In the year's second quarter alone, industry groups spent hundreds of thousands of dollars to influence privacy legislation, according to their lobbying disclosure reports. | Getty Images California privacy law sets national agenda as federal talks fizzle

SACRAMENTO — California is taking center stage, with a federal data privacy deal sputtering in Washington, in the battle over how companies handle consumer data — a familiar role for the giant state with a long history of compelling industry changes.

Just months before the state's new privacy law is set to take effect, Silicon Valley giants and other corporations are facing off against privacy advocates in a last-ditch effort to alter the measure, the California Consumer Privacy Act, in the supermajority Democratic Legislature.


“The stakes are astronomically high because businesses of all sizes across every industry are expected to comply with the letter of this complex law in less than five months,” said Sarah Boot, a lobbyist for the California Chamber of Commerce, which has led a push to narrow the kinds of data covered in the law, among other changes.

So far, the business community — which thought it would get a second chance to tweak the landmark law this year before it takes effect Jan. 1 — has been largely unsuccessful. With four weeks left of the legislative session, trade associations representing Facebook, Google and a host of other corporations are expected to unleash their lobbying firepower to secure exemptions, if not a delay, when lawmakers return to Sacramento on Monday. In the year's second quarter alone, industry groups spent hundreds of thousands of dollars to influence privacy legislation, according to their lobbying disclosure reports.

After two failed bids to strengthen the 2018 law, data-privacy advocates say their goal for the year is simply to keep the Privacy Act intact.

"We’re basically looking to hold the line on everything." said Lee Tien, a senior staff attorney for the Electronic Frontier Foundation, a San Francisco-based group that advocates for stronger consumer protections online. "We’re watching for gut-and-amends and the usual shenanigans on the floor."

Under the law, any company doing business in California, regardless of whether it has a physical presence in the state, must reveal what personal information they have collected about any California resident, upon request. Californians will also be able to ask a business or a data broker to stop selling that information, and to delete it.

The law is more protective for California children under age 16, requiring advance permission from teenagers or parents of younger children before a company can sell their personal information.

Proposals to strengthen or weaken the act have stalled this year, in part over concerns about honoring the privacy deal brokered last summer that led to the law's passage.

Business groups last year were assured they would have a chance to work out changes to the hastily passed law before it took effect in 2020, the CalChamber's Boot said. But, she said, a number of "crucial fixes" sailed through the state Assembly this spring only to be blocked in the state Senate Judiciary Committee last month, days before lawmakers broke for summer recess.

During a late-night hearing, the committee led by data-privacy champion state Sen. Hannah-Beth Jackson (D-Santa Barbara) killed a business-friendly bill to narrow the definition of "personal information," the only type of data covered in the act. Another closely-watched bill that would have created broad exceptions to the law, allowing businesses to provide customer's personal information for purposes including fraud detection, was withdrawn in advance of the hearing.

But some privacy bills remain in play, including CA AB25 (19R), which would allow businesses to authenticate the identities of consumers making information requests. And Sacramento lawmakers have been known to resurrect controversial proposals by inserting them in unrelated legislation that has advanced to the other chamber.

The fight over data rules comes after a string of consumer-privacy scandals and data breaches at Facebook, Equifax and other companies. Each new revelation has stoked a bipartisan public outcry over intrusive tracking practices and the government's failure to protect its citizens from abuses.

The Golden State's Privacy Act, passed not long after the European Union adopted its own set of consumer-data rules, came into being in quintessential California fashion. A multimillionaire developer muscled it through the state Legislature using the threat of a statewide referendum on data privacy. If the referendum had passed, it would have enshrined sweeping consumer protections in the state constitution, including the right for consumers to file class-action suits against alleged violators.

The developer, Alastair Mactaggart, withdrew the ballot measure in exchange for the Privacy Act's passage.

The effects of California's law — which state Attorney General Xavier Becerra is scheduled to enforce beginning next summer, six months after the law takes effect — could ripple far beyond the state's borders.

While Californians are the only ones who will wake up on Jan. 1 with new rights under the state law, some companies might find it impractical or simply a bad public-relations move to deny privacy requests made by people living in other states or countries, said Kristen Mathews, an attorney whose firm, Morrison & Foerster, is advising clients on the law.

The California law also could inspire other state legislatures to take similar steps, said Chris Conley, a technology and civil liberties policy attorney for the American Civil Liberties Union of Northern California.

"It is a proof of concept," Conley said. "If the sky doesn’t fall, it becomes much easier for other states to say, 'Look, California has done this. They have a large percentage of the U.S. population, the California technology economy is still humming right along, this is not actually going to end the internet as we know it, so that's workable.'"

In Washington, lawmakers from both parties say they have not given up on a national standard, despite disagreements. One of the biggest sticking points is whether federal law should block states from adopting additional protections, an idea favored by Republicans but batted down by California Democrats intent on preserving the Privacy Act.

"We want to keep moving forward up here," Sen. John Thune, a South Dakota Republican and GOP whip, told POLITICO. "Our job is to try to put a policy in place that would protect people’s privacy and not allow for a patchwork of state laws to create just a lot of uncertainty."

But business interests hoping the federal government will nullify California's Privacy Act with a single federal standard might be disappointed, said Dan Schnur, a former Republican strategist who now teaches at the University of Southern California’s Annenberg School of Communication.

“For the tech community and for other opponents of the privacy bill, the likelihood of Congress riding to the rescue is beginning to look less and less likely," he said.

Rep. Anna Eshoo (D-Calif.) has been adamant that lawmakers representing Silicon Valley be central to any federal deal, and that any deal doesn't undermine her home state's groundbreaking law.

Still, she said in an interview, it's important for Congress to act alongside California — and soon. The absence of federal regulations has allowed consumer privacy woes to grow "into a monster in some ways," she said. "It's not what people signed up for."

John Hendel and Cristiano Lima contributed to this report.