CreditPhoto illustration by Delcan & Co.

The way Alastair Mactaggart usually tells the story of his awakening — the way he told it even before he became the most improbable, and perhaps the most important, privacy activist in America — begins with wine and pizza in the hills above Oakland, Calif. It was a few years ago, on a night Mactaggart and his wife had invited some friends over for dinner. One was a software engineer at Google, whose search and video sites are visited by over a billion people a month. As evening settled in, Mactaggart asked his friend, half-seriously, if he should be worried about everything Google knew about him. “I expected one of those answers you get from airline pilots about plane crashes,” Mactaggart recalled recently. “You know — ‘Oh, there’s nothing to worry about.’ ” Instead, his friend told him there was plenty to worry about. If people really knew what we had on them, the Google engineer said, they would flip out.

Mactaggart had spent most of his adult life in the Bay Area, running a family real estate business with his uncle. The rise of the tech industry had filled his condo developments with ambitious engineers and entrepreneurs, making Mactaggart a wealthy man. But he never really thought about how companies like Google or Facebook got so big so fast. The vast pools of data they collected and monetized were abstractions, something he knew existed but, as with plane crashes, rarely dwelt on.

Now he began to think about tech companies a lot. He started reading about online tracking and data mining. He discovered that the United States, unlike some countries, has no single, comprehensive law regulating the collection and use of personal data. The rules that did exist were largely established by the very companies that most relied on your data, in privacy policies and end-user agreements most people never actually read. Mactaggart began to scrutinize these policies closely, the way he read loan contracts and pored over offering plans. He learned that there was no real limit on the information companies could collect or buy about him — and that just about everything they could collect or buy, they did. They knew things like his shoe size, of course, and where he lived, but also roughly how much money he made, and whether he was in the market for a new car. With the spread of smartphones and health apps, they could also track his movements or whether he had gotten a good night’s sleep. Once facial-recognition technology was widely adopted, they would be able to track him even if he never turned on a smartphone.

CreditPhoto illustration by Delcan & Co. Capitol Building: Travelpix Ltd/Getty

All of this, he learned, was designed to help the real customers — advertisers — sell him things. Advertisers and their partners in Silicon Valley were collecting, selling or trading every quantum of Mactaggart’s self that could be conveyed through the click of a mouse or the contents of his online shopping carts. They knew if he had driven past that Nike billboard before finally buying those Air Force 1s. A website might quote him a higher price for a hair dryer if he lived in a particular neighborhood, or less if he lived near a competitor’s store. Advertisers could buy thousands of data points on virtually every adult in America. With Silicon Valley’s help, they could make increasingly precise guesses about what you wanted, what you feared and what you might do next: Quit your job, for example, or have an affair, or get a divorce.


And no one knew more about what people did or were going to do than Facebook and Google, whose free social and search products provided each company with enormous repositories of intimate personal data. They knew what you “liked” and who your friends were. They knew not just what you typed into the search bar late on a Friday night but also what you started to type and then thought better of. Facebook and Google were following people around the rest of the internet too, using an elaborate and invisible network of browsing bugs — they had, within little more than a decade, created a private surveillance apparatus of extraordinary reach and sophistication. Mactaggart thought that something ought to be done. He began to wonder whether he should be the one to do it.

You have 4 free articles remaining.

Subscribe to The Times

Mactaggart, who is 52 but boyish, did not think of himself as a radical. He often describes himself as a capitalist. He is the kind of man who wears chinos with a braided belt; it is easy to picture him on a sailboat. But his research on privacy had stirred something in him. “It’s like that Buddhist thing, where you walk past a mess and a mop and say, ‘Someone ought to clean up that mess,’ ” he says. “And eventually you realize you have to pick up the mop.”

Over evening walks around his neighborhood, Mactaggart batted around ideas for a new state law with his friend Rick Arney, a finance executive. But Arney, who worked in the California Legislature after business school, suggested a different approach. Instead of going through Sacramento, Arney suggested, they could put the question directly to the people of California, gathering signatures for a statewide ballot initiative. Mactaggart liked the idea. He also had the money to do something with it. Early last year, he hired a small staff, set them up in a two-room office in Oakland and began cold-calling privacy experts to figure out just what his initiative should say.

“I thought it was a joke at first, to be contacted by someone named ‘Alastair Mactaggart,’ ” says Chris Jay Hoofnagle, who teaches law at the University of California, Berkeley. Mactaggart was wary of proposing a sweeping law like the European Union’s General Data Protection Regulation, or G.D.P.R., fearing that Californians would find it mystifying and reject it. He wanted a solution that consumers would embrace and Silicon Valley could live with. “I don’t want to kill businesses — I’m a businessman,” Hoofnagle recalls Mactaggart’s telling him. “I just think the data use by these companies is out of control.”


Almost by accident, though, Mactaggart had thrust himself into the greatest resource grab of the 21st century. To Silicon Valley, personal information had become a kind of limitless natural deposit, formed in the digital ether by ordinary people as they browsed, used apps and messaged their friends. Like the oil barons before them, they had collected and refined that resource to build some of the most valuable companies in the world, including Facebook and Google, an emerging duopoly that today controls more than half of the worldwide market in online advertising. But the entire business model — what the philosopher and business theorist Shoshana Zuboff calls “surveillance capitalism” — rests on untrammeled access to your personal data. The tech industry didn’t want to give up its powers of surveillance. It wanted to entrench them. And as Mactaggart would soon learn, Silicon Valley almost always got what it wanted.

