling to get a bill passed. (A press secretary for Senator Bob Hertzberg, a sponsor of the bill, says that it’s happening at the last minute because it was a “long and tortured negotiating process” to come up with “an agreement that everybody 70% agrees with.”) It’s an absurd scenario out of Armando Iannucci, motivated more by arbitrary deadlines and the arcane mechanics of the legislative process than by a sudden passionate response to the kind of careless data practices that facilitated a foreign power’s interference in a presidential election.
How did we get here? It mostly has to do with one guy with a lot of money deciding he was willing to drop a few million dollars to make life harder for data brokers.
“I want to be able to go to Amazon and find out who they sold my information to,” Alastair MacTaggart told me earlier this year.
MacTaggart, a real estate developer in the San Francisco Bay Area, has spent $3 million to create and fund a campaign for the California Consumer Privacy Act, a law that would force companies to tell people what personal data they’re selling and stop if asked. The work of creating the ballot initiative started over two years ago. Over the last year, more than 600,000 Californians signed a petition in support of it—thanks to $1 million spent with signature-collection firms—and so MacTaggart now has the ability to put it on the ballot in November.
He just has to decide whether he wants to do it or not by June 28—this Thursday. Hence the scramble by lawmakers to pass a bill that will get him to drop the Act.
“If the bill passes before [Thursday], we will withdraw our initiative. If it doesn’t, we will proceed to the November election,” said MacTaggart in a statement. “We are content either way, as we feel that both the legislative solution, and our initiative, provide tremendously increased privacy rights to Californians.”
MacTaggart says that his interests in this are esoteric and that he’s never experienced a major privacy violation himself. He traces his desire to spend an obscene amount of money on privacy protections for his fellow citizens to a cocktail party conversation a few years ago with a guy from Google who told him that “if people knew how much we knew about them, they’d be really freaked out.”
Under both MacTaggart’s initiative and the lawmakers’ proposed bill, Californians could ask any large business they patronize—their grocery store, their pharmacy, their gym, their credit card company, their phone carrier, their car maintenance shop—what categories of information the business has collected about them and whether the business has sold that data to anyone; a response would be required within 45 days.
Contact the Special Projects Desk
This post was produced by the Special Projects Desk of Gizmodo Media. Reach our team by phone, text, Signal, or WhatsApp at (917) 999-6143, email us at tips@gizmodomedia.com, or contact us securely using SecureDrop.
A person taking advantage of this law might find out data brokers have access to surprising trails of their life: how often they buy ice cream, the medications they’re taking, where and how often they play games on their phone, or how many miles they’ve racked up on their car.
Beyond that new transparency, the passage of the law would mean that a citizen could tell these businesses they’re not allowed to sell that information anymore. Companies would be required to put a “clear and conspicuous link” on their website that says, “Do not sell my personal information.”
The tech industry hates the ballot initiative and has poured $2 million into an association, “The Committee to Protect California Jobs,” formed to fight it. Among those who have donated to the anti-privacy cause are Google, Facebook, Amazon, Verizon, Comcast, Cox Communications, AT&T, Microsoft, Uber, advertising associations, and industry groups for people who make and sell cars.
Car dealers don’t want to lose access to any bit of intel that tells them when someone might be ready to drop five-plus figures on a new set of wheels. As for the other companies, their opposition reveals the extent to which their business models depend on the free market for data. (Facebook withdrew from the Committee earlier this year, as the appearance of opposing new privacy legislation became unseemly in the wake of the Cambridge Analytica scandal.) MacTaggart says political consultants have told him that the Committee to Protect California Jobs would spend up to $100 million to try to kill the bill, an amount he wouldn’t be able to match.
It’s a classic David vs. Goliath scenario, except David is a multi-millionaire and Goliath is a consortium of the wealthiest companies that have ever existed. And it looks like David is going to be victorious once again, either by forcing lawmakers to pass a bill this week or by getting his law in front of voters in November.
During a rushed hearing about the bill on Tuesday, lawmakers lamented “the process” that was forcing them to hurriedly pass the bill.
“It’s a Hobson’s choice. Either we pass the bill or this goes to the ballot,” said California Senate Judiciary Committee chair Hannah-Beth Jackson. “If this initiative passes [via the ballot], we in the legislature would be helpless to do anything.”
The bill proposed by Senator Bob Hertzberg and Representative Edward Chau adopts much of the language from MacTaggart’s ballot initiative, though there are some key differences:
- The major one is how much it would cost companies who break the law. MacTaggart’s law would hit offending businesses with $1,000 to $7,500 in fines for unauthorized exposure of their information; the lawmakers’ bill would bring the fines down tenfold to $100-$750.
- The ballot initiative requires companies to tell you about any sharing or selling of your data while the bill specifies selling, which means that a company won’t have to tell you about data that gets passed around within their family of companies, and those families can be pretty big.
- The ballot initiative prohibits companies from charging you more for their services if you press that hypothetical new privacy button to stop the sale of your data. The bill says the same thing but then says that a company can offer “financial incentives” to those who let the company monetize their data, so it’s okay to charge some people more because they turned down the “incentives.”
- The ballot initiative requires companies to tell you exactly who they sold your data to; the lawmakers’ bill would just have them tell you the category of company to which they sold your data.
