“I expected one of those answers you get from airline pilots about plane crashes,” Mactaggart ­recalls. “You know — ‘Oh, there’s nothing to worry about.’ ” Instead, his friend told him there was plenty to worry about. If people really knew what we had on them, the Google ­engineer said, they would flip out.

Mactaggart had spent most of his adult life in the Bay Area, running a family real estate business with his uncle. The rise of the tech industry had filled his condo ­developments with ambitious ­engi­neers and entrepreneurs, making Mactaggart a wealthy man. But he never really thought about how companies such as Google or Facebook got so big so fast. The vast pools of data they collected and monetised were ­abstractions, something he knew existed but, as with plane crashes, rarely dwelt on.

Now he began to think about tech companies a lot. He started reading about online tracking and data mining. He discovered that the US, unlike some countries, had no single, comprehensive law regulating the collection and use of personal data. The rules that did exist were largely established by the companies that most ­relied on your data, in privacy policies and end-user agreements most people never actually read. Mactaggart began to scrutinise these policies closely, the way he read loan contracts and pored over offering plans. He learned there was no real limit on the ­infor­mation companies could collect or buy about him — and that just about everything they could collect or buy, they did. They knew things like his shoe size, of course, and where he lived, but also roughly how much money he made and whether he was in the market for a new car. With the spread of smartphones and health apps, they also could track his movements or whether he had a good night’s sleep. Once facial-recognition technology was widely adopted, they could track him even if he never turned on a smartphone.

No one knew more about what people did or were going to do than Facebook and Google. They knew what you “liked” and who your friends were. They knew not just what you typed into the search bar late on a Friday night but also what you started to type and then thought better of. Facebook and Google were following people around the rest of the internet, too, using an elaborate and invisible network of browsing bugs — they had, within little more than a decade, created a private surveillance apparatus of extraordinary reach and sophistication. Mactaggart thought that something ought to be done. He began to wonder if he should be the one to do it.

Mactaggart, who is 52 but boyish, did not think of himself as a radical. He often describes himself as a capitalist but his research on privacy had stirred something in him. “It’s like that Buddhist thing, where you walk past a mess and a mop and say, ‘Someone ought to clean up that mess’,” he says. “And eventually you realise you have to pick up the mop.”

Over evening walks around his neighbourhood, Mactaggart batted around ideas for a new state law with his friend Rick Arney, a ­finance executive. But Arney, who worked in the California legislature after business school, suggested a different approach. Instead of going through the state government in Sacramento, Arney suggested, they could use California’s citizen-initiated referendum system, putting the question directly to the people and gathering signatures for a statewide ballot. Mactaggart liked the idea. He also had the money to do something with it. Early last year, he hired a small staff, set them up in a two-room office in Oakland and began cold-calling privacy ­experts to figure out just what his initiative should say.

Almost by accident Mactaggart had thrust himself into the greatest resource grab of the 21st century. To Silicon Valley, personal information had become a kind of limitless natural deposit, formed in the digital ether by ordinary people as they browsed, used apps and messaged their friends. Like the oil barons before them, tech companies had collected and refined that ­resource to build some of the most valuable companies in the world, including Facebook and Google, an emerging duopoly that today controls more than half of the worldwide market in online advertising. But the entire business model — what philosopher and business theorist Shoshana Zuboff calls “surveillance capitalism” — rests on untrammelled ­access to your personal data.

For most of its relatively brief existence, Silicon Valley has been more lightly regulated than almost any other major industry. The technology that drove the business was complex, and few politicians wanted to be seen as standing in the way of a new kind of wealth creation, one that seemed to carry no messy downsides such as pollution or global economic collapse. Most of the biggest tech companies could simply ­ignore Washington — until they grew too big for Washington to ­ignore. When regulators finally threatened to intervene, the companies did what they were best at: they scaled up, this time not with software and servers but with phalanxes of lobbyists and lawyers.

By last year, Google’s parent, Alphabet, was spending more money on lobbyists than any other corporation in America. Starting in 2011, Facebook doubled the amount of money it spent on lobbying in Washington, then doubled it again. The company employed just 10 lobbyists in state capitals around the country in 2012, according to my analysis of data collected by the National ­Institute on Money in Politics. By the time Mactaggart and Arney began work on their privacy ­initiative, it had 67.