For most of its relatively brief existence, Silicon Valley has been more lightly regulated than almost any other major industry. The technology that drove the business was complex, and few lawmakers wanted to be seen as standing in the way of a new kind of wealth creation, one that seemed to carry no messy downsides like pollution or global economic collapse. Most of the biggest tech companies could simply ignore Washington — until they grew too big for Washington to ignore. When regulators finally threatened to intervene, the companies did what they were best at: They scaled up, this time not with software and servers but with phalanxes of lobbyists and lawyers.

Microsoft had virtually no Washington presence before the Justice Department filed an antitrust lawsuit against the company in the 1990s. As recently as 2003, Google retained just two outside lobbyists in Washington; over the next decade or so, as it became the world’s dominant search engine, the company became a Beltway heavyweight, hiring lobbyists, wooing regulators and funding the research behind hundreds of Google-friendly studies on competition, copyright law and other topics. By last year, Google’s parent, Alphabet, was spending more money on lobbyists than any other corporation in America.

Facebook, a decade younger than Google, built its political apparatus twice as fast, as if observing a kind of Moore’s Law of influence-peddling. When it went public in 2012, the company had 900 million users — less than half its current size — and earned a relatively modest profit of $53 million. Over the next several years, Facebook simultaneously became one of the world’s biggest collectors of personal data and a powerful presence in Washington and beyond. It acquired Instagram, a rival social media platform, and the messaging service WhatsApp, bringing Facebook access to billions of photos and other user data, much of it from smartphones; formed partnerships with country’s leading third-party data brokers, such as Acxiom, to ingest huge quantities of commercial data; and began tracking what its users did on other websites. Smart exploitation of all that data allowed Facebook to target advertising better than almost anyone, and by 2015, the company was earning $4 billion a year from mobile advertising. Starting in 2011, Facebook doubled the amount of money it spent on lobbying in Washington, then doubled it again. The company employed just 10 lobbyists in state capitals around the country in 2012, according to my analysis of data collected by the National Institute on Money in Politics. By the time Mactaggart and Arney began work on their privacy initiative, it had 67. The tech industry was particularly powerful in California, its home base, where it doled out millions in campaign contributions to state candidates and parties.

But until recently, companies like Facebook and Google also had something that Wall Street and Big Oil and the cable companies didn’t. To many people in Washington, they were the good guys. Through the Obama years, the tech industry enjoyed extraordinary cachet in Washington, not only among Republicans but also among Democrats. Partnering with Silicon Valley allowed Democrats to position themselves as pro-business and forward-thinking. The tech industry was both an American economic success story and a political ally to Democrats on issues like immigration. Google enjoyed particularly close ties to the Obama administration: Dozens of Google alumni would serve in the White House or elsewhere in the administration, and by one estimate Google representatives visited the White House an average of about once a week. But the Obama world had relationships with other firms too. Facebook’s chief operating officer, Sheryl Sandberg, served on a high-level Obama advisory council on jobs and held a fund-raiser for Obama’s re-election campaign at her home in Atherton, Calif. The founders of Twitter, LinkedIn and the app developer Zynga together contributed more than $2 million to a pro-Obama super PAC.

And increasingly, Silicon Valley had come to transform politics itself. As Mactaggart considered how to take on the data industry, he faced an American political establishment that saw the key to its future in companies like Google and Facebook — not because of whom they supported but because of what they did. The surveillance capitalists didn’t just sell more deodorant; they had built one of the most powerful tools ever invented for winning elections. Roughly the same suite of technologies helped elect Obama, a pragmatic liberal who promised racial progress and a benevolent globalism, and Trump, a strident nationalist who adeptly employs social media to stoke racial panic and has set out to demolish the American-led world order.

In Washington and in state capitals, this combination of wealth, prestige and ignorance had made the tech industry virtually unbeatable. They doled out campaign money to Republicans and Democrats alike. They had allies across the major think tanks and universities. Facebook alone belonged to more than four dozen trade associations and industry coalitions, political shields that could advance Facebook’s interests in battles that were too toxic for direct engagement. It supported the Anti-Defamation League and the American Council of the Blind, the American Conservative Union and the N.A.A.C.P. It disbursed millions of dollars in grants to tech-advocacy groups — including those that sometimes criticized them. Like the web of personal data it mined for profit, Silicon Valley’s political network was simultaneously immense, powerful and inscrutable.


Alastair MactaggartCreditJessica Chou for The New York Times
Ashkan SoltaniCreditJessica Chou for The New York Times
Rick ArneyCreditJessica Chou for The New York Times

Last fall, Hoofnagle introduced Mactaggart to a former graduate student of his named Ashkan Soltani, a highly regarded privacy researcher and consultant. The two men quickly struck up an intense email correspondence. Soltani had devoted most of his adult life to understanding digital surveillance and privacy, and he closely observed how the tech industry exerted its will in Washington. Soltani told Mactaggart that his privacy initiative would need a lot of work if he wanted it to survive. Mactaggart decided to hire him.

