The day the California Consumer Privacy Act of 2018 was passed, Alastair Mactaggart's kids, ages 7, 6 and 4, got ice cream for dessert. On a weeknight. 

That never happens. Dessert is only for weekends in Mactaggart's Bay Area home. But this was a really big deal. A landmark privacy bill had passed California's legislature, one that never would have passed without a grassroots effort by three obscure civilians, Mactaggart as financier, who felt it was time consumers had more control over their own data. 

But, depending on who you ask, the ice cream celebrations could have been premature. 

Late last week, legislators in California published their agreed technical amendments to the California Consumer Privacy Act of 2018, aka AB 375. It's the first round of changes to the controversial law in what's sure to be a very long list in the end. But everyone involved in getting the legislation to the governor's desk knew that would happen. It was the trade-off friends Mary Stone Ross, Alastair Mactaggart and Rick Arny faced when they decided in June to pull their ballot initiative from the table and allow it to be replaced with a similar bill, which would pass through California's legislature unanimously.  

The question now is how much of the law will change between now and when its effectuated in 2020 — especially given an Aug. 6 letter written to Sen. Bill Dodd by more than 30 industry groups asking for "immediate" and significant "clean up" to AB 375 — and whether the trio of Bay Area civilians who led the charge will look back at their decision to pull the initiative with satisfaction or regret. 

To hear Alastair Mactaggart talk about it, his team did the right thing. Speaking over the phone from his vacation spot in the U.K. around midnight on a recent summer night, careful not to wake his sleeping children, Mactaggart's voice is soft but unwavering. He, the real-estate-mogul-turned-privacy-activist, did the right thing.

"I actually like where it ended up. I actually prefer it," he said of AB 375. "From my perspective, this is part of a process. Is it a risk? Sure, it’s a risk, but it’s ... a fast-moving area. And I do think it’s more appropriate to pass laws to regulate this area. And sure, [the legislature] never would have done it without the threat of this initiative. But now that it’s there, I’m willing to take a risk and see what happens."

But Ross, an attorney and Mactaggart's legislative co-author, isn't so sure they did the right thing. It's clear the decision to put the measure through the legislative process rather than send it straight to the California voters didn't have everyone on board. But they made a pact early on in the process, and it would, in the end, be the tiebreaker. 

Ross met Mactaggart socially, through her husband, upon their move from Washington to the Bay Area. But she first became interested in privacy during her time as an intelligence analyst for the Central Intelligence Agency and, before that, as a staffer for the U.S. House of Representative's committee on intelligence. It was she who did the heavy lifting of drafting the bill's initial language, and she's disappointed in how some of it was modified in the end. 

"I’m glad something got through. But I’m just very apprehensive about what’s going to happen next," she said. "These companies are very powerful and they have a lot of money."

Private right of action was a deal breaker

The decision to pull the ballot initiative came down to the wire, with just hours to spare before the state's deadline. But in the end, the industry groups who'd launched a financially mighty campaign against the initiative, The Committee To Protect California Jobs, which raised more than $2 million to fight it, were scared enough of its success that they agreed to work with Sen. Bob Hertzberg, who Mactaggart calls "an absolute force of nature," and Assemblyman Ed Chau to draft something the initiative's authors could live with in order to get the ballot initiative off the table. 

What really had industry scared, it seems, was the private right of action provision contained within the initiative, which would have allowed plaintiffs to sue for $1,000 per violation. 

"I think every single industry person I ever talked to, many of them said some version of the following, 'We don’t mind most of what you’ve written; we hate your private right of action,'" Mactaggart recalled. 

"Am I heartbroken I don’t have private right of action? Of course not," Mactaggart said. "I think of them as a tool to make sure enforcement happens. This is the first law of this kind of significance in the country where the violation is the harm. Previously, in all privacy legislation you had to prove your damages. And in this law, regardless if it's the AG or a private right of action, it's a huge departure."

Ross said the team knew it would always face intense pressure from industry on that, which is why it built in strong provisions on the state attorney general's role, as a precaution. The AG, under AB 375, will be the law's primary enforcer, has rule-making authority, and will serve to advise companies on compliance, among other tasks.

In the end, the trio agreed to modify the private right of action to only apply to data breaches, versus violations of the law at large, "as long as there was strict AG enforcement and they had funds to enforce the legislation."

Negotiating with tech giants ain't easy

Hertzberg said his approach in communicating with Silicon Valley was to start with the initiative's text and go from there. He and Chau "presented it to stakeholders, asking them: 'Where would you change this? What could you live with? What would make you walk away from a deal?'"

And while it seemed to outsiders the bill's legislative process was incredibly fast moving, it had been in the works for some time.

"Although the time between the bill going into print and passing both houses was short, the process of negotiating, drafting language, perfecting and emailing back and forth, in fact, took place over a number of months," Hertzberg said.

