As technology companies have grown from dot-com upstarts to the most powerful entities in America, U.S. legislators have done virtually nothing to establish new laws that regulate the companies and their products, even as negative effects ripple throughout society daily.
That is beginning to change. Nationally, antitrust actions announced in 2020 seek to undercut some of the power of these now-entrenched giants, with suits seeking to break up Facebook Inc.
rein in Alphabet Inc.’s
The most expansive efforts to regulate Big Tech, however, have come from the state that birthed most of the world’s largest tech companies, California. The Golden State has introduced a series of laws that seek to temper the worst elements — a lack of data privacy and security, exploitation of an underclass of low-paid workers, and homogenous, club-like leadership that perpetuates systemic sexism and racism in the technology industry.
Those laws, though, are controversial and face an uncertain future, amid both industry-backed efforts to establish friendlier standards and lawsuits seeking to abolish or hamper regulation. While that is already damaging some of California’s efforts in the short term, the issues these laws face should offer other states and the incoming Biden administration examples of the legal challenges ahead.
As we head into 2021, there is finally momentum on a federal level to address the negative effects of letting Big Tech to run rampant in the past decade. Hopefully, lessons learned in California will help guide other states and federal legislators in crafting fair laws that protect Americans while still allowing tech companies to flourish.
In 2018, California was the first state in the U.S. to adopt data-privacy legislation that in many ways mirrored the European Union’s General Data Protection Regulation that was implemented in 2018. The resulting California Consumer Privacy Act , which went into effect in January 2020, created significant new data protection obligations for businesses based in the state and new privacy rights for Californians.
But before the CCPA, as it is referred to, went into effect, there was concern that it did not go far enough and that there was no real instrument to enforce the law. That led to Proposition 24, an initiative led by San Francisco investor and privacy advocate Alastair Mactaggart that passed with 53% of the vote in November. Known as the California Privacy Rights and Enforcement Act of 2020, or CPRA, Prop. 24 amended the CCPA with stricter regulations for companies and the creation of an enforcement agency.
“CCPA really changed a lot, for California law, and for the world,” said Paul Schwartz, a professor at the Berkeley Law School and director of the Berkeley Center for Law and Technology at U.C. Berkeley. “Both CCPA and CPRA govern businesses based in California and processing information of California residents. Since California is the fifth largest economy in the world, that is a lot of information. It’s a wide reach.”
The CPRA, he said, is an elaborate amendment to the CCPA. Enforcement of the new law will not begin until July 2023, giving businesses some time to address the new requirements, which provide more consumer protections.
In a November article in the San Francisco legal newspaper The Recorder, a trio of attorneys at Gibson, Dunn & Crutcher spelled out some of the biggest additions to the CPRA for companies. One is determining the difference between a consumer’s personal information and sensitive information, which requires more compliance measures. Businesses will also have to again analyze their internet advertising practices and reconsider if they are selling personal data, what is the definition of a sale, evaluate their data minimization and retention practices, update their disclosures and review third-party relationships, to name a few additions.
“As the new law comes closer, there will be even more overlapping considerations for companies to review in light of expanding obligations across the globe,” said Cassandra Gaedt-Sheckter, of Gibson, Dunn, in an interview. “For example, the CPRA adds concepts of data minimization and data retention—that is, only collecting what is truly needed, only using the data for the purpose for which it was collected, and only retaining for as long as necessary—which are considerations that companies may have needed to consider for other laws, such as GDPR in the EU. ”
The existence of the CCPA led to at least 20 class-action lawsuits filed in 2020 against a range of companies, for either failing to protect customer data in data breaches, a lack of notification of data collection, or no opt-out options for the customer, according to a list compiled by the nonprofit International Association of Privacy Professionals, or IAPP.
Some cases are in arbitration, and a few have already been dismissed. Four cases against Zoom Video Communications Inc.
have been consolidated into one. This month, Zoom responded with a motion to dismiss, contending that the plaintiffs do not allege that their own personal data was disclosed and instead, allege that Zoom disclosed device data of unspecified users. Zoom also added that invasion of privacy claims contain only a “passing reference” to the CCPA.
Since most class-action suits filed by individual parties tend to settle out of court, it’s not likely these current cases will impact future interpretations of the law. The key will be any actions brought to enforce the new data privacy laws by the state, which will establish precedent for enforcing the new law.
So far, California Attorney General Xavier Becerra has not filed any cases seeking to enforce the CCPA, with other urgent issues taking precedence during the pandemic. Becerra has since been selected by President-elect Biden as secretary for health and human services, delaying any tests more.
