SAN FRANCISCO — California is embarking on a new era of privacy on the internet, and Xavier Becerra can’t stop thinking about the failed debut of Obamacare.
Back in 2013, Becerra, then a Democratic congressman from Los Angeles, watched as technical problems with the website marred the rollout of President Barack Obama’s signature law, delaying sign-ups for health insurance and denting the public’s faith in the new offering.
Now, as California’s attorney general, Becerra is worried that a similarly halting start awaits the California Consumer Privacy Act, a far-reaching law that would put some of the world's strictest rules on how tech companies — many of which call the state home — handle and collect user data.
The rest of the country is watching closely. No other state has attempted such an ambitious privacy law, and since before the dawn of the internet, Congress hasn’t either.
The law has numerous parts. It forces companies to reveal what data they collect. It gives users the right to delete that data and prevent its sale. And it will likely restrict how data can be used for online ads.
Becerra, whose office will be responsible for enforcing the law when it goes into effect Jan. 1, 2020, said he might not have enough staff to carry out the job, and that as a result the law could collapse under its own weight.
“I don’t think you ever want to give people a reason to believe that you hoodwinked them,” Becerra said in an interview. “Think back to the launch of the Affordable Care Act’s website. That really depressed people’s belief that this was going to work.”
The tension around California’s law, which passed in June 2018, comes amid growing public and political agreement that the big consumer tech companies, now global powers with valuable data on billions of users, require more oversight. But how to regulate and who should enforce new rules remain open questions. The European Union’s General Data Protection Regulation, or GDPR, which took effect last year and was seen as a landmark for privacy protection, has so far resulted in few tangible gains for consumers.
California’s law goes well beyond requiring pop-up notifications on websites, an annoyance that became synonymous with GDPR. The European law and the pop-ups that followed were intended to inform consumers what data would be collected and ask their consent.
California is going several steps further, giving people a clear opportunity to opt out of the sale of their data, in addition to letting them know what a company like Google knows about them. With 40 million California residents, that could be a lot of requests, if companies comply.
Already, a scramble is on among lobbyists, advocacy groups and politicians to try to ensure the California law will work, and lawmakers in Sacramento have weighed scores of proposed amendments to refine or rewrite parts of the law. Lobbyists for tech companies are looking to blunt the law’s impact, while privacy advocates want to add to it, so the law’s future — including how it will be enforced — is still unclear.
The outcome could have far-reaching consequences. Consumer advocates say the law could meaningfully improve online privacy without losing what people like best about the internet. Industry experts, however, warn that if the law is watered down before it takes effect, companies will find ways around the requirements — or even cut free, ad-supported service.
“I think we can help set the standard for the nation,” said California Assembly member James Gallagher, a Republican from Yuba City in Northern California and a supporter of the law. “I think mostly the tech world is, on the surface, asking for some clarification and changes to the law that they feel are gray areas for companies to figure out how or whether they need to comply.”
“But I have a skeptical eye,” Gallagher added. “Look, I want to make sure that whatever is being proposed as a cleanup measure isn’t a gaping hole.”
‘Do not sell’ signs
The law also has a broad definition of what is meant by “sell.” It covers numerous other broad-strokes actions including “disclosing, disseminating, making available, transferring” personal data, and more. Many large companies, notably Facebook, insist that they do not sell user data, instead serving as a kind of all-knowing intermediary that tries to pair up advertisers and consumers with complicated targeting algorithms.
Sales of data aside, companies will be required to proactively explain their practices in handling user data, explain consumers’ rights and list the categories of personal information that the company has collected, disclosed or sold within the previous year.
The law is intended to target only large businesses, defined as having annual gross revenues in excess of $25 million, or having received personal information for 50,000 consumers. In short, Facebook would be affected, but probably not most startups, depending on the details of their business.
Proponents believe that California, as the most populous state in the nation, will set a standard for companies operating nationwide, because companies will not want to make different versions of their websites and related online services for different states.
At least nine other states, including North Dakota and Hawaii, are now considering their own versions of the California law.
Federal legislation that might override California’s law has so far failed to materialize. Some Democrats in Congress say they’ll oppose any federal bill that stops short of the protections in California’s law.
Businesses have a simple way to make nationwide compliance easy, said Alastair Mactaggart, a real estate developer who spearheaded the California law’s creation: give all Americans the same rights as Californians.
“This is a made-in-tech-world problem to foment fear,” Mactaggart said. Tech companies “could make it go away by saying that they're going to extend California rights for everybody.”
Some of the provisions in the law have been criticized as too broad or vague, such as one that appears to prohibit the personalized pricing of goods and services and then later allows the practice.
“The bill looks like philosophy, and when a company implements, it doesn’t make any sense,” said Stu Ingis, a lawyer working with Privacy for America, a coalition of advertising industry trade groups. Ingis called the law “sloppy” and “not well-drafted.”
