In 2018 , an initiative headed for the ballot led to a frantic and imperfect bargaining session in Sacramento. The outcome was the only comprehensive state consumer privacy law in the country, the California Consumer Privacy Act (CCPA).
As we pointed out then, CCPA, the result of the watering down of a stronger legislative proposal that had gotten marooned in the Legislature, had significant flaws. It was the best consumer privacy law in the country because it was basically the *only* consumer privacy law in the country.
In the years since, the Federal government has threatened , and failed, to pass national data privacy legislation that would pre-empt the CCPA. A powerful coalition of business groups made over a dozen legislative efforts to water down the CCPA even further in 2019 – and didn’t succeed. And the California Attorney General literally created a CCPA department from scratch and promulgated regulations to fill out the law which went fully into effect on July 1, 2020.
It seemed that California had reached, if not consumer privacy nirvana, a state of equilibrium.
But in the background, the author of the ballot initiative that ended up as the CCPA had other plans. Alastair MacTaggart, a multimillion dollar real estate developer and landlord, decided to put another ballot initiative on the November 2020 ballot – a CCPA take 2, as it were. He called it CPRA, and spent millions qualifying it for the ballot.
The text of CPRA is 53 pages long, consisting of a redline of the CCPA with changes to be found on almost every page. We can safely assume the majority of Californians who will be voting on it won’t actually be reading it. Even if they start out with good intentions, it’s pretty unlikely they will make it all the way through. So this important decision will be made by dueling ballot arguments, probably not the best way to craft legislation that will impact most every consumer transaction in one of the biggest economies in the world.
Process aside, we would love to tell you that the changes CPRA makes to the CCPA are all good. Or even tell you that the changes CPRA makes to the CCPA are all bad. But neither of those things would be true. Of the over 3 dozen changes that the November 2020 ballot initiative makes to the CCPA, some are bad and some are good.
But you can’t pick just the good ones and throw away the bad ones. And that imaginary process is the only way that we could endorse the CPRA. As the nursery rhyme goes: sometimes the CPRA is very, very good and sometimes the CPRA is very, very bad. And when it is bad, it is horrible.
Here is a short list of the horrible:
CPRA removes enforcement of data privacy laws from the CA DOJ and moves it to a new state privacy commission that will be newly created. Then CPRA gives this brand new agency that will have to get started from zero, a paltry budget of $5 million dollars a year with no additional funding guaranteed beyond what the agency can raise by penalizing companies for breaking the law. This incentivizes tackling easy cases and smaller companies that can’t afford top-flight legal defenses and pretty much assures the enforcement agency will be outgunned by big tech and multinational corporations.
CPRA expands the security exemption, which allows companies to retain data and personal information without your consent if the data is needed for security and anti-fraud measures. The newer, vaguer language creates a big loophole called “system integrity” that can mean just about anything and potentially reduces the efficacy of your opt-out substantially.
CPRA explicitly enhances the pay for privacy language in CCPA, which allows companies to charge you for “the value of your data” if you choose to opt out. Pay for privacy means that you can be financially penalized for choosing not to allow the sale of your personal information and it makes privacy a luxury for the affluent, instead of a human right available to all. By placing this language in a ballot initiative, CPRA makes it more difficult for the Legislature to change the existing pay for privacy language if companies abuse it, which is likely.
All three of these things make CPRA a downgrade from the current law and a giveaway to business that makes their privacy-deficient activities easier to conduct under California law. Big businesses have not objected to the ballot initiative and we can see why.
But the single most frustrating part of CPRA is that it is modifying a law that literally had not gone into effect before the signatures were collected. That means that all of these changes were developed with no real data on how CCPA worked and didn’t work.
It’s just one guy’s opinion as he forecasts the future. And that one guy is a multimillionaire who lives in Piedmont and may not understand the privacy challenges faced by a low-income single mother or a recently paroled inmate or an undocumented immigrant or any of a plethora of life experiences that he hasn’t experienced. An opinion is not the same as the track record of a law being used by 39 million California consumers.
We should get the data first. Vote no on Proposition 24.