“In California, you have this launching of a new law,” said Lee Tien, legislative director at the Electronic Frontier Foundation. “But we haven’t been in the best situation to enforce it, between the jobs that the AG had [to fill] and the coronavirus pandemic.”
And now, that may be a moot point, as the new California Privacy Protection Agency takes over enforcement when the CPRA goes into effect in 2023. The pandemic, change in the AG role and delay in implementing the new law likely means that nobody will know how California’s massive data-privacy efforts are going to work in practice for years to come, which could delay pushes elsewhere for similar legislation.
A few other states, such as New York and Washington, have been looking at introducing data-privacy laws, though not as comprehensive as CCPA. There have been numerous failed attempts at a federal data privacy law in congress.
“When you go state to state, there is no question that after CCPA was passed, there was a lot of discussion. ‘The biggest state in the country just passed this law, maybe something can happen here,’” Tien said. But he doesn’t have any expectations of any congressional consensus on any kind of federal law anytime soon.
“Nothing will happen until the new administration comes in,” said Sundeep Kapur, an associate in the privacy and cybersecurity practice at Paul Hastings in Washington. “There has been talk about a federal law. I do think privacy is on the table, whereas if you had asked a privacy prof a few years ago, they would say no way. Whether it passes is going to be a guessing game.”
Establishing rules for the ‘gig economy’
California’s effort to stem the unfair labor practices of the so-called gig economy hit its biggest roadblock in 2020.
The legislature in California approved Assembly Bill 5, or AB5, in 2019, to codify a recently established judicial standard for what constitutes an employee in the state. The law reclassified many areas of contract workers as employees, giving them protections such as minimum wage guarantees, sick leave, unemployment insurance, overtime pay and other benefits.
But the gig companies — which have built multibillion-dollar valuations on the back of gig workers who receive no guarantees of a minimum wage nor any benefits —- overturned the law by spending millions to sway (and confuse) voters about the issue. Proposition 22, which won with 58% of the vote in November, was funded in a mega-effort by ride-hailing services and food delivery companies like Uber Technologies Inc.
Instacart and DoorDash, which collectively spent $200 million in a relentless ad campaign.
Read more about Uber and Lyft’s day of reckoning
“Their campaign was so robust and so well done and replete with false information,” said Veena Dubal, a law professor at UC Hastings Law, San Francisco, and vocal critic of how companies treat contractors in the gig economy who was a target of a harassment campaign during the election . “I saw a number of ads saying it would be giving drivers minimum wage. Which is just untrue.”
Proposition 22 gives drivers some wage increases and workers who log on 15 hours or more a week can receive subsidies towards health insurance, but the benefits are “far below what the law assures for other workers,” Dubal said.
Companies like Uber and Lyft have already been talking about replicating their success in California in other states.
“Our drivers are on our side and we will have the proper dialogue and it will take time with other state regulators, city regulators, and we think that the regulators over the long-term will do the right thing,” Uber Chief Executive Dara Khosrowshahi said at an RBC Capital Markets virtual investor conference last month, when asked about the implications of Prop. 22. The CEO even termed his efforts to take Prop. 22 nationwide as “IC+” in an earnings conference call just after the election.
Uber and Lyft were successful in the campaign to take on AB 5 because they convinced California voters that the law would force them to halt their services in the state and increase their prices. Despite the victory of their sponsored proposition, the ride-hailing companies are already upping their prices due to the small concessions included in Prop. 22, after steadily increasing the cost of ride-hailing and other delivery services since both companies went public in 2019.
Dubal and other critics of the exemptions allowed by Prop. 22 believe that the new law is a legalization of the once-reviled notion of “piecework,” where workers were paid for each piece completed and not for the hours they labored.
Under the new exemption, “I can drive around for 10 hours, and lose money on insurance, fuel, and Uber owes me nothing, they don’t owe me any money until I get a ping and I start my work,” Dubal said. “They have legalized piecework, which was outlawed during the New Deal in the garment industry.”
“The fear is that what happens in California becomes sanctified, and then spreads,” Dubal added, a notion that may apply to the other laws as well, for better or worse.
Right now, the only hope for new laws that provide protections for app-based workers is that the Biden Administration proposes new federal legislation or that President-elect Biden could issue an executive order to pre-empt the California law. However, members of the transition team came from Uber and Lyft, and it is a foregone conclusion that any battles in other states or at the federal level will be fought hard with millions and millions of dollars.