Chris Hoofnagle, a privacy law professor at University of California, Berkeley, was recruited early on in the process to consult on the ballot initiative. He says much of the hype about the frenetic pace at which the bill was conceived is just that: hype. 

"I think some of the 'it got negotiated in 72 hours' messaging is a bunch of D.C. lawyers who didn’t pay attention and who are sore for lacking a seat at the table," he said. "But I also think that many of the D.C. lawyers lack authority to actually negotiate terms. Their role instead is to put anti-regulatory arguments on auto-repeat. This means that there is a principal-agent problem. One gets a very different negotiation when speaking to companies’ in-house lawyers and technologists."

In that way, this process was much more organic. 

"What ended up happening is I took our initiative and I got back text from the legislature, and I basically, with our attorney, redlined what we were willing to accept," Mactaggart explained. "I sent that back to those guys, and that’s how we did it. I didn’t want to start negotiating with a whole bunch of tech companies, so it was me negotiating with the legislature." 

While companies looking to start operational compliance on the CCPA resent its to-be-filled-in blanks, Hoofnagle said those gaps are largely why the bill made it through California legislature. 

"Because the leadership has promised clean-up amendments, I think everyone was on board voting yes. It gives them a rhetorical posture of 'Hey I voted for this, but I think it needs fixing,'" he said. 

Additionally, passing the law allowed the government to take some agency back.

"The legislature hates the ballot initiative because it commandeers legislators’ power and because fixes take such a large majority," Hoofnagle said, noting changes to initiatives require two-thirds votes from both houses of the legislature. "But in a large sense that is the point. Ballot initiatives came about because of the hammerlock the robber barons had on legislatures; the process is a product of the progressive-era reform of lawmaking. Today, Silicon Valley has the state legislature in a headlock, and for years, no consequential consumer privacy law has passed. The legislators are addicted to tech money and were willing to vote for the bill on command of the leadership."

And that's exactly what Ross laments. There's no longer an incentive for lawmakers and the lobbyists breathing down their backs to acquiesce to the most privacy-protective provisions. 

"AB 375 as it’s written, it doesn’t go nearly as far as the initiative," Ross said. "It does do a lot to protect consumer’s privacy, but the problem right now is kind of, when we were negotiating over AB 375, we had the hammer of the initiative. But now that hammer isn’t there."

A compromise

Ross didn't like the way the campaign ended. She saw trouble ahead. But it was two against one. And so, during a heated phone call among Mactaggart, Arny and herself in late June, she relented. The three had made a promise, in writing. 

"I didn’t want to pull it," she said. "But I agreed, it was in the bylaws, that if I was outvoted I would sign the letter to pull the initiative. We always said if we got 90 percent of what we wanted to, it would be done through the legislature."

So she'd made her own bed and had to lie in it. But what scares her now is the bill's vagueness. Even without the ways in which she fears the bill will be watered down from now until 2020, she's already disappointed with some of the language. 

"It wasn’t just the private right of action that was eliminated," Ross said. "It was things fundamental, in my view, to an effective piece of privacy legislation." 

For example, the definitions. In the initiative, the definition of a data sale included the sharing of consumer data for third-parties' commercial purposes. "And in AB 375, it’s just a very traditional definition of 'sell,'" Ross said. "The problem is most of these companies aren't selling this information, they're just sharing it, so that doesn’t stop a lot of bad behavior."

But Mactaggart is more optimistic. 

"The way it is right now I don’t think its’ at all weaker than the initiative. I’m operating on behalf of the fact that if there's an attempt to gut the thing, there’s gonna be a cry from privacy advocates," he said. The Democrats control the California House, for now, so, "I think we’ll be able to fight back on the egregious stuff. At some point, you just take a risk. This was a risk I was willing to live with."

Despite Ross's disappointment, she'd do it all over again.

"It’s very powerful, the initiative process," she said. "Three people could change privacy law in the United States. It was kind of the perfect use of the initiative process. Tech companies and telecom companies have so much money that they were very effectively able to lobby against any regulation both at the state and at the national level. Here, we took the lobbying out of it. We took away their power. And that’s the thing, if you don’t want anything from them, or you’re not depending on them for campaign contributions, it levels the playing field." 

Mactaggart has similar reflections on what it means to push a citizen's initiative through the democratic process, especially a cause like privacy.

"Everyone calls me a privacy advocate, and I guess maybe I am. But it feels to me this is a really important area for the future of our society to focus on if you think about privacy with respect to democracy," he said. "I don’t want to sound like a total kook here, but I also think there's a really fundamental direction for our society. If you look at how much power is being concentrated in a relatively few number of hands, there are potential consequences." 

He did what he could, and if, in the end, it means nothing? Well, he tried. 

"If the feds come along and pre-empt this with some kind of innocuous piece of legislation, a whitewash legislation that removes any consequences, well fine," he said. "I’m still kind of pinching myself saying, 'I can’t believe this actually happened.'"

photo credit: davidyuweb San Francisco Morning Fog via photopin (license)