The bill is definitely weaker than the ballot initiative thanks to tech and business lobbyists, and if MacTaggart wanted to play hardball, he could still take his proposal to voters in November, but that would likely mean spending more millions on the campaign. The Committee To Protect California Jobs doesn’t have an official statement on the bill yet, though has called the ballot initiative “unworkable.” It “[requires] the internet in California to operate differently-limiting our choices, hurting our businesses, and cutting our connection to the global economy,” said its spokesperson Steven Maviglio in a statement.
California actually passed something similar to this bill in 2003, but without the threat of direct democracy hanging over its head, it became so watered down as to be ineffective. Called “Shine the Light,” it allows Californians to ask companies if they’ve given personal information to third parties and to request they stop doing that, but it only applies to data given away for marketing purposes (like when the magazine you subscribe to sells your address to charities, resulting in more junk mail coming your way). Incredibly, companies can opt out of complying with the transparency requirement of the law if they simply put a clause in their privacy policy to that effect.
“Shine the Light got watered down because the politicians were looking to score a headline with little attention paid to the actual outcome,” said Steve Peace, a former longtime California state senator as well as an Attack of the Killer Tomatoes writer/producer/actor who is now working on bringing the movie to the stage. “With politics, it’s often about branding more than what’s actually accomplished by the bill.”
In 2013, Peace tried to get a privacy law on the books through California’s ballot initiative process that would make it easier for people to sue when companies exposed their personal data. That was the first time the “Committee to Protect California Jobs” was activated, with Facebook, Google, Verizon, Acxiom, and a few banks donating almost $100,000 to the group. But Peace’s initiative was short-lived, and he dropped it after the legislative analyst projected huge costs to California if the law were passed.
The same year, Bonnie Lowenthal, then a California State Assembly member, tried to push a bill that would make it easier for people to find out what companies were doing with their information, but Silicon Valley “quietly killed” that one too; it never made it out of committee.
“It was a frustrating experience to come up to such a mountain of opposition from the tech industry,” said Commissioner Lowenthal by phone. “There’s a groundswell for privacy now that didn’t exist when I put my bill forward.”
The groundswell is certainly a factor, but privacy also needed a heavyweight in its corner who was willing to spend millions to hijack the legislative process. (Usually, the millions are stacked against privacy legislation.) MacTaggart grew up on the East Coast, went to Harvard Business School, and then embraced the family business of real estate development. He moved to San Francisco in 1996, in part because he knew the technology industry was about to explode and realized the people behind it were going to need somewhere to live. He specialized in condominiums, self storage units, and eventually, apartment buildings. In other words, MacTaggart’s ability to financially support a law detested by the tech industry is a result of that same tech industry’s insane growth over the past two decades, and the resulting Bay area housing boom.
His partners in crafting and pushing the law forward are Mary Ross, a former CIA analyst who worked as a lawyer for the House Intelligence Committee, and Rick Arney, a financial executive. They know each other because they all have kids that are around the same age, and they all have similar concerns about the one-sided power of the tech industry.
“There’s been a real awakening to the dark side of this industry,” said MacTaggart. “When massive amounts of power are concentrated in the hands of a small amount of people, it never ends well.”
If lawmakers don’t manage to get a bill on the books by Thursday, the tech industry will have four months to convince Californians to vote no on privacy. The Committee to Protect California Jobs has hired Gale Kaufman to do it; she’s a renowned consultant who helped get pro-marijuana legislation passed in California and was credited with “demolishing” Governor Schwarzenegger’s ambitious agenda in 2005. MacTaggart, meanwhile, has Robin Swanson running his campaign; she’s a protege of Kaufman’s so it would be like Abby Whelan going up against Olivia Pope in Scandal.
Swanson told me Kaufman would likely spend “ungodly amounts of money on TV ads”—her specialty—and use a variety of scare tactics, from emphasizing MacTaggart’s wealth and political naïveté to saying the bill could threaten public safety by making it harder for law enforcement to get the information it needs to track criminals. One of the bill’s critics said during a legislative hearing that it could threaten retailer loyalty programs, a fate surely worse than death.
The only propaganda from the “Vote No” campaign seen so far was a flier passed out at a Democratic event earlier this year. It tars MacTaggart as a multi-millionaire (true), says the bill would “jeopardize jobs and innovation” (maybe), and quotes the nonpartisan Legislative Analyst as saying the bill would “cost state and local governments ‘tens of millions of dollars’” (partially true; it omits the end of the quote, which says that the cost would be “offset by increased penalty revenue or settlement proceeds authorized by the measure”).
When I spoke to MacTaggart earlier this year, he wasn’t looking forward to the $100 million campaign that might be waged against him, which is why he may be amenable to a bill that’s weaker than what he could put on the ballot.
“I’m terrified. Not that I think anyone should feel sorry for me, but you get yourself into something and you worry what you’ve done,” MacTaggart said to me last month. “All the political people say they’re going to come after me personally. I’m a pretty private person. I think they’re going to portray me as a wealthy guy who doesn’t know what he’s doing.”
MacTaggart has come as close as anyone to getting a blockbuster privacy law passed in the United States. It could become a reality as soon as Thursday. He may not know what he’s doing, but he’s done it incredibly well.
Correction: This story originally stated that the bill did not require companies to tell people about information associated with their devices. That was incorrect.