But until recently, companies such as Facebook and Google had something that Wall Street and Big Oil and the cable companies didn’t. To many people in Washington, they were the good guys. Through the Obama years, the tech industry enjoyed extraordinary cachet in Washington, not only among Republicans but also among Democrats.

As Mactaggart considered how to take on the data industry, he faced an American political establishment that saw the key to its ­future in companies such as Google and Facebook — not because of whom they supported but because of what they did. The surveillance capitalists didn’t just sell more ­deodorant; they had built one of the most powerful tools invented for winning elections. Roughly the same suite of technologies helped elect presidents Barack Obama and Donald Trump.

Last northern autumn, Mac­taggart was introduced to a former graduate student named Ashkan Soltani, a highly regarded privacy researcher and consultant. The two men quickly struck up an ­intense email correspondence. Soltani had devoted most of his adult life to understanding digital surveillance and privacy, and he closely observed how the tech ­industry exerted its will in Washington. Soltani told Mactaggart his privacy initiative would need a lot of work if he wanted it to survive. Mactaggart decided to hire him.

Soltani knew exactly how hard Facebook and Google would fight to protect their business model because he had watched them do it before. In February 2012, senior ­officials from the Obama administration unveiled what some of them hoped would become a signature initiative of the president’s second term: a “consumer-privacy bill of rights”. The proposal called for limits on the data that companies were collecting and more control for consumers over how it was used, and the tech industry had at least some incentive to consider it: the previous year Facebook and Google each entered into consent decrees with the Federal Trade Commission after regulators found that the companies had ­deceived users about their privacy policies. Soltani, then serving as an FTC technologist, worked on both investigations, and his efforts helped highlight a more pervasive problem: most consumers simply didn’t have the time or experience to navigate the personal-data economy on their own. “Silicon Valley’s model puts the onus on the user to decide if the bargain is fair,” Soltani says. “It’s like selling you coffee and making it your job to decide if the coffee has lead in it.” When it comes to privacy, he says, “we have no baseline law that says you can’t put lead in coffee”.

White House officials believed at first that many tech companies were open to the administration’s ideas. But the following year, as a team of experts at Obama’s Commerce Department worked on drafting a detailed privacy bill, The Guardian and The Washington Post began publishing an explosive series of articles about US government surveillance programs. Relying on thousands of documents provided by Edward Snowden, a former contractor for the National Security Agency, the articles ­revealed how the NSA was collecting rivers of personal data — emails, photos, instant-message conversations — from nine leading internet companies, including Google, Facebook, Yahoo and Microsoft. Soltani by then had left the FTC and joined the Post as a consultant on the series, working on articles that showed how the NSA had collected hundreds of thousands of user address books from email providers and hacked into the private networks that companies such as Google and Yahoo used to transport their data.

The Snowden scandal robbed Obama’s consumer proposal of both momentum and moral authority. Stung by the perception that it had colluded with US spy agencies, Silicon Valley demanded that the government regulate itself ­instead, allying with civil liberties groups to push for legislation reining in the NSA. During the next several months, scores of tech executives flew to Washington for high-level meetings with Obama, including Facebook’s chief operating officer, Sheryl Sandberg, who also sat with Obama’s new commerce secretary, Penny Pritzker, the Chicago billionaire who was the co-chairwoman of his re-­election campaign.

When the Obama administration finally returned to its con­sumer privacy bill the following autumn, Pritzker and her team voiced concerns about its sweep and scope, according to former Obama officials I spoke with. Pritzker wanted to make sure the bill could win industry support and, with it, Republican support. In January 2015 her office persuaded the White House to delay public release of the draft. Facebook and Google, in particular, ­objected to how many kinds of data the rules covered, which ­included not only conventional personal information such as Social Security numbers but also data linked to particular devices, which was critical to compiling the digital dossiers relied on by the advertising industry.

When consumer advocates were finally shown the new draft, they were furious. The bill now had a welter of exceptions and carve-outs. It drastically scaled back financial penalties and did not specifically protect location data. More broadly, it seemed to retreat from the idea of consumer privacy as an inherent right. Most of the protections applied only if collecting or using a given piece of information posed a serious risk of economic or emotional harm.