Soltani knew exactly how hard Facebook and Google would fight to protect their business model, because he had watched them do it before. In February 2012, senior officials from the Obama administration unveiled what some of them hoped would become a signature initiative of President Obama’s second term: a “consumer-privacy bill of rights.” The proposal called for limits on the data that companies were collecting and more control for consumers over how it was used, and the tech industry had at least some incentive to consider it: The previous year, Facebook and Google each entered into consent decrees with the Federal Trade Commission after regulators found that the companies had deceived users about their privacy policies. Soltani, then serving as an F.T.C. technologist, worked on both investigations, and his efforts helped highlight a more pervasive problem: Most consumers simply didn’t have the time or experience to navigate the personal-data economy on their own. “Silicon Valley’s model puts the onus on the user to decide if the bargain is fair,” Soltani told me recently. “It’s like selling you coffee and making it your job to decide if the coffee has lead in it.” When it comes to privacy, he said, “we have no baseline law that says you can’t put lead in coffee.”

White House officials believed at first that many tech companies were open to the administration’s ideas. But the following year, as a team of experts at Obama’s Commerce Department worked on drafting a detailed privacy bill, The Guardian and The Washington Post began publishing an explosive series of articles about United States government surveillance programs. Relying on thousands of documents provided by Edward Snowden, a former contractor for the National Security Agency, the articles revealed how the N.S.A. was collecting rivers of personal data — emails, photos, instant-message conversations — from nine leading internet companies, including Google, Facebook, Yahoo and Microsoft. Soltani by then had left the F.T.C. and joined The Post as a consultant on the series, working on articles that showed how the N.S.A. had collected hundreds of thousands of user address books from email providers and even hacked into the private networks that companies like Google and Yahoo use to transport their data.

The Snowden scandal robbed Obama’s consumer proposal of both momentum and moral authority. Stung by the perception that it had colluded with United States spy agencies, Silicon Valley demanded that the government regulate itself instead, allying with civil liberties groups to push for legislation reining in the N.S.A. Over the next several months, scores of tech executives flew to Washington for high-level meetings with Obama, including Sandberg, who also sat with Obama’s new commerce secretary, Penny Pritzker, the Chicago billionaire who was the co-chairwoman of his re-election campaign.


In early 2014, Pritzker traveled to Silicon Valley for a highly publicized listening tour. She hailed the tech industry as a model for government — a partner, not an antagonist. Data, she proclaimed, was “the fuel of the 21st century.” Pritzker’s tour included visits to eBay, Google and the Menlo Park campus of Facebook, where she met again with Sandberg. The women discussed an array of issues, including consumer privacy and how to ensure that American tech businesses remained competitive around the world. Two former Obama administration officials told me that those conversations appeared to have shaped Pritzker’s early views on privacy. “Our goal at the Department of Commerce as a service organization is to support you, whether you are a researcher, inventor, entrepreneur, mentor or investor,” Pritzker told her audience at a start-up accelerator in Sunnyvale.

When the Obama administration finally returned to its consumer-privacy bill the following fall, Pritzker and her team voiced concerns about its sweep and scope, according to former Obama officials I spoke with. Pritzker wanted to make sure the bill could win industry support, and with it, Republican support. In January 2015, her office persuaded the White House to delay public release of the draft, which had been planned to coincide with an Obama speech at the F.T.C. Instead, her aides began previewing the bill in dozens of meetings with different business executives and lobbyists. According to the former Obama officials, the industry raised a host of objections. Facebook and Google, in particular, objected to how many kinds of data the rules covered, which included not only conventional personal information like Social Security numbers but also data linked to particular devices, which was critical to compiling the digital dossiers relied on by the advertising industry. (Facebook disputed that account.) Jim Hock, Pritzker’s chief of staff at Commerce and now a spokesman for her private investment firm, PSP Partners, says Pritzker weighed all points of view. “No one meeting was more important than another,” he says.

But when consumer advocates were finally shown the new draft, they were furious. The bill now had a welter of exceptions and carve-outs. It drastically scaled back financial penalties and did not specifically protect location data. More broadly, it seemed to retreat from the idea of consumer privacy as an inherent right. Most of the bill’s protections applied only if collecting or using a given piece of information posed a serious risk of economic or emotional harm. That March, Washington’s leading consumer-privacy groups signed an open letter criticizing the Obama proposal, arguing that it did not do nearly enough. The Internet Association, a trade group representing Google, Facebook, Amazon and other companies, also weighed in, attacking the bill as overbroad and burdensome. “The feeling was that it didn’t do much, and no one really liked it,” Soltani told me.

The White House did little to advance the draft. Obama aides were focused on a different legislative battle: That June, with backing from tech companies, Congress passed the USA Freedom Act, a major reform of N.S.A. surveillance that also positioned Silicon Valley as a champion of civil liberties. Less attention was paid when, a few days later, a working group that the administration had convened to address concerns about facial recognition collapsed. Industry representatives had refused to endorse the principle that companies would need to secure people’s consent before scanning their faces on a public street. Any notion that Washington would produce wide-ranging privacy reform was dead. Silicon Valley had won.

Soltani and Mactaggart first met in person last fall, at the offices of Mactaggart’s lawyer in Oakland. Soltani had been on a kind of sabbatical, touring the country in a van and visiting national parks: A stint at the Obama White House was cut short when Soltani was denied his security clearance. (In privacy circles, the decision was widely viewed as retribution for his work on the Snowden series.) Soltani, who is 43, wondered whether Mactaggart would turn out to be a dilettante. Yet as the two men worked to revise the proposal, Soltani found himself increasingly impressed. “I’ve worked with people who have an ax to grind, who have an agenda,” he told me. “Alastair’s agenda was: First, just do some good. And then it was: Do something about privacy. And then it was: Do something about data privacy.”

