Another California Data Privacy Law

The California Consumer Privacy Act is a lesson in missed opportunities. It was passed in haste, to stop a ballot initiative that would have been even more restrictive:

In September 2017, Alastair Mactaggart and Mary Ross proposed a statewide ballot initiative entitled the “California Consumer Privacy Act.” Ballot initiatives are a process under California law in which private citizens can propose legislation directly to voters, and pursuant to which such legislation can be enacted through voter approval without any action by the state legislature or the governor. While the proposed privacy initiative was initially met with significant opposition, particularly from large technology companies, some of that opposition faded in the wake of the Cambridge Analytica scandal and Mark Zuckerberg’s April 2018 testimony before Congress. By May 2018, the initiative appeared to have garnered sufficient support to appear on the November 2018 ballot. On June 21, 2018, the sponsors of the ballot initiative and state legislators then struck a deal: in exchange for withdrawing the initiative, the state legislature would pass an agreed version of the California Consumer Privacy Act. The initiative was withdrawn, and the state legislature passed (and the Governor signed) the CCPA on June 28, 2018.

Since then, it was substantially amended—that is, watered down—at the request of various surveillance capitalism companies. Enforcement was supposed to start this year, but we haven’t seen much yet.

And we could have had that ballot initiative.

It looks like Alastair Mactaggart and others are back.

Advocacy group Californians for Consumer Privacy, which started the push for a state-wide data privacy law, announced this week that it has the signatures it needs to get version 2.0 of its privacy rules on the US state’s ballot in November, and submitted its proposal to Sacramento.

This time the goal is to tighten up the rules that its previously ballot measure managed to get into law, despite the determined efforts of internet giants like Google and Facebook to kill it. In return for the legislation being passed, that ballot measure was dropped. Now, it looks like the campaigners are taking their fight to a people’s vote after all.


The new proposal would add more rights, including the use and sale of sensitive personal information, such as health and financial information, racial or ethnic origin, and precise geolocation. It would also triples existing fines for companies caught breaking the rules surrounding data on children (under 16s) and would require an opt-in to even collect such data.

The proposal would also give Californians the right to know when their information is used to make fundamental decisions about them, such as getting credit or employment offers. And it would require political organizations to divulge when they use similar data for campaigns.

And just to push the tech giants from fury into full-blown meltdown the new ballot measure would require any amendments to the law to require a majority vote in the legislature, effectively stripping their vast lobbying powers and cutting off the multitude of different ways the measures and its enforcement can be watered down within the political process.

I don’t know why they accepted the compromise in the first place. It was obvious that the legislative process would be hijacked by the powerful tech companies. I support getting this onto the ballot this year.

EDITED TO ADD(5/17): It looks like this new ballot initiative isn’t going to be an improvement.

Posted on May 11, 2020 at 10:58 AM10 Comments


TimH May 11, 2020 12:27 PM

I suggest an explanation for the compromise. It will be easier to ballot an improvement, showing the bad faith per the watering down, than to get a tight privacy law in one step.

Look at the CV19 tracking nonsense. I’m sure that the cell phone surveillance provided by that BLE tech will move from optional to mandated in ALL the countries that now insist on a central tracking repository. Why else? But that big step would never pass the grumbling masses right now, so that repository is the baby step.

William Ball May 11, 2020 12:57 PM

It’s ironic that the state that has hosts some of the biggest tech companies is the one doing the most to fight “surveillance capitalism.” I wonder if CA’s direct-democracy “problem” will eventually prompt Big Tech to relocate?

I applaud the CA efforts and I’d like to believe that they will make a difference. But in the long run, I don’t think policy is the answer. The corps are too good at getting around whatever regulation you throw at them. Further, the more regulations you have, the harder it is for any startup to comply with them and compete with the entrenched tech-oligarchs.

In order to successfully oppose the surveillance state (both corporations and gov) we will have to re-architect the Internet to use privacy- and anonymity-focused technologies by default. Imagine if you could one-click download a “perfect server” that hosted email, messaging, web content, etc on a VPS, operating on an overlay network like Tor, with everything end-to-end encrypted. The entire FANG business model would fail overnight.