That June a working group that the administration had convened to address concerns about facial recognition collapsed. Industry representatives had refused to ­endorse the principle that companies would need to secure people’s consent before scanning their faces on a public street. Any notion that Washington would produce wide-ranging privacy reform was dead. Silicon Valley had won.

Last November Mactaggart and Soltani finalised the language of the ballot initiative, drawing on lessons from the failure of Obama privacy’s initiative. It wasn’t called a “bill of rights”. And, on its face, it was not a frontal ­attack on the giants of Silicon Valley. Mactaggart’s proposal instead took aim at the so-called third-party market for personal data, in which companies trade and sell your information to one another, mostly without your knowing about it.

Under the proposed law, every California consumer could ­demand, from most large businesses, an outline of their digital dossier, showing what cate­gories of personal information the company had collected. Mactaggart and Soltani included nearly every category of personal information they could think of: not only whether the companies had collected your name and ­address but also if they had collected your browsing history, your fingerprints, your face scans or your location data. They also would be required to inform consumers if they were drawing ­“inferences”, the sophisticated guesses companies make about, say, your dating habits or your taste in convertibles. And if consumers didn’t like the deal, they could “opt out”, demanding that companies no longer sold or shared any data in a given category.

The ballot initiative had significant implications for the Silicon Valley giants, however. If adopted, Mactaggart and Arney hoped, it would cripple the tech industry’s “notice and choice” consent model, where companies dictated all the terms of service up front, forcing consumers to agree or find a different app. As more people opted out of data sharing, they believed, the rules would slowly dry up the supply of personal information that companies could buy or trade on the open market.

“Third-party tracking would essentially end,” Mactaggart says. “So when you log in to Spotify, you wouldn’t be logging into, like, 100 partners. You wouldn’t have 75 per cent of the websites in the world looking over your shoulder.”

Still, Mactaggart and Soltani imagined their rules to be comparatively light-touch, a way to ­inhibit only the most invasive and creepy kinds of commercial surveillance while leaving Silicon Valley to thrive. Imposing them in California, the beating heart of the tech industry, offered another ­advantage. Through California’s referendum process, they could end-run the entire tangle of interests that had stymied the Obama bill in Washington. And if they succeeded, the effect would ripple far beyond the state’s borders: any company in the world that wanted to do business with California’s 40 million residents would need to follow California’s rules.

But Soltani also knew how ­aggressively the tech companies used their connections in state capitals.

In 2015, a Facebook user named Carlo Licata filed suit in ­Illinois, arguing that the company’s photo “tagging” feature, which automatically identified Facebook users in photos up­loaded to the site, violated his privacy rights. Illinois is among the few states in the country with a strict law governing biometric data, the 2008 Illinois Biometric Information Privacy Act, which ­requires companies to obtain ­explicit consent before collecting fingerprints, voiceprints or a “scan of hand or face geometry.” (“Illinois only has this law because it recognised the need to protect biometrics before Silicon Valley began trying to control state legislation,” says Jay Edelson, a plaintiff’s lawyer in Chicago who represents Licata.)

Other Facebook users in Illinois filed similar suits, which were consolidated and transferred to a federal court in California. Facebook argued that the Illinois law did not specifically apply to its methods for identifying people in photographs. The judge disagreed, ruling in May 2016 that the lawsuit could proceed.

Just weeks later, the original sponsor of the Illinois privacy act, a genial Chicago-area politician named Terry Link, abruptly proposed an amendment to his own law. The amendment clarified that digital photographs did not count as a source of biometric information and that the law protected only facial scans conducted “in person”. A Facebook official told me the company had provided Link with suggestions for clarifying the law, not the language itself. But in a recent interview, Link ­recalled that the amendment language was given to him directly by a lawyer for Facebook. Indeed, the amendment, introduced with only a few days left in the year’s legislative session, seemed tailored to buttress Facebook’s arguments in the California lawsuit, leaving Facebook and other companies free to create face scans from digital pictures without consent.

Link had attached his amendment to a bill that was already sailing through the legislature, an otherwise bland measure dealing with state procedures for unclaimed property. After national privacy groups leapt into action, Link withdrew the amendment. This April, the judge certified ­Licata’s case as a class action, ­applying to as many as eight million Facebook users in Illinois. If Facebook loses, the company could face a judgment as high as $US40 billion ($54bn).