The language of the resulting ballot initiative, which Mactaggart finalized last November, reflected lessons from the painful failure of Obama privacy’s initiative. It wasn’t called a “bill of rights.” And on its face, it was not a frontal attack on the giants of Silicon Valley. Mactaggart’s proposal instead took aim at the so-called third-party market for personal data, in which companies trade and sell your information to one another, mostly without your knowing about it.

Under the proposed law, every California consumer could demand, from most large businesses, an outline of his or her digital dossier, showing what categories of personal information the company had collected. Mactaggart and Soltani included nearly every category of personal information that they could think of: not only whether the companies had collected your name and address but also if they had collected your browsing history, your fingerprints, your face scans or your location data. They would also be required to inform consumers if they were drawing “inferences,” the sophisticated guesses companies make about, say, your dating habits or your taste in convertibles. And if consumers didn’t like the deal, they could “opt out,” demanding that companies no longer sell or share any data in a given category.


The ballot initiative had significant implications for the Silicon Valley giants, however. If adopted, Mactaggart and Arney hoped, it would cripple the tech industry’s “notice and choice” consent model, where companies dictated all the terms of service up front, forcing consumers to either agree or find a different app. As more people opted out of data sharing, they believed, the rules would slowly dry up the supply of personal information that companies could buy or trade on the open market. “Third-party tracking would essentially end,” Mactaggart says. “So when you log in to Spotify, you wouldn’t be logging into, like, 100 partners. You wouldn’t have 75 percent of the websites in the world looking over your shoulder.”

Still, Mactaggart and Soltani imagined their rules to be comparatively light-touch, a way to inhibit only the most invasive and creepy kinds of commercial surveillance while leaving Silicon Valley to thrive. Imposing them in California, the beating heart of the tech industry, offered another advantage. Through California’s referendum process, they could end-run the entire tangle of interests that had stymied the Obama bill in Washington. And if they succeeded, the effect would ripple far beyond the state’s borders: Any company in the world that wanted to do business with California’s 40 million residents would need to follow California’s rules. Mactaggart liked to compare it to California’s strict auto-emissions standards, which forced the world’s automakers to develop cars that guzzle less fossil fuel.

But Soltani also knew how aggressively the tech companies used their connections in state capitals. In 2015, a Facebook user named Carlo Licata filed suit in Illinois, arguing that the company’s photo “tagging” feature, which automatically identified Facebook users in photos uploaded to the site, violated his privacy rights. Illinois is among the few states in the country with a strict law governing biometric data, the 2008 Illinois Biometric Information Privacy Act, which requires companies to obtain explicit consent before collecting fingerprints, voiceprints or a “scan of hand or face geometry.” (“Illinois only has this law because it recognized the need to protect biometrics before Silicon Valley began trying to control state legislation,” says Jay Edelson, a plaintiff’s lawyer in Chicago who represents Licata.) Other Facebook users in Illinois filed similar suits, which were consolidated and transferred to a federal court in California. Facebook argued that the Illinois law did not specifically apply to its methods for identifying people in photographs. The judge disagreed, ruling in May 2016 that the lawsuit could proceed.

Just weeks later, the original sponsor of the Illinois privacy act, a genial Chicago-area lawmaker named Terry Link, abruptly proposed an amendment to his own law. The amendment clarified that digital photographs did not count as a source of biometric information and that the law only protected facial scans conducted “in person.” A Facebook official told me that the company had provided Link with suggestions for clarifying the law, not the language itself. But in a recent interview, Link recalled that the amendment language was given to him directly by a lawyer for Facebook. (Link did not specify who, and would not comment on why he had pursued the amendment in the first place.) Indeed, the amendment, introduced with only a few days left in the year’s legislative session, seemed tailored to buttress Facebook’s arguments in the California lawsuit, leaving Facebook and other companies free to create face scans from digital pictures without consent.

Link had attached his amendment to a bill that was already sailing through the Legislature, an otherwise bland measure dealing with state procedures for unclaimed property. After national privacy groups leapt into action, Link withdrew the amendment. This April, the judge certified Licata’s case as a class action, applying to as many as eight million Facebook users in Illinois. If Facebook loses, the company could face a judgment as high as $40 billion.

Elsewhere, the tech industry has had more success fending off efforts to regulate facial recognition. Last year, at least five other states considered passing legislation regulating the commercial use of biometrics. Only one, Washington, actually passed a law — and it includes precisely the loophole that tech interests sought to carve out in Illinois, excluding “a physical or digital photograph, video or audio recording or data generated therefrom.” The exception covers facial scans and even voiceprints — the kind of technology that Amazon, based in Washington, uses to power Alexa, the virtual assistant that has a microphone in millions of American homes.

Almost immediately after Mactaggart and his friend Rick Arney submitted their final ballot language to the state in November, officials at Facebook and Google sent identical requests: Could they meet in person to discuss the proposal? It was the first time Mactaggart and Arney had heard from either company, and the alacrity of the response was a little intimidating. They decided to talk.


Arney met with three Google representatives, including Mufaddal Ezzy, a former aide in the State Legislature who runs Google’s California lobbying operation. They had lunch in a private room at San Francisco’s Wayfare Tavern, a trendy downtown restaurant with taxidermied heads of wild game on the walls. The executives were friendly, Arney recalls, but mostly they were confused, even a little disconcerted. “Google’s angle was, No. 1, ‘Who are you?’ ” he told me recently, with a chuckle. No one in tech had ever heard of Arney and Mactaggart. They didn’t understand why a finance guy and a real estate developer cared so much about privacy. One asked whether either of the two men were planning to run for office. Eventually, the idea was floated that they all work together on an alternative to Mactaggart’s initiative — a piece of legislation in Sacramento, where they could all have input. “Their idea was that we could fix this in the State Legislature,” Arney says.

