Last year, California passed the California Consumer Privacy Act (CCPA), which allows state residents to request to see the data that businesses collect on them, ask that it be deleted, opt out of having that data sold to third parties, and more.
But the California Assembly’s Committee on Privacy and Consumer Protection advanced a series of bills last week that would either amend CCPA or create exemptions for certain businesses. These bills are supported by business groups, as well as tech lobbying firms that represent companies including Facebook, Google, Amazon, and Apple.
As they work to get the new legislation passed, privacy groups have warned that these proposed changes could severely weaken the CCPA.
“All of these industry interests are trying to weaken privacy in California,” says Jacob Snow, staff attorney with the ACLU of California, according to WIRED. “The Privacy Committee members who were present revealed their constituency are tech companies.”
One of the bills, AB 25, would change the way the CCPA regulates employee data, excluding the information that businesses collect on employees, job applicants, and contractors, as long as it is used “solely within the context” of that relationship. While privacy groups acknowledge that businesses need to be able to collect data on their employees, the wording of AB 25 worries them.
“Absent a safeguard of privacy for workers in the workplace, the bill opens the door to highly intrusive data collection by companies of their employees,” a coalition of privacy groups wrote in a letter in early April.
In addition, another bill, AB 846, would change restrictions on loyalty card programs. Under CCPA, businesses cannot charge higher prices or offer different services to customers who request that their data not be collected or sold. But AB 846 would create an exemption for businesses that offer voluntary customer loyalty cards. And while a requirement under CCPA requires businesses to provide a toll-free phone number for people to make data requests, AB 1564 would have businesses provide a toll-free number or an email address.
“Many businesses covered in the CCPA do not currently have toll-free numbers, and obtaining one would be a cost driver,” industry groups, including the Internet Association, wrote in a letter of support. “Second, receiving and verifying consumer requests via phone calls would present security concerns in many cases.”
In a statement to WIRED, Facebook vice president of state and local policy Will Castleberry said that giving people more control of their data and allowing them to its sale are “core principles to strong privacy protections.”
“We support technical efforts as long as they do not weaken CCPA’s underlying principles,” he added.
But Snow pointed out that the major tech companies have been absent from these conversations, even as the lobbying firms that represent them negotiate on their behalf. “I think they’re using that to maintain plausible deniability,” he said.