A California ballot initiative currently gaining momentum through the legislative process has some saying it has the potential to cripple business across the U.S. and would have ramifications, unintended or not, far more reaching than the European Union's newly enacted and expansive data protection law, the General Data Protection Regulation. 

The proposal comes from an unlikely candidate: a real estate mogul based in San Francisco. Alastair Mactaggart was casually talking to an engineer at Google at a social event and said something like, “Hey, should we be worried about privacy?” 

The engineer’s response startled him.

“If you ever talk to a commercial pilot [about the danger of flying] and the pilot is like, ‘Ah, you’re at the airport, the most dangerous part is over,'” was the kind of response Mactaggart expected. Like: Everything is under control! But the engineer told him nothing of the kind. In fact, he told him that if consumers knew the kind of information companies had about them, they'd be worried.

That got Mactaggart thinking: “You should be able to stop companies from selling your information.”

Two years later, and with the help of a couple of savvy friends, Mactaggart has put up a reported $2 million to fund a ballot initiative that has the potential to rock the online marketplace yet again. And, as he told The Privacy Advisor, it's an initiative he's putting faith in the California voters to push through.

The initiative

At a high level, the initiative, officially called the “California Consumer Privacy Act of 2018,” aims to give consumers the right to control the data collected and sold about them by companies, including the choice to opt out of the sale of that data. It would allow California consumers the right to know what categories of personal data that has been collected about them, and their children, within 45 days of such a request; provide the right to know to whom that data has been sold or disclosed; provide the right to tell a business to stop selling that information; and it would prevent businesses from treating consumers who opt out of such sales differently, in terms of pricing or service denial. 

It would also require businesses, both online and brick-and-mortar, to include a “clear and conspicuous link on the business’s homepage” that says, “Do not sell my personal information.” A California business captured by the law is one that collects consumers' personal information and whose gross annual revenue exceeds $50,000,000; sells the personal information of 100,000 or more consumers or devices; or makes 50 percent or more of annual revenue via selling personal information. 

So, a lot of the businesses that have made the internet what it is today. 

And that has some folks very concerned about the operational impact that could have. Specifically, critics are concerned with the new expansive restrictions on data sharing and data selling, the extreme penalties for data breaches, and a broader definition of personal information than even the GDPR follows. 

Leigh Freund, president and CEO at the NAI, said she’s very concerned with the way in which the initiative could re-write California data protection law, specifically the impact it could have on advertising models. She says it would be far more burdensome than the GDPR, and that many companies still don’t see what’s coming:

“Many folks have been focused on the GDPR up until two weeks ago, and this kind of snuck up on everybody, like ‘Wait a second, woah, right here in our backyard this has been percolating.'”

Freund said the ad tech industry’s best practices follow that as the sensitivity of the data increases, so do the restrictions around the use of that data. It's that risk-based approach you hear about so often with the GDPR. But under the California initiative, “all this information that we would have considered as personal information is all lumped into one bucket … This makes it impossible for us to distinguish between someone’s email address and an anonymized ping from a cellphone that includes geolocation and any inferences derived from it. The GDPR’s definition of personal information is quite broad, but this takes it one step further,” she said. 

She’s also concerned about the initiative’s allowance for a private right of action over data breaches, damages for which could include $1,000 per violation per person.

“So a small data breach of 100,000 records with any of the defined personal information could mean 100 million dollars for a company. That’s a boon for trial lawyers, and there are some significant penalties for things that don’t give any consideration to whether consumers are actually harmed,” she said.

That’s because under the provision, a violation itself constitutes injury.

“So you can see how trial lawyers are sort of salivating on this," she said, "and that represents a big threat, and it definitely represents a threat to smaller companies. Maybe bigger companies we all know have the funds for this, but smaller companies do not.”

But Justin Brookman of Consumers Union, which supports the initiative, said that’s not really how things work. He points to U.S. Federal Trade Commission and attorneys general settlements. 

“[They] can also get thousands of dollars per instance," he said. "There are already statutes out there that have really high fines. But in practice, there’s always been some proportionality. Constitutionally, the Eighth Amendment limits overly high fines, so, a court would not necessarily uphold a 500 million penalty for a small business who made a bad choice.” 

More than that, Brookman says this law is needed generally because consumers should have more expansive rights than they're currently afforded. It shouldn't be assumed that because a consumer does business with a company, that their data is then fair game to a host of others for uses unknown. He said ideally privacy policies would be covered by federal law, anyway. But this California bill is a step in the right direction.