Facebook seemed to have different worries, Mactaggart told me. Mactaggart’s uncle was friends with a former San Francisco city official who had gone to work for Facebook. The friend reached out to arrange a meeting with Facebook’s vice president for state and local policy: Will Castleberry, a gravel-voiced veteran of the tech and telecom industry. When Castleberry met Mactaggart and Arney at a different San Francisco restaurant in December, Mactaggart found him charming and sincere. “A lot of people who we talked to told us these were evil people,” Mactaggart said later. “But they seemed nice.”

Castleberry praised Mactaggart’s proposal but asked whether he was willing to rewrite it. Facebook’s chief concern, he said, was a feature of the proposal called a “private right of action.” Unlike the Obama bill, which left most enforcement to the F.T.C., Mactaggart proposed letting consumers sue companies that violated the law. (Illinois had included such a right in its biometrics law, allowing Licata to sue Facebook.) Facebook feared that if interpretation of the new rules was left to juries, rather than regulators, it would take years just to determine what the company’s compliance obligations were. “We support more disclosure in principle,” Castleberry explained to me. “But the stakes are just much higher with the private right of action.”

Mactaggart wanted to make sure his bill had teeth. But as a businessman, he said, he was sympathetic to Facebook’s concerns. He urged Facebook to send him some alternative language. “We thought, Gosh, if Facebook came back with something reasonable, and we could get behind it, that would be a win-win,” he recalls.

But as Mactaggart waited, the tech companies — and other industries dependent on free data — were preparing to crush him. In January, California’s Chamber of Commerce filed paperwork to register a group called the Committee to Protect California Jobs. The committee soon collected six-figure contributions from Facebook, Google and three of the country’s biggest internet service providers: Comcast, Verizon and AT&T. The money paid for polling, which showed that Californians indeed had ample concerns about privacy, and to retain Gale Kaufman, a respected Democratic referendum specialist with close ties to the state’s labor unions. The group also hired Steven Maviglio, a prominent Democratic public-relations consultant whose clients included the Democratic speaker of the California State Assembly. Silicon Valley was girding for war.

Mactaggart and his team didn’t find out what was happening until March, when the Committee to Protect California Jobs was required to disclose its donors and spending. He and Arney believed the opposition had made a blunder: They had shown their hand before Mactaggart’s initiative had even qualified for the fall ballot. But the battle ahead looked to be ugly. “ ‘Full employment for trial lawyers’ — and that’s just the tip of the iceberg of this poorly-written-by-a-multi-millionaire’s measure,” Maviglio tweeted. Within a few weeks, the committee was circulating talking points to California sheriffs and prosecutors, claiming that Mactaggart’s proposal would make it harder for cops to foil kidnappings or quickly track down criminals like the San Bernardino shooter. “It was like, ‘Welcome to the N.F.L.,’ ” Mactaggart recalls. “It was a reminder of how small we were. These were the biggest corporations in the world.”


Mactaggart also knew that the tech and cable money, while less than the $2 million he had so far put into his own campaign, was only just the start. His own consultants warned him that the Committee to Protect California Jobs would most likely raise $100 million or more by Election Day. Mactaggart was rich. But he wasn’t that rich.

In March, as Mactaggart’s canvassers were gathering signatures to qualify for the November ballot, Facebook made a surprise announcement — one that would change everything. In a statement posted on its website late one Friday evening, the company said it was suspending a political analytics firm called Cambridge Analytica from its platform after it had “received reports” that Cambridge had improperly obtained and held data about Facebook users. The source of those reports became clear the following day, when reporters at The Times and The Observer of London revealed that a contractor for Cambridge had harvested private information from more than 50 million Facebook users, exploiting the social-media activity of a huge swath of the American electorate and potentially violating United States election laws. Within weeks, Facebook acknowledged that as many as 87 million users might have been affected, marking one of the biggest known data leaks in the company’s history.

The Cambridge Analytica scandal engulfed Facebook, sending the company’s stock price plunging and setting in motion the worst crisis in the company’s history. Cambridge executives had long bragged about deploying powerful “psychographic” voter profiles to manipulate voters. Now Facebook was forced to acknowledge that Cambridge had used voters’ own Facebook data to do it. The damage was not only legal and political — Facebook faced lawsuits and new inquiries by regulators in Brussels, London and Washington — but also reputational. Silicon Valley’s public image had survived the Snowden revelations. But tech companies, already implicated in the spread of “fake news” and Russian interference in the 2016 election, were no longer the good guys. When Arney took one of his sons canvassing on the train, it was suddenly easy to get people to sign their ballot petition. “After the Cambridge Analytica scandal, all we had to say was ‘data privacy,’ ” he told me.

The scandal forced Facebook to take complaints about privacy more seriously — or, at least, to sound as if it did. “I’m not sure we shouldn’t be regulated,” Mark Zuckerberg, the company’s chief executive, told CNN. Mactaggart pressed the advantage, posting an open letter accusing Zuckerberg of misleading Facebook users, then calling up media outlets to remind them that Zuckerberg’s company was, at that moment, financing a campaign to stop new privacy regulations in California. When Zuckerberg appeared before Congress, in April, he again appeared contrite. “We didn’t take a broad-enough view of our responsibility, and that was a big mistake,” Zuckerberg told lawmakers. The next day, Facebook announced that it would no longer contribute money to the Committee to Protect California Jobs.

