Implementation of state’s privacy act is off to slow start

The state of California has moved boldly into attempting to regulate online privacy. But how much can any state do on its own?

A state law signed in 2018 to give consumers more control over their data, AB 375, has been in effect since Jan. 1. It gives them expansive new powers to determine what information companies are gathering about them and to opt-out in some cases.

Yet the regulations around the law known as the California Consumer Privacy Act have still not been fully promulgated. Last Wednesday the nation's five largest advertising associations published a letter to Attorney General Xavier Becerra asking him to delay the July 1 deadline to start enforcing of the law "until at least six months from the date of finalization of the rules."

"Business attempts to comply with an incomplete legal regime risks causing significant consumer frustration and the implementation of inadequate or duplicative compliance tools," stated the letter.

A spokesman for the coalition said he could not comment on the possibility of legal action against the law, saying such a decision would need to come from each individual organization. A spokesman for one of the organizations that signed the letter, the Association of National Advertisers, said he was unable to comment on potential legal action at this point.

But some say any push for real change from industry giants like Facebook Inc. or Twitter will need to come from the federal level -- and potentially through the courts.

"I think until a lot of people start to sue these companies for faulty products and damages, they're just going to write off all the fines," Hany Farid, a professor at the UC Berkeley School of Information, said at a privacy panel at the state Capitol in January. "The reasons cars don't explode anymore when they back up into a fire hydrants is we were suing the automotive industry."

He added: "That requires reform of 230 at the federal level."

This was a reference to Section 230 of the Communications Decency Act, a law passed by Congress in 1996. Section 230 generally protects companies from legal action over statements made by third parties on their platforms. For instance, Facebook and Twitter can't be sued for defamatory statements made by others on their forums.

Farid has testified in front of Congressional committeess. He said there is bipartisan support for changes that would transform Section 230 from a right to a "privilege."

"You would have to have a duty of care in order to get the liability protection," Farid said.

Several companies have successfully used Section 230 defenses. A notable example occurred in 2016 when three executives of Backpage.com used it to fend off pimping and conspiracy charges brought by California Attorney General Kamala D. Harris even though the now-shuttered website is widely believed to have been used for prostitution.

Section 230 rarely came up during the debate over AB 375, or when the Legislature passed several bills last year to help clean up and clarify provisions of the law. But California's law is littered with prohibitions on selling user data to "third parties." Some of these would appear to create potential liability for platform companies like Facebook based on actions undertaken by such third parties -- raising the possibility Section 230 could be invoked in a suit to block the law from taking effect.

The law could have other legal vulnerabilities. AB 375 was passed on a compressed schedule in order to fend off a 2018 initiative from wealthy real estate investor Alastair Mactaggart, though Mactaggart has refiled a similar initiative for this November.

In a December post on his Technology & Marketing Law blog, Santa Clara University School of Law Eric Goldman wrote "the passed law contained numerous embarrassing typos and errors consistent with a closed-door rush job." Despite some efforts in subsequent bills to clean up definitions of key terms and avoid conflicts with federal law, he wrote "the CCPA remains substantially the same as when it initially passed."

The passage of AB 375 appears to have sparked increased interest in the topic at the federal level, including by Republicans who want to avoid patchwork legislation across the country. But lobbying spending against such a law or a change to Section 230 would be intense. An August report from the Information Technology and Innovation Foundation estimated a national version of AB 375 or the European Union's General Data Protection Regulation "could cost the U.S. economy about $122 billion per year," largely through increased prices and stifling innovation.

Speaking on the same panel as Farid, Roger McNamee emphasized the importance of keeping most of the Communications Decency Act in place in order to protect innovation and allow small companies to grow. An early investor in Facebook, McNamee wrote about his growing frustration with the company's practices in the 2019 book "Zucked: Waking Up to the Facebook Catastrophe."

Any real solution to the problems privacy and free speech advocates will involve getting technology giants to negotiate in good faith, he said.

"We need to get them to be much more honest and sincere when they're at the negotiating table," McNamee said. "Right now, they don't believe you guys have any power. They don't believe the feds have any power. You know what? So far the evidence is that's correct."