In their public statements, appearances before Congress, and so many recent op-eds, tech leaders like Mark Zuckerberg and Tim Cook have professed their commitment to privacy. But in their home state of California, the lobbying groups and trade associations that represent these same companies have quietly backed legislation that privacy experts say would severely weaken a sweeping privacy law that's set to take effect in January.

The California Consumer Privacy Act, or CCPA, gives residents of California the ability to request the data that businesses collect on them, demand that it be deleted, and opt out of having that data sold to third parties, among other things. But last week, the California Assembly's Committee on Privacy and Consumer Protection advanced a series of bills that would either amend CCPA or carve out exemptions for certain categories of businesses. These bills received widespread backing from business groups, including the California Chamber of Commerce, as well as leading tech lobbying firms that represent the likes of Facebook, Google, Amazon, and Apple. But privacy groups almost unanimously opposed them, stoking fears that state lawmakers are about to strip the country's meatiest privacy law to the bone.

"Numerous stakeholders have urged further refinement of [CCPA]—from addressing workability issues from a business compliance standpoint, to strengthening the law from a consumer and privacy protection standpoint," Assemblymember Ed Chau, who chairs the committee and also cosponsored CCPA, told WIRED in a statement. Chau says the committee plans to "review and analyze all bills," and "give every author an opportunity to make their case before our membership."

Issie Lapowsky covers the intersection of tech, politics, and national affairs for WIRED.

But privacy advocates worry that this process risks watering down the rights consumers have under the law. The only bill that privacy advocates supported in the Assembly, called the Privacy for All Act, was pulled by its author at the last minute. "All of these industry interests are trying to weaken privacy in California," says Jacob Snow, staff attorney with the ACLU of California. "The Privacy Committee members who were present revealed their constituency are tech companies."

From the day CCPA was passed in June 2018, voices on both sides of the privacy debate agreed that it required some fine-tuning. Legislators had hurried it through to prevent a stricter ballot initiative from being put before voters in November. That ballot initiative had widespread public support but faced stiff opposition from the same companies and trade groups that are now trying to amend CCPA.

Mary Stone Ross, who helped draft the initiative when she was president of Californians for Consumer Privacy, describes the subsequent attempts to erode the California law as "painful" to watch. "We forced the hand of the legislature, but now it’s shifted back again," she says.

A Parade of Bills

The proposed bills all aim to make the law easier for businesses to comply with and less disruptive to their operations—even if that means giving them more control over people's data than privacy advocates would like. Several pieces of legislation received widespread support from the tech industry's top lobbying firms, including the Internet Association, TechNet, and the Consumer Technology Association. One such bill, which Chau introduced, would change the way CCPA regulates employee data. The way the law is written, rights under CCPA apply to all California residents. Chau's bill, known as AB 25, would exclude data that businesses collect on employees, job applicants, and contractors, as long as the businesses use that data “solely within the context” of that relationship.

Privacy groups acknowledge that employers need more freedom to collect data on the people who work for them than, say, a company like Facebook needs to collect on its users. But they fear the wording of AB 25 would allow companies to go too far.