Yet even as his canvassers racked up petition signatures from voters in the state, Mactaggart was being spurned by almost every prominent privacy group in the country. Like any other movement, the world of privacy experts has its radicals and moderates, feuds and schisms. In the wake of the Cambridge revelations, some advocates in Washington and California called for regulations, similar to Europe’s G.D.P.R., that were much more sweeping than what Mactaggart proposed; some privacy advocates told me that they feared his initiative would crowd out their own, more sweeping proposals. (Whereas Mactaggart’s initiative allowed consumers to “opt out” of data sales between companies, G.D.P.R., which went into effect across the continent in May, required companies to obtain consumers’ permission for collecting the information in the first place.) Once voters approved Mactaggart’s initiative, these critics pointed out, California lawmakers would need to muster an almost unobtainable supermajority to amend it.

The Electronic Frontier Foundation, the storied advocacy group based in San Francisco, did not endorse Mactaggart’s proposal. Neither did the American Civil Liberties Union or Common Sense Kids Action, an influential group also headquartered in San Francisco, that has pressed for restrictions on the collection of children’s data. Samantha Corbin, a lobbyist in Sacramento for both Common Sense Kids Action and the E.F.F., tweeted in late March that she couldn’t support Mactaggart’s proposal because it did not require that companies get people’s permission to use their data. “Informed consent to use personal data is critical to privacy & democracy,” Corbin tweeted.

Corbin did not mention her firm’s new client: the Committee to Protect California Jobs. Still at work for its remaining backers, the committee had hired Corbin’s firm in February. According to Corbin, the industry coalition wanted her to provide an overview of existing privacy rules as well as areas of potential compromise with the other privacy activists, a move that could further isolate Mactaggart. Such an alliance would not have been totally unprecedented. Despite disagreements over consumer rules, tech companies have contributed millions of dollars to groups like the E.F.F. and the Washington-based Center for Democracy and Technology while working closely with some of them in pushing for post-Snowden surveillance reforms. “Sometimes politics makes for strange bedfellows,” Corbin told me by email, when I asked about the payment. “I can tell you there was plenty to concern industry and privacy groups alike about the ballot initiative.”


Facebook, for its part, contacted the C.D.T., asking the center’s top expert on data-privacy protection, Michelle De Mooy, to help develop an alternative to Mactaggart’s proposal — language that could be submitted to lawmakers in Sacramento, either replacing or pre-empting Mactaggart’s proposal. De Mooy told me that after some initial discussions, she turned them down, in part because Mactaggart did not seem interested in further compromise, but also because he seemed likely to succeed. “They were looking for options,” De Mooy says of Facebook. “Ultimately, we said that that wasn’t something we were going to do.” But C.D.T. also remained neutral.

Facebook chose that moment to make another direct appeal to Mactaggart. The company had developed a legislative counterproposal, which in April Will Castleberry emailed to Mactaggart, copying De Mooy. Mactaggart read it on a plane, flying back from a memorial service in Canada. He wasn’t impressed. It was vague about data collected from mobile phones, and it appeared to exclude Facebook’s own network of “like” and “share” buttons around the Web, one of the company’s chief means of tracking consumers when they weren’t on Facebook. And while it limited the sale of data, it seemed to allow companies to make deals to swap data back and forth, potentially a major loophole.

But Mactaggart didn’t want to waste his money on a ballot fight if he could get a deal in Sacramento — and now that his initiative looked sure to get on the ballot, lawmakers in Sacramento had taken a renewed interest in passing their own privacy bill. Some privacy groups, including Common Sense Kids Action, were already negotiating with them. “I’m a real estate developer,” Mactaggart told me later, describing his thinking. “I’ve never gotten everything I want, ever. If the legislature passed my entire bill, I’m fine. And if it was almost as good — sure. Who needs to have a fight for the sake of having a fight?”

A few weeks later, I had lunch with Mactaggart and Arney at a sushi place near the Capitol. We were joined by Robin Swanson, Mactaggart’s campaign consultant, herself a former senior aide in the Legislature. Everyone was in a good mood. They had recently submitted more than 629,000 signatures to qualify Mactaggart’s initiative for the ballot, nearly twice the required minimum, and a Republican candidate for governor had endorsed his proposal during a public debate, surprising even Mactaggart. “Zuckerberg testifying helped us,” he said. “He has the name, he has the face. He ripped off 87 million people.”

Nevertheless, Mactaggart was willing to compromise. He had told California lawmakers that he would drop his campaign if they could pass a reasonable privacy bill by June 28, the legal point of no return for formally withdrawing his initiative from the ballot. Mactaggart and his team were scheduled to meet Ed Chau, a mild-mannered lawmaker from outside Los Angeles who leads the Assembly’s committee on privacy and consumer protection. Chau had been designated as the Assembly’s chief negotiator on a potential deal between industry and privacy advocates. After lunch, we all walked over to the Capitol and filed into Chau’s fifth-floor office, where staff members had promised Mactaggart an update on the negotiations.

