The CA Legislature passed the California Consumer Privacy Act in a heated rush a year ago and just beat the clock for a planned statewide ballot initiative by a matter of hours. Consumer privacy advocates grumbled that the bill could be a bit better, industry groups promised to challenge it in 2019, and the one thing everyone agreed on was that some changes would happen. But on July 9th, the best efforts of the business lobby …. failed.

SF Chronicle: Fight To Change CA’s Landmark Privacy Law Fizzles

The first 2019 skirmishes happened when consumer advocates and the CA Attorney General tried to make CCPA, the only comprehensive consumer privacy law in the United States after the Republican congress rolled back FCC consumer privacy regulations in April of 2017, a bit stronger.

Assembly Bill 1760, authored by SF Bay Area assemblyperson Buffy Wicks, would have changed the CCPA protocol from “opt-out” to “opt-in”, a change recommended by most privacy experts since it shifts the burden from the consumer to take action to protect their personal information. AB 1760 did not even get a legislative hearing in the CA Assembly’s Privacy and Consumer Protection committee.

The Attorney General’s turn came when California’s top law enforcement official sponsored Senate Bill 561, which created a full private right of action (the ability to file a lawsuit) for every privacy right contained in the CCPA. SB 561, which would have open sourced the enforcement of the CCPA’s disclosure and consent requirements to all Californians, was stopped in the Senate’s Appropriations committee.

But industry was not done yet. It had introduced over a dozen bills to chip away at the privacy rights the new law promised to provide. Slowly, consumer and privacy advocates worked on each one, navigating amendments to blunt the brute force industry attack, but come July 9th, a little more than a year after CCPA’s passage, three significant bills that weakened privacy protections remained as threats.

Assembly Bill 1416 from Sacramento rep Ken Cooley, tried to exempt from consumer opt-out all data sales from private companies to any government agency carrying out any government program. Yeah, you heard that right. Any government agency carrying out any government program. Including ICE and including deportation. And on the bill’s list of supporters: Canadian multinational corporation Thomson Reuters, a million-dollar ICE data broker. Oakland Privacy swung into action with an alert that poured 500 emails into 17 Assembly offices in a day. The bill crawled out of the Assembly after a struggle to get enough votes and expired a few weeks later at the July 9th Senate Judiciary hearing, where it was withdrawn.

The second bill, Assembly Bill 873 from Thousand Oaks rep Jacqui Irwin, proposed to alter the definition of personal information by removing lightly anonymized information that can be, way too easily, re-identified. After the bill author defiantly refused to add suggested amendments that would have reduced the bill’s damaging aspects, it failed committee passage in Senate Judiciary on July 9th. Opposition testimony was provided by Jake Snow of ACLU Norcal and Ariel Fox Johnson with Common Sense Media, the original sponsors of the CCPA. Voting in opposition to the bill were committee chair Hannah-Beth Jackson, LA senator Maria Elena Durazo, and San Luis Obispo/Monterey senator Bill Monning. They were joined by abstainers Fresno senator Andreas Borgeas, Long Beach senator Lena Gonzalez and Alameda County senator Bob Wieckowski in the narrow defeat of the bill.

The third big threat to consumer privacy protections was Assembly Bill 846, which under the guise of protecting “loyalty programs” like Safeway discount cards and frequent flyer plans, proposed to institutionalize discriminatory pricing for consumers who chose to opt out of data sales and let companies that provide services for free, like Facebook, start charging consumers who exercised their new rights. Opposition testimony from Maureen Mahoney at Consumers Union and Media Alliance ED Tracy Rosenberg emphasized how the bill was a wolf in sheep’s clothing and authorized companies to call pretty much anything a “loyalty program”. After industry loudly denied that “loyalty programs” sell consumer personal data to third parties, they were forced to take an amendment that prevented the programs from doing so, thus removing the need for consumers to opt out. As the Intl Association of Privacy Professionals noted, the impromptu amendment is actually more restrictive than existing CCPA language and now strengthens, rather than weakens, the law.

The statewide privacy coalition, which has been meeting weekly for months to try to fend off the onslaught of CCPA-weakening bills, scored a remarkable set of victories that preserves intact the nation’s only comprehensive consumer privacy bill, the US GDPR so to speak, in the lead up to the CCPA implementation date of January 1, 2020.