Read more about the Biden Administration’s plans to help gig workers
Ultimately, Prop. 22 is a framework for a new approach to gig economy work that provides some benefits, but still does not pay into unemployment nor provide full health benefits for workers. As the gig companies attempt to spread these new rules, it will be interesting to see if they fill in the obvious holes that California will be dealing with for years.
Diversity on corporate boards
Tech companies, like most of corporate America, have struggled to develop work forces that resemble the gender and racial makeup of the country. For tech, that is a bigger problem, as the companies develop platforms and devices used by all, but developed largely by white and Asian males.
California has aimed at the top of companies, in the hopes that changes at the board level will filter down, with the state legislature passing a law in 2020 that will require corporations based in California to have a member of under-represented communities on their boards. It is a follow-on to a law passed in 2018 that requires women directors on boards.
“The data show that the more diversity on a corporate board the better the company performs for shareholders,” said Jennifer Rubin, a partner with the Mintz law firm. “It’s proven true. Better decisions are made, there is a better return on investment for investors. It’s better all around. ”
The new law — Assembly Bill 979, or AB 979 — was signed in September by Gov. Gavin Newsom, and requires that all California-based publicly traded companies have at least one director who is from an underrepresented community by the end of 2021. Those directors are defined as “an individual who self‑identifies as Black, African American, Hispanic, Latino, Asian, Pacific Islander, Native American, Native Hawaiian, or Alaska Native, or who self‑identifies as gay, lesbian, bisexual, or transgender.”
Even though some believe that quotas are not a good way to improve diversity, the general consensus has been that the first law has helped improved the proportion of women on corporate boards. Proponents say that racial diversity on boards will help lead to change in many industries where there is systemic racism, including in the technology business, which is so key to California’s economy.
“The traditional board has the retired CEOs, which is why you ended up with so many grey-haired white men,” said Teresa Jacques, partner, technology and board practice at Major Executive Search in Rancho Santa Fe, Calif. But as companies are addressing and becoming more active in social issues, boards need to reflect all stakeholders, not just investors.
“With what’s going on in society at large, it’s shifting to a more stakeholder approach,” Jacques added. “We want to know more about how the CEO’s comp compares with the ratio of others in the company. What’s your culture? What is your diversity practice? These things are shifting the role of the board director to ask different questions, that is different than the standard CEO.”
So far, the California Secretary of State has monitored compliance of the women on boards law, but its report in March is incomplete, with 282 companies of the 625 public companies in California saying they were in compliance, while another 300 did not report.
Both the gender and racial diversity laws are being challenged by a conservative group called Judicial Watch. In October, the group filed a lawsuit in Superior Court in Los Angeles, calling the new law suspect, and one that raises “constitutional issues.”
“California’s government has a penchant for quotas that are brazenly unconstitutional,” Judicial Watch President Tom Fitton said in a statement. “Gender quotas and now new quotas for numerous other groups for corporate boards are slaps in the face to the core American value of equal protection under the law.”
Supporters of the new laws believe that the resulting change on boards will continue to have positive impact throughout corporate America. The issue has received attention from shareholder groups such as the California Public Employees’ Retirement System, or CalPERS, and Institutional Shareholder Services, or ISS.
“CalPERS were involved in writing letters to companies they invest in, saying you don’t have diversity on your boards, how are you going to respond?” said Jacques, adding pressure from those groups helped the Women on Boards 2020 advocacy campaign. The current racial diversity law is also getting attention from other states, such as New York and New Jersey, she said. In August, 2019, the state of Illinois passed a law requiring Illinois-based corporations to report data on their diversity, after pushback on a proposed bill to require diversity. “But what we are doing I think the rest will follow,” she said.
In early December, the NASDAQ followed suit, filing a proposal with the Securities and Exchange Commission, proposing new listing rules, aiming to require board diversity and disclosure of its companies. A few years earlier, large funds State Street Global Advisors, followed by Vanguard, began calling attention to the lack of gender diversity on boards.
Requiring diversity on corporate boards currently has the most support to go nationwide, while data privacy may be placed on the back burner, as the new Biden administration confronts plenty of other larger issues. And as long as Uber and Lyft and others are willing to spend ferociously, gig economy laws may continue to stay in their favor.
But as other states and the U.S. government watch the different legal battlegrounds in California, hopefully the mistakes made in the incubator will not repeated on a national level. Ultimately, there is hope that guinea-pig laws in California will lead to more robust laws that will protect U.S. consumers, give gig workers more protection, and help end the homogeneity of American corporations.