But, like Freund, Christin McMeley, CIPP/US, an attorney at Davis Wright Tremaine, is concerned about the impact on business. While Mactaggart says, “I’m a business guy, I have zero interest in doing something that has bad, unintended consequences. If you have an IT professional who’s at least kind of showing up in the morning, you really should be able to do this with zero additional cost,” McMeley thinks differently. She said businesses are going to have to redesign their infrastructures completely to comply with the proposal, should it become law, and that mapping and tracking consumer data at the granular level the proposal would require — especially given the proposal’s broad definition of personal data, but also the data going to third-party service providers — is going to be a heavy lift. 

“I think a lot of companies enter into agreements for a company to do a particular service that restrict the company from doing anything more with the data other than the services contracted, and they are going to have to go in and track all of that information. In a world where all of these small online businesses are doing so much outsourcing, that’s a whole different level of compliance,” she said.

But Mactaggart counters that his law is less restrictive than what companies are already working to comply with given European data protection law. While the GDPR requires companies to disclose to data subjects the actual data being collected on them, his simply calls for the categories of information collected. He says that was partly for reasons of preventing identity theft liability in which someone requests data purporting to be the data subject in order to steal the data and the administrative burden it would place to companies to verify the identities of data subjects. But also, he’s not super concerned about the cost of compliance here. 

“These companies have the smartest behavioral scientists in the world working on this stuff, and I feel like for the big brand names, it’s just going to be a speed bump,” he said. 

The process is a problem

Besides the provisions themselves, Freund is also concerned with the process: Because it’s a ballot initiative and not a piece of legislation, the normal review processes — in which input is solicited by industry, academics, advocates, etc. — do not exist here. The language of the initiative can’t be changed or amended unless 70 percent of both the state’s House and Senate vote to do so, and Freund said legislators are “very hesitant to change [a ballot initiative’s language] because it does represent the voices of the people.”

But Brookman said that's an advantage of the ballot initiative process: It's more lobby proof. 

"That's good and bad. Sometimes lobbying is helpful because you can hear the kinds of things of why it's a bad idea. But also, when they get an army of lobbyists coming in and it's tied to funding, that's led to weakening and killing a lot of privacy legislation," he said. "Alastair [Mactaggart] tried to be thoughtful about not breaking the internet but saying, 'At the end of the day, we should be able to stop companies from selling our data.' Which seems fair." 

At the time of writing, the initiative had 639,000 signatures, well above the 366,000 it needs to make to it the ballot, assuming the signatures are certified as valid. So the only way it wouldn’t survive making it to the ballot is if the California legislature introduced a bill Mactaggart felt was sufficient enough to make his proposal moot. But that doesn’t seem likely, and time is running short. 

“I have to tell you right now I’m not holding my breath,” Mactaggart said. “I feel as a citizen I should be willing to do that if they pass the law, but … I’ve heard this … ‘Do not get yourself in a position where they pass a bill with two hours to go before deadline, because they’ll stick in amendments and you don’t know what hit you.’”

Opt-out is not the default

Brookman cites an important provision of Mactaggart’s bill, one that companies would surely like to see an amendment on: the requirement that companies don’t treat differently consumers who opt out of having their data sold. 

"That's something a lot of companies already offer. Pretty universally, everyone says, 'We have an opt-out, so we're cool.' This is not a universal, global opt-out like do not track, but it still makes it a little more easy to say, 'Hey, we have a relationship, but as part of that I don't expect you to then sell data about me to someone else who I don't know.'" 

Mactaggart said, “What was pretty clear to us was that if you don’t have something addressing pricing discrimination, the big companies will certainly coerce the consumers into the sale of their information.”

Will this catch on more broadly in the US?

As for the broader implications, Mactaggart says he hopes the bill will catch fire and inspire similar bills in other states or even federally, as Brookman does. That said, he’s up against some steep competition, with Amazon, Microsoft and Uber already making contributions to lobby against the bill totaling $445,000, plus financial efforts by the NAI and others. Facebook and Verizon recently stopped publicly opposing the initiative, though not financially. Mactaggart said he's heard estimates that he's got about a combined $100 million of lobbying dollars up against him. 

“At some point you can only spend so much money,” he said. “My thing has got to be and has always been, 'The California voters are going to see through this stuff.’ From day one, I never would have put my money into this if I didn’t believe that. I still believe in the power of California voters.”

But Freund is hoping something changes. While the NAI was founded on the idea of consumer transparency, she doesn't think this particular proposal is the solution. 

“With these bigger tech companies, to treat Californians differently is more difficult from a technology standpoint, so this is a much bigger consideration from Californians alone,” she said. “Companies that think they’re GDPR compliant and therefore will be compliant under the California law are greatly mistaken. This is a far more all-encompassing initiative.”

photo credit: Veselina Dzhingarova via photopin