Californians are set to vote on a new privacy law that would make sweeping changes to the CCPA regime. GDR has interviewed members from the campaigns supporting and opposing the proposal.
The California Privacy Rights Act (CPRA), which will appear as “Prop 24” on the state’s ballot on Tuesday, has made strange bedfellows, with both industry groups and some privacy advocates opposing the initiative. The former say more regulations will further burden the private sector, while the latter claim that the CPRA creates loopholes that will lead to further data exploitation.
But other privacy advocates, policy experts and lawyers support the measure. They are confident that Prop 24 will pass, and that it will make meaningful privacy enhancements – while also clarifying some existing ambiguities with the CCPA.
Simplifying the CCPA
Squire Patton Boggs of counsel Lydia de la Torre, who is a policy advisor for Californians for Consumer Privacy – the driving force behind both the CCPA and CPRA – says Prop 24 would settle some open questions about certain CCPA provisions.
For instance, there have been issues with how CCPA applies to multinational companies. The law says that if the CCPA applies to one corporate entity, then it also applies to the entire global organisation.
“This is a question that has created exposure for many organisations that might have their parent company outside of the US. They might not even hold data on US residents, but they operate under the same brand,” de la Torre told GDR. “So the question is, ‘Well, what does it mean if I’m subject to US law when I’m a foreign company?’”
The CPRA would simplify this by only covering organisations to the extent that they share Californians’ data, according to de la Torre.
CPRA would also clarify the longstanding debate over what constitutes a “sale” of data. The CCPA defines a “sale” as including any quid-pro-quo concept – including trading mailing lists, receiving price breaks in exchange for data – but California’s attorney general Xavier Becerra, who is tasked with enforcing the legislation, has not expressed how he intends to apply this definition.
The ambiguity over the term “sale” is one of the biggest issues for the adtech industry. Some advertisers and publishers have claimed an exemption from certain aspects of the CCPA when they share data with adtech vendors, because they say this sharing doesn’t constitute a sale – although a recent report from the Network Advertising Initiative has spotted pitfalls with this practice.
De la Torre said the CPRA would allow consumers to opt out of data “sharing,” which would render obsolete many of the questions about what it means to sell data.
“CPRA settles the debate … and requires businesses to provide consumers with a right to opt out of sharing in relation to cross-context behavioural advertising,” she said, explaining that “sharing” under CPRA is defined as transferring of or making available of ‘a consumer’s personal information by the business to a third party for cross-context behavioural advertising.’”
In addition to clarifying certain points of existing law, Prop 24 would also introduce new privacy protections, according to de la Torre.
CPRA would set data minimisation principles and prohibit the storage of personal information for longer than what is “reasonably necessary”.
It would also create a new category of “sensitive personal information” that is subject to