Elsewhere, the tech industry has had more success fending off efforts to regulate facial recognition. Last year, at least five other states considered passing legislation regulating the commercial use of biometrics. Only one, Washington, actually passed a law — and it includes precisely the loophole that tech interests sought to carve out in Illinois, excluding “a physical or digital photograph, video or audio recording or data generated therefrom”. The exception covers facial scans and even voiceprints — the kind of technology that Amazon, based in Washington, uses to power Alexa, the virtual assistant that has a microphone in millions of US homes.

Almost immediately after Mactaggart and Arney submitted their final ballot language to the state in November, officials at Facebook and Google sent identical requests: could they meet in person to discuss the proposal? It was the first time Mactaggart and Arney had heard from either company and the alacrity of the response was a little intimidating. They decided to talk.

Arney met three Google representatives, including Mufaddal Ezzy, a former aide in the state legislature who runs Google’s California lobbying operation. They had lunch in a private room at San Francisco’s Wayfare Tavern, a trendy downtown restaurant with taxidermied heads of wild game on the walls. The executives were friendly, Arney recalls, but mostly they were confused, even a little disconcerted. “Google’s angle was, No 1, ‘Who are you?’ ” he says with a chuckle. No one in tech had ever heard of Arney and Mactaggart. They didn’t understand why a ­finance guy and a real estate developer cared so much about privacy. One asked whether either of the two men were planning to run for office. Eventually, the idea was floated that they all work together on an alternative to Mactaggart’s initiative — a piece of legislation in Sacramento, where they could all have input. “Their idea was that we could fix this in the state legislature,” Arney says.

Facebook seemed to have different worries, Mactaggart says. Mactaggart’s uncle was friends with a former San Francisco city official who had gone to work for Facebook. The friend reached out to arrange a meeting with Facebook’s vice-president for state and local policy: Will Castleberry, a gravel-voiced veteran of the tech and telecom industry. When Castle­berry met Mactaggart and Arney at a different San Francisco restaurant in December, Mactaggart found him charming and sincere. “A lot of people who we talked to told us these were evil people,” Mactaggart says. “But they seemed nice.”

Castleberry praised Mactaggart’s proposal but asked whether he was willing to rewrite it. Facebook’s chief concern, he said, was a feature called a “private right of ­action”. Unlike the Obama bill, which left most enforcement to the FTC, Mactaggart proposed letting consumers sue companies that violated the law. (Illinois had included such a right in its bio­metrics law, allowing Licata to sue Facebook.) Facebook feared that if interpretation of the new rules was left to juries, rather than regulators, it would take years just to ­determine what the company’s compliance obligations were. “We support more disclosure in principle,” Castleberry says. “But the stakes are just much higher with the private right of ­action.”

Mactaggart wanted to make sure his bill had teeth. But as a businessman, he says, he was sympathetic to Facebook’s concerns. He urged Facebook to send him some alternative language. “We thought, gosh, if Facebook came back with something reasonable, and we could get behind it, that would be a win-win,” he recalls.

But as Mactaggart waited, the tech companies — and other ­industries dependent on free data — were preparing to crush him. In January, California’s Chamber of Commerce filed paperwork to register a group called the Committee to Protect California Jobs. The committee soon collected six-­figure contributions from Facebook, Google and three of the country’s biggest internet service providers: Comcast, Verizon and AT&T. The money paid for polling that showed Californians indeed had ample concerns about privacy, and to retain Gale Kaufman, a ­respected Democratic referendum specialist with close ties to the state’s labour unions. The group also hired Steven Maviglio, a prominent Democratic public relations consultant whose clients included the Democratic speaker of the California low er house. Silicon Valley was girding for war.

Mactaggart and his team didn’t find out what was happening until March, when the Committee to Protect California Jobs was ­required to disclose its donors and spending. He and Arney believed the opposition had made a blunder: They had shown their hand before Mactaggart’s initiative had even qualified for the autumn ballot. But the battle ahead looked to be ugly. “ ‘Full employment for trial lawyers’ — and that’s just the tip of the iceberg of this poorly-written-by-a-multi-millionaire’s measure,” Maviglio tweeted. Within a few weeks, the committee was circulating talking points to California sheriffs and prosecutors, claiming Mactaggart’s proposal would make it harder for cops to foil kidnappings or quickly track down criminals such as the San Bernardino shooter. “It was like, ‘Welcome to the (National Football League)’,” Mactaggart recalls. “It was a reminder of how small we were. These were the biggest corporations in the world.”