Clearly these solutions will have to come from the open-source community, since they are in the interests of neither the corporations nor the government. How do you PRISM the Tor network, if 90% of people are using it? How do you personalize ads when you can’t correlate any two requests from any client, let alone force anyone to use their RealName(TM)?

TL;DR Good for CA, but in the long run, policy won’t work. Only better technology can fix the problem.

Steve May 11, 2020 4:21 PM

@William Ball

Only better technology can fix the problem.

Yeah, that trick always works.

vas pup May 11, 2020 4:39 PM

“Ballot initiatives are a process under California law in which private citizens can propose legislation directly to voters, and pursuant to which such legislation can be enacted through voter approval without any action by the state legislature or the governor.”

Never ever such thing could happened now. That was only done in real democracy – Ancient Greece. Then, gradually democracy was watered down and substituted by republican form of government, i.e. representative democracy.
@Bruce: you do have foot in Harvard, so ask them how many direct democracy mechanisms currently left on state, federal level.
May be on local level they do exist – in small communities, otherwise I doubt.

Petre Peter May 11, 2020 6:15 PM

  1. What information is being collected?

  2. Who has access to it?

  3. How can I delete it?

EvilKiru May 13, 2020 1:46 PM

@Petre Peter:

  1. You’ll never know.
  2. You’ll never find out.
  3. You’ll never be able to.

Mr. Peed Off May 13, 2020 4:52 PM

I would prefer federal legislation. An EULA type agreement, if you will, for corporations. Completely voluntary, sort of like what the corps do to consumers. Of course to get any to comply, a carrot and stick approach would need to be used. Agreement would be mandatory for those wishing to bid on federal contracts, receive funds to build infrastructure, any bailouts, and section 230 protections. Such legislation might even have a side effect of causing some of the large corps to break themselves up into smaller, discrete independent corps.

A Nonny Bunny May 16, 2020 3:48 PM

@vas pup

That was only done in real democracy – Ancient Greece.

You mean the one that excluded women and slaves?

Then, gradually democracy was watered down and substituted by republican form of government, i.e. representative democracy.

I’m fairly sure there wasn’t any gradual watering down, but Sparta simply crushed Athenian democracy without leaving any spiritual successors.
Claims that modern democracies in someway descends from ancient Greek democracy probably has about as much merit as claiming your family descends from the mythical heroes of Troy. But then again, I’m not a historian (or genealogist).

referring May 19, 2020 5:18 AM

@Mr. Peed Off:
“I would prefer federal legislation”

I don’t think you realize that most federal legislation is written by corporate lobbyists.

Sometimes the politicians don’t even read it all before passing it into law.

A dubious person May 19, 2020 12:22 PM

@ Mr. Peed Off, referring

What “referring” said.

The typical progression here is that, once some meaningful state-level legislation gets passed, industry lobbyists who are paid well to protect their masters’ rice bowls1 will throw their efforts into some superseding Federal legislation with more loopholes than a nice mature Swiss cheese.

(It’s this situation that makes me shake my head in dismay when I hear calls for things like a federal anti-SLAPP law.)

For a fairly recent example, you might consider how some US states passed consumer-friendly anti-spam legislation around the turn of the millennium; the instance I’m personally familiar with, in Washington state, even included a “right of private action”2, making it far simpler for abused Internet users to retaliate against the parasites. This situation was clearly unacceptable, and was a major force behind the passage of the federal “CAN-SPAM” act3, which superseded the various state laws with one that was basically useless except for show-trial purposes.

  1. I thank the erudite Clive Robinson for the “protecting the rice bowl” metaphor.

  2. IIRC, this legislation allowed a Washington state citizen to sue spammers in Washington state and get default judgments which included painful levels of damages.

  3. I’ve always thought the ironically tortured name of this legislation was either a Freudian slip or (more likely) taunting. Note that the “P” nominally stands for “Pornography” – the lobbyists were practicing offense-in-depth here to ensure that no congresscritter would dare vote against their plan to formalize the status quo.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.