Lawyers, lobbyists and technology experts are attacking the law from all sides, hoping to make industry-friendly changes before it takes effect. The law was passed last June on an expedited schedule to head off a ballot initiative in November.
Becerra and a group of privacy advocates want to add a provision granting consumers the right to sue if, for example, a company ignores a person’s demand to opt out of data sales. The idea is to complement the state’s own enforcement efforts, with civil litigation serving to deter violations of the law.
The California Chamber of Commerce, a business lobby group, has said it thinks giving consumers the right to sue would primarily benefit trial lawyers. It “will not only hurt and possibly bankrupt small businesses in the state, it will kill jobs and innovation,” the Chamber said in a statement.
Many tech companies and their lobbying firms have complained that varying state laws make for an inconsistent playing field and make compliance difficult.
The Internet Association, which counts among its members some of Silicon Valley’s biggest firms, including Google, Amazon and Facebook, said in a statement that the tech sector wants to “ensure that California residents have meaningful privacy protections” under one federal law, “not a patchwork of state laws.”
Their lobbying efforts could be effective.
“Silicon Valley has a lot of power,” Justin Brookman, director of tech policy at Consumer Reports, and a former Federal Trade Commission attorney, said in an interview.
“I’m hopeful that it won’t be meaningfully weakened,” he added. “Do I feel confident that it won’t be? No.”
There’s also a small army of lobbyists and lawyers pushing to scale back or narrow the law for specific sectors of the economy. The airline industry, for example, says it’s already regulated by federal transportation agencies, whose power supersedes that of states, while insurance companies say they’re already covered by an existing state law just for them. Automakers are seeking a carve-out, saying the law would hamper their supply chain and complicate dealer services.
Bills to amend the privacy law must pass both houses of the state legislature by September, making the next four months critical in determining how it looks.
But even then, businesses and privacy advocates are trying to change things. Becerra’s office is scheduled this fall to release its detailed rules for enforcing the law, and already it has received 1,305 pages of comments about what it should do, many of them from corporate lawyers.
Changing the ads people see
The California bill’s rules on digital advertising and user tracking have the chance to change the internet and California’s major tech companies, most notably Google and Facebook, which make billions by showing ads online.
User tracking tends to be most apparent when pervasive digital ads leave users with the feeling that ads are following them around, from website to app and back again.
The California law threatens those types of ads by disallowing what the industry calls “third-party behavioral profiling.” If a person reads an article on a news website about the Oakland Athletics, the company behind that website would be able to use that information to advertise about baseball on its own site. But if that person goes to a different website, the initial website cannot transfer behavioral data to the next website to enable more ads from Major League Baseball.
It is not clear, though, how the ad industry will respond in practice, said Ashkan Soltani, a privacy researcher in Oakland and former technologist with the Federal Trade Commission who worked closely on drafting the California law.
“It's a threat because everyone relies on that ecosystem rather than finding alternative ways to monetize,” he said. “The ad technology is a cheap and easy fuel for everyone to use, even though it has a lot of externalities.”
Marla Kaplowitz, CEO of the American Association of Advertising Agencies, a trade group, said in a statement that advertisers want to be sure to preserve certain benefits that require the use of data, such as corporate loyalty programs, as well as “ready access to the wide variety of freely accessible content” on the internet.
Where no state has gone before
The California law may change by the time it goes into effect in less than eight months, and for privacy advocates, there is a hopeful takeaway from Obamacare: Despite its rough technical start, the health care program signed up millions of people for health insurance in its first few months, and has become more popular over the years.
Becerra said he’s determined to try to meet the expectations of people this time around on privacy.
Californians are “being told now they have rights,” Becerra said. “When they come to me, and if I can’t say to them, ‘We’re ready. We’re going to take this on,’ they’re going to get demoralized. They’re going to lose faith.”
Though it would mean less power for his office, Becerra said he hasn’t ruled out the idea of a whole new agency to enforce the law in California, similar to the “data protection authorities” that European governments have had for decades.
“Whatever makes it work,” he said. “You don’t want to have a launch that gives people a reason to lose faith.”
There are other ideas for how to broaden enforcement. Mary Stone Ross, a lawyer and former CIA officer who helped write a ballot initiative that became the California law, has pushed Becerra to allow consumers to authorize a third party, such as a nonprofit, to opt out of the sale of their personal information on their behalf, rather than requiring them to do so themselves. She has also suggested letting district attorneys or city attorneys help enforce the law.
To Becerra, who grew up watching “Star Trek,” the implementation of the law reminds him of his favorite fictional starship hurtling through space.
“This is the Enterprise,” he said. “We’re going where no man or woman has gone before.”
CORRECTION (May 13, 2019, 3:44 p.m. ET): An earlier version of this article misstated in a photo caption the year Becerra was photographed. It was 2018, not 2019.