Mactaggart also knew the tech and cable money, while less than the $US2 million he had so far put into his own campaign, was only just the start. His own consultants warned him that the Committee to Protect California Jobs would most likely raise $100m or more by election day. Mactaggart was rich. But he wasn’t that rich.

In March, as Mactaggart’s canvassers were gathering signatures to qualify for the November ballot, Facebook made a surprise ­announcement — one that would change everything. In a statement posted on its website late one Friday evening, the company said it was suspending a political analy­tics firm called Cambridge Analy­tica from its platform after it had “received reports” Cambridge had improperly obtained and held data about Facebook users. The source of those reports became clear the following day, when ­reporters at London news­papers The Times and The ­Observer revealed that a contractor for Cambridge had harvested private information from more than 50 million Facebook users, exploiting the social media ­activity of a huge swathe of the US electorate and potentially violating US election laws. Within weeks, Facebook acknowledged that up to 87 million users might have been affected, marking one of the biggest known data leaks in the company’s history.

The Cambridge Analytica scandal engulfed Facebook, sending its stock price plunging and setting in motion the worst crisis in the company’s history. Cambridge executives had long bragged about deploying powerful “psychographic” voter profiles to manipulate voters. Now Facebook was forced to acknowledge Cambridge had used voters’ own Facebook data to do it. The damage was not only legal and political — Facebook faced lawsuits and inquiries by regulators in Brussels, London and Washington — but also reputational. Silicon Valley’s public image had survived the Snowden revelations. But tech companies, already implicated in the spread of “fake news” and Russian interference in the 2016 election, were no longer the good guys. When Arney took one his son canvassing on the train, it was suddenly easy to get people to sign their ballot petition. “After the Cambridge Analytica scandal, all we had to say was ‘data privacy’,” he says.

The scandal forced Facebook to take complaints about privacy more seriously — or, at least, to sound as if it did. “I’m not sure we shouldn’t be regulated,” Mark Zuckerberg, the company’s chief executive, told CNN. Mactaggart pressed the advantage, posting an open letter accusing Zuckerberg of misleading Facebook users, then calling up media outlets to remind them that Zuckerberg’s company was, at that moment, financing a campaign to stop new privacy regulations in California. When Zuckerberg appeared before US congress in April, he again ­appeared contrite. “We didn’t take a broad-enough view of our ­responsibility, and that was a big mistake,” Zuckerberg told legislators. The next day, Facebook ­announced it would no longer contribute money to the Committee to Protect California Jobs.

Yet even as his canvassers racked up petition signatures from voters in the state, Mactaggart was being spurned by almost every prominent privacy group in the country. Like any other movement, the world of privacy experts has its radicals and moderates, feuds and schisms. In the wake of the Cambridge revelations, some advocates in Washington and California called for laws similar to Europe’s General Data Protection Regulation, which were much more sweeping than what Mac­taggart proposed; some privacy advocates say they feared his ­initiative would crowd out their own, more sweeping proposals. (Whereas Mactaggart’s initiative allowed consumers to “opt out” of data sales between companies, GDPR, which went into effect across the continent in May, ­required companies to obtain consumers’ permission for collecting the data in the first place.) Once voters approved Mactaggart’s ­initiative, these critics pointed out, California legislators would need to muster an almost unobtainable supermajority to amend it.

The Electronic Frontier Foundation, the storied advocacy group based in San Francisco, did not ­endorse Mactaggart’s proposal. Neither did the American Civil Liberties Union or Common Sense Kids Action, an influential group also headquartered in San Francisco, that has pressed for ­restrictions on the collection of children’s data.