Many privacy advocates in California regarded Chau as their champion. In 2017, he tried to pass a bill that would have required cable companies and other internet service providers to obtain customers’ consent before selling their browsing history and other sensitive personal data. Known as AB 375, the bill was designed to replicate a popular Obama-era regulation that Trump and Republicans in Congress overturned during Trump’s first months in office. To get it done quickly, Chau employed the very same tactic the tech industry had used in Illinois, gutting a different bill that had already passed the Assembly and inserting the broadband privacy provisions. “California is going to restore what Washington stripped away,” he pledged at a news conference.

But Chau’s bill had quickly run into a series of roadblocks. The Senate leader at the time was Kevin de León, a prominent and ambitious Democrat from Los Angeles. Because Chau had replaced his original bill with a totally new one, the rules committee that de León leads initially required the legislation to be “triple-referred,” a rare legislative maneuver under which three different committees are entitled to inspect and approve the bill. (Ultimately, it was required to clear only two committees.) When the bill survived referral, Democratic leaders took over the legislation and began revising it, largely freezing Chau and the privacy groups out of the process. In the waning days of last year’s legislative session, a huge coalition of industry groups, data brokers and tech companies signed a joint letter opposing the privacy legislation.


Some privacy advocates believed de León was deliberately setting up Chau’s bill to fail. While de León is a progressive Democrat — he is now seeking to oust his fellow Democrat Dianne Feinstein from her United States Senate seat — he has also had a long relationship with AT&T, among the most feared and influential companies in Sacramento. As Senate leader, de León was responsible for the health and size of the Democratic majority in the chamber, and the telecom and tech industries were a critical source of campaign cash. (AT&T also employed at least one of de León’s former top advisers among its swarm of lobbyists.) Most of the chamber’s Democrats declined to go on the record supporting or opposing AB 375, fearful of enraging either the state’s most powerful companies or privacy-minded anti-Trump voters. It never reached the floor, sparing them a painful vote. The reason for its demise remains murky. (Dan Reeves, a de León aide, told me: “We said, if the author wants a vote, we’ll put it up for a vote. We never heard back from them.” Chau says he did ask for a vote. “The response from leadership then was, I didn’t have the support,” he says.) Now Chau had a second chance. Democratic leaders had resurrected his legislation, making a modified AB 375 the vehicle for a potential compromise with Mactaggart.

But when we arrived in his office, Chau seemed ill at ease. He had not yet heard from Facebook or Google, he told us, and did not really know what their position was. He spoke in bland generalities. “We’re in the process of reaching out to all the stakeholders to see whether we can build consensus,” Chau said. Mactaggart asked if the tech companies were being reasonable. Chau repeated himself, a nervous smile stuck on his face. “We’re reaching out to all potential stakeholders,” he said. After 15 minutes, Chau’s assistant interrupted to say that he had another meeting. We filed out. No one else appeared to be in Chau’s waiting room.

Outside, it was a beautiful California day, so we strolled along a footpath on the Capitol grounds. Mactaggart was struck by Chau’s evasiveness — and worried about the tech companies’ seeming silence. “If you are Facebook and Google, and you are serious about legislation and reform,” Mactaggart said, “you would think that it might make sense to go talk to the head of the committee that’s in charge of crafting the legislative response to this initiative.” It was possible that the companies had abandoned compromise. It was also possible that everybody was playing a more complex game. State lawmakers didn’t want to cede policymaking authority to Mactaggart, and tech companies disliked his initiative so much that they might be willing to come to a reasonable compromise with the Legislature instead. If Democratic leaders were careful, they could devise a win-win: A bill that Mactaggart and the industry would accept, that privacy activists would hail and that lawmakers could take credit for. But Mactaggart found the delays and secrecy maddening. His deadline was fast approaching. “Daylight’s burning,” he said.

We got in his SUV and headed back to Oakland. I asked him whether he thought Chau could deliver a bill that would satisfy him and still pass the Legislature. But Mactaggart took my question both more broadly and more personally: What would happen if he failed? “These companies know so much about you,” Mactaggart said as he drove. “And as time goes on, it is only going to get worse and worse.” Approaching Oakland, we drove past the Benicia refinery, a small mountain of pipes and distillation towers looming over an inlet of San Francisco Bay. Mactaggart suggested that the refinery, originally constructed for Exxon in the 1960s, could never be built there today, given California’s strict environmental-impact laws. Reform movements of earlier eras had managed to rein in Big Oil, Mactaggart noted. It was time for Big Tech to face a similar reckoning.

For much of May, Chau and his counterpart in the California Senate, a lawmaker named Robert Hertzberg, quietly tried to negotiate a compromise. Industry lobbyists flatly threatened to kill any bill with a private right of action. They also objected to forcing companies to disclose the names and contact information of every third party they shared data with, claiming it would be an impossible burden. (“The private right of action was something that many stakeholders did not like,” Chau told me later. “That is a true statement.”) In June, the two lawmakers sent their first draft to Mactaggart. He was not pleased. “They sent me a draft with no enforcement,” Mactaggart said. “There was zero creativity about how to solve the problem.” He told them no.

It began to dawn on at least some people that Mactaggart’s vote might be the most important one. Without it, Mactaggart’s initiative would move forward. There would be no win-win. Hertzberg, in particular, really wanted a deal. Where Chau is modest, Hertzberg, who represents the San Fernando Valley, is voluble and insistent, with a slicked-back mane of hair and a steady borscht-belt patter. “I called Alastair — we had some friends in common,” Hertzberg told me. Hertzberg proposed that Mactaggart take the pen. Mark it up however you want, he told Mactaggart, and I’ll bring your proposal back to the industry. On a Wednesday in mid-June, Mactaggart went to his lawyer’s office and got on the phone with a small group of negotiators, among them Hertzberg, Chau and an adviser to Common Sense Kids Action. Twelve hours later, they had an agreement, which Mactaggart and Common Sense Kids Action agreed to support. Hertzberg and Chau sent it off to the Legislature’s lawyers to be formally drafted into a bill.

Mactaggart had agreed to whittle down his biggest stick: The private right of action would permit consumer lawsuits only in the case of a traditional data breach, as when your credit-card information is stolen. And instead of naming every third party they shared your data with, companies would have to disclose only the kinds of data they were sharing, an obligation the companies already had to European consumers under G.D.P.R. Many privacy activists hated the deal, and some of the same groups that had refused to support Mactaggart’s initiative now savaged him for compromising on it. The A.C.L.U. and E.F.F., both of which rely heavily on civil litigation to win advocacy battles, were particularly upset by the narrowed private right of action.


But as Mactaggart saw it, the core of his initiative remained intact — and was in some ways strengthened. Now you could see exactly what information Silicon Valley and the data brokers had collected about you. You could still demand that they stop selling or swapping your data. And if they refused, the California attorney general could investigate and impose fines. Even in this reduced form, Mactaggart and Soltani believed, this would be the most stringent consumer-privacy law in the country — the most significant step in years toward regulating the surveillance capitalists, and a proof of concept for activists and industry alike. If it passed, the tech industry could no longer claim that no one cared about privacy, or that data rules would kill jobs, or were too technically challenging. California’s attorney general could police the entire industry, while other states worked on their own versions of the rules. “Under this law, the attorney general of California will become the chief privacy officer of the United States of America,” Mactaggart argued. Eventually, it might drive the tech industry back to the negotiating table in Washington, in hopes of getting a single national standard.

The next morning, Hertzberg summoned tech lobbyists to a meeting. They had a simple choice, he explained. They could agree to the deal, or take their chances with Mactaggart in the fall. Hertzberg told the lobbyists they could probably scare his colleagues into killing this new bill, too. But Mactaggart’s initiative was polling extraordinarily well. To beat him in November, the tech industry and its allies — the cable companies, the data brokers and the financial companies and retailers that used their data for advertising — would have to mount a huge negative campaign, at considerable cost to their own image. “And if they do, we’ll be right back here next year,” Hertzberg told me later that day.

Legislative staff members had finished rewriting AB 375, and a deal seemed imminent. That Friday, as he drank his morning coffee, Mactaggart decided to read the new bill — the fine print — one more time. He noticed a seemingly minor alteration in one section, the kind of thing most people would skip over. Mactaggart realized it would completely gut what remained of the private right of action. Furious, he called Hertzberg and Chau and told them the deal was off. Neither lawmaker could explain who made the change, Mactaggart told me, but Hertzberg scrambled to fix it. “In most negotiations, you are talking to all these different interest groups,” Hertzberg told me recently. “This is a situation where we had to go and reach out to everyone and bring that information to Mr. Mactaggart and ask him what he wanted to do.” By Monday morning, the deal was back on again.

That Tuesday, Facebook signaled that it would not fight the bill. In a statement emailed to reporters, Will Castleberry said that “while not perfect, we support AB 375 and look forward to working with policymakers on an approach that protects consumers and promotes responsible innovation.” At hearings, industry representatives complained that they had been put in the impossible position of either accepting the compromise or fighting a ballot initiative they had no power to change. “The internet industry will not obstruct or block AB 375 from moving forward,” the Internet Association announced, “because it prevents the even-worse ballot initiative from becoming law in California.” Soltani wryly pointed out that Mactaggart had offered Silicon Valley a take-it-or-leave-it privacy policy — the same kind that Silicon Valley usually offered everyone else.

That Thursday, California lawmakers began voting on the bill. Mactaggart, who wore a blazer and khakis, watched from the Senate gallery with his wife. As the vote was called, Mactaggart kept his eyes on the electronic billboard where votes were recorded: One by one, almost every light flipped to green. They walked over to the Assembly, where much the same scene unfolded. In the end, not a single lawmaker in either chamber voted against the compromise.

Political power is a malleable thing, Mactaggart had learned, an elaborate calculation of artifice and argument, votes and money. People and institutions — in politics, in Silicon Valley — can seem all-powerful right up to the moment they are not. And sometimes, Mactaggart discovered, a thing that can’t possibly happen suddenly becomes a thing that cannot be stopped.

I spoke to Mactaggart shortly after the vote. “It felt like a moment — people didn’t want to be on the wrong side of this issue,” he observed. A part of Mactaggart was already thinking ahead. The legislation would not take effect until 2020, and both the Legislature and the tech industry would have a chance to amend the new law beforehand. In the weeks after the vote, as Silicon Valley’s accumulated troubles sent shares in Facebook and other tech companies plummeting anew, their lobbyists were back on the march. The Trump administration was convening meetings to discuss a new national privacy standard, one that would perhaps override California’s newly minted statute. There would be plenty of chances for mischief. But as he basked in the victory, Mactaggart was giddy, even emotional. “Everyone who could have blocked it didn’t,” he said. “When the system wants to work, it can.”

Nicholas Confessore is a political investigative reporter for The Times and a writer at large for the magazine. He last wrote about how to get rich in Trump’s Washington.