Facebook, for its part, contacted the Washington-based Centre for Democracy and Technology, asking the organisations’s top ­expert on data-privacy protection, Michelle De Mooy, to help ­develop an alternative to Mactaggart’s proposal — language that could be submitted to legislators in Sacramento, replacing or pre-empting Mactaggart’s proposal. De Mooy says that after some initial discussions she turned them down, in part because Mactaggart did not seem inter­ested in further compromise but also because he seemed likely to succeed. “They were looking for options,” De Mooy says of Facebook. “Ultim­ately, we said that wasn’t something we were going to do.” But CDT also ­remained neutral.

Facebook chose that moment to make another direct appeal to Mactaggart. The company had ­developed a legislative counter-proposal, which in April Castleberry emailed to Mactaggart, copying De Mooy. Mactaggart read it on a plane flying back from a memorial service in Canada. He wasn’t impressed. It was vague about data collected from mobile phones and it appeared to exclude Facebook’s own network of “like” and “share” buttons around the web, one of the company’s chief means of tracking consumers when they weren’t on Facebook. And while it limited the sale of data, it seemed to allow companies to make deals to swap data back and forth, potentially a major loophole.

But Mactaggart didn’t want to waste his money on a ballot fight if he could get a deal in Sacramento — and now that his initiative looked sure to get on the ballot, politicians in Sacramento had taken a renewed interest in passing their own privacy bill. Some privacy groups, including Common Sense Kids Action, were ­already negotiating with them.

“I’m a real estate developer,” Mactaggart says, describing his thinking. “I’ve never gotten everything I want, ever. If the legislature passed my entire bill, I’m fine. And if it was almost as good — sure. Who needs to have a fight for the sake of having a fight?”

A few weeks later, I had lunch with Mactaggart and Arney at a sushi place near the Capitol. We were joined by Robin Swanson, Mactaggart’s campaign consultant, herself a former senior aide in the legislature. Everyone was in a good mood. They had recently submitted more than 629,000 signatures to qualify Mactaggart’s ­initiative for the ballot, nearly twice the required minimum, and a Republican candidate for governor had endorsed his proposal during a public debate, surprising even Mactaggart.

“Zuckerberg ­testifying helped us,” he says. “He has the name, he has the face. He ripped off 87 million people.”

‘It felt like a moment — people didn’t want to be on the wrong side of this issue’

Alastair Mactaggart

-

Nevertheless, Mactaggart was willing to compromise. He had told California legislators he would drop his campaign if they could pass a reasonable privacy bill by June 28, the legal point of no ­return for formally withdrawing his initiative from the ballot. Mac­taggart and his team were scheduled to meet Ed Chau, a mild-mannered legislator from outside Los Angeles who leads the lower house’s committee on privacy and consumer protection. Chau had been designated as the house’s chief negotiator on a potential deal between industry and privacy ­advocates. After lunch, we all walked over to the Capitol and filed into Chau’s fifth-floor office, where staff members had promised Mactaggart an update on the negotiations.

Many privacy advocates in California regarded Chau as their champion. Last year he tried to pass a bill that would have ­required cable companies and other internet service providers to obtain customers’ consent before selling their browsing history and other sensitive personal data. Known as AB 375, the bill was ­designed to replicate a popular Obama-era regulation that Trump and Republicans in congress overturned during the President’s first months in office. To get it done quickly, Chau used the same tactic the tech ­industry had used in Illinois, gutting a different bill that had ­already passed the lower house and inserting the broadband privacy provisions. “California is going to restore what Washington stripped away,” he pledged at a news conference.

But Chau’s bill had quickly run into a series of roadblocks. The Senate leader at the time was Kevin de Leon, a prominent and ambitious Democrat from Los Angeles. Because Chau had ­replaced his original bill with a ­totally new one, the rules committee led by de Leon initially ­required the legislation to be ­“triple referred”, a rare legislative manoeuvre under which three committees are entitled to inspect and approve the bill. (Ultimately, it was required to clear only two committees.) When the bill survived referral, Democratic leaders took over the legislation and began revising it, largely freezing Chau and the privacy groups out of the process. In the waning days of last year’s legislative session, a huge coalition of industry groups, data brokers and tech companies signed a joint letter ­opposing the privacy legislation.

Some privacy advocates believed de Leon was deliberately setting up Chau’s bill to fail. While de Leon is a progressive Democrat he also has had a long relationship with AT&T, among the most feared and influential companies in Sacramento. As Senate leader, de Leon was responsible for the health and size of the Democratic majority in the chamber, and the telecom and tech industries were a critical source of campaign cash. (AT&T also employed at least one of de Leon’s former top advisers among its swarm of lobbyists.) Most of the chamber’s Democrats declined to go on the record supporting or opposing AB 375, fearful of enraging the state’s most powerful companies or privacy-minded anti-Trump voters. It never reached the floor, sparing them a painful vote. The reason for its demise remains murky. (Dan Reeves, a de Leon aide, says: “We said, if the author wants a vote, we’ll put it up for a vote. We never heard back from them.” Chau says he did ask for a vote. “The response from leadership then was, I didn’t have the support,” he says.) Now Chau had a second chance. Democratic leaders had resurrected his legislation, making a modified AB 375 the vehicle for a potential compromise with Mactaggart.

But when we arrived in his ­office, Chau seemed ill at ease. He had not yet heard from Facebook or Google, he told us, and did not really know what their position was. He spoke in bland generalities. “We’re in the process of reaching out to all the stakeholders to see whether we can build consensus,” Chau said. Mactaggart asked if the tech companies were being reasonable. Chau repeated himself, a nervous smile stuck on his face. “We’re reaching out to all potential stakeholders,” he said. After 15 minutes, Chau’s assistant interrupted to say that he had ­another meeting. We filed out. No one else appeared to be in Chau’s waiting room.

Outside, it was a beautiful California day, so we strolled along a footpath on the Capitol grounds. Mactaggart was struck by Chau’s evasiveness — and worried about the tech companies’ seeming ­silence. “If you are Facebook and Google, and you are serious about legislation and reform,” Mactaggart said, “you would think that it might make sense to go talk to the head of the committee that’s in charge of crafting the legislative response to this initiative.” It was possible the companies had abandoned compromise. It also was possible that everybody was playing a more complex game. State politicians didn’t want to cede policy­making authority to Mac­taggart and tech companies disliked his initiative so much they might be willing to come to a reasonable compromise with the legislature instead. If Democratic leaders were careful, they could devise a win-win bill Mactaggart and the industry would accept, that privacy activists would hail and that politicians could take credit for. But Mactaggart found the delays and secrecy maddening. His deadline was fast approaching. “Daylight’s burning,” he said.

For much of May, Chau and his counterpart in the California Senate, a politician named Robert Hertzberg, quietly tried to negotiate a compromise. Industry lobbyists flatly threatened to kill any bill with a private right of action. They also objected to forcing companies to disclose the names and contact information of every third party they shared data with, claiming it would be an impossible burden. (“The private right of action was something that many stakeholders did not like,” Chau told me later. “That is a true statement.”) In June, the two legislators sent their first draft to Mactaggart. He was not pleased. “They sent me a draft with no enforcement,” Mactaggart says. “There was zero creativity about how to solve the problem.” He told them no.

It began to dawn on at least some people that Mactaggart’s vote might be the most important one. Without it, Mactaggart’s ­initiative would move forward. There would be no win-win. Hertzberg, in particular, really wanted a deal. Where Chau is modest, Hertzberg, who represents the San Fernando Valley, is voluble and insistent. “I called Alastair — we had some friends in common,” Hertzberg says. Hertzberg proposed that Mactaggart take the pen. Mark it up however you want, he told Mactaggart, and I’ll bring your proposal back to the industry. On a Wednesday in mid-June, Mactaggart went to his lawyer’s office and got on the phone with a small group of negotiators, among them Hertzberg, Chau and an adviser to Common Sense Kids Action. Twelve hours later, they had an agreement, which Mactaggart and Common Sense Kids ­Action agreed to support. Hertzberg and Chau sent it off to the legislature’s lawyers to be formally drafted into a bill.

Mactaggart had agreed to whittle down his biggest stick: the private right of action would permit consumer lawsuits only in the case of a traditional data breach, as when your credit card information is stolen. And instead of naming every third party they shared your data with, companies would have to disclose only the kinds of data they were sharing, an obligation the companies already had to European consumers under GDPR. Many privacy activists hated the deal, and some of the same groups that had refused to support Mactaggart’s initiative now savaged him for compromising on it. The ACLU and EFF, both of which rely heavily on civil litigation to win advocacy battles, were particularly upset by the narrowed private right of action.

But as Mactaggart saw it, the core of his initiative remained ­intact — and was in some ways strengthened. Now you could see exactly what information Silicon Valley and the data brokers had collected about you. You could still demand that they stop selling or swapping your data. And if they ­refused, the California attorney-general could investigate and ­impose fines. Even in this reduced form, Mactaggart and Soltani ­believed, this would be the most stringent consumer privacy law in the US — the most significant step in years towards regulating the surveillance capitalists, and a proof of concept for activists and industry alike. If it passed, the tech industry could no longer claim that no one cared about privacy, or that data rules would kill jobs, or were too technically challenging. California’s attorney-general could police the entire industry, while other states worked on their own versions of the rules. “Under this law, the attorney-general of California will become the chief privacy officer of the United States of America,” Mactaggart argues. Eventually, it might drive the tech industry back to the negotiating table in Washington in hopes of getting a single national standard.

The next morning, Hertzberg summoned tech lobbyists to a meeting. They had a simple choice, he explained. They could agree to the deal or take their chances with Mactaggart in autumn. Hertzberg told the lobbyists they could probably scare his colleagues into killing this new bill, too. But Mactaggart’s initiative was polling extraordinarily well. To beat him in November, the tech industry and its allies — the cable companies, the data brokers and the financial companies and retailers that used their data for advertising — would have to mount a huge negative campaign, at considerable cost to their own image. “And if they do, we’ll be right back here next year,” Hertzberg told me later that day.

Legislative staff members had finished rewriting AB 375 and a deal seemed imminent. That Friday, as he drank his morning coffee, Mactaggart decided to read the new bill — the fine print — one more time. He noticed a seemingly minor alteration in one section, the kind of thing most people would skip over. Mactaggart ­realised it would completely gut what remained of the private right of action. Furious, he called Hertzberg and Chau and told them the deal was off. Neither legislator could explain who made the change, Mactaggart says, but Hertzberg scrambled to fix it. “In most negotiations, you are talking to all these different interest groups,” Hertzberg says. “This is a situation where we had to go and reach out to everyone and bring that information to Mr Mactaggart and ask him what he wanted to do.” By Monday morning, the deal was back on again.

That Tuesday, Facebook signalled it would not fight the bill. In a statement emailed to reporters, Castleberry said that “while not perfect, we support AB 375 and look forward to working with policymakers on an approach that protects consumers and promotes responsible innovation”. At hearings, industry representatives complained that they had been put in the impossible position of accepting the compromise or fighting a ballot initiative they had no power to change. “The internet industry will not obstruct or block AB 375 from moving forward,” the Internet Association announced, “because it prevents the even worse ballot initiative from ­becoming law in California.” Soltani wryly pointed out that Mac­taggart had offered Silicon Valley a take-it-or-leave-it privacy policy — the same kind that Silicon Valley usually offered everyone else.

That Thursday, California began voting on the bill. Mactaggart, who wore a blazer and khakis, watched from the Senate gallery with his wife. As the vote was called, Mactaggart kept his eyes on the electronic billboard where votes were recorded: one by one, almost every light flipped to green. They walked over to the lower house, where much the same scene unfolded. In the end, not a single politician in either chamber voted against the compromise.

Political power is a malleable thing, Mactaggart had learned, an elaborate calculation of artifice and argument, votes and money. People and institutions — in politics, in Silicon Valley — can seem all-powerful right up to the ­moment they are not. And sometimes, Mactaggart discovered, a thing that can’t possibly happen suddenly becomes a thing that cannot be stopped.

“It felt like a moment — people didn’t want to be on the wrong side of this issue,” Mactaggart says. A part of Mactaggart was already thinking ahead. The legislation would not take effect until 2020, and both the legislature and the tech industry would have a chance to amend the new law beforehand. In the weeks after the vote, as Silicon Valley’s accumulated troubles sent shares in Facebook and other tech companies plummeting anew, their lobbyists were back on the march. The Trump administration was convening meetings to discuss a new national privacy standard, one that would perhaps override California’s newly minted statute. There would be plenty of chances for mischief. But as he basks in the victory, Mactaggart is giddy, even emotional. “Everyone who could have blocked it didn’t,” he says. “When the system wants to work, it can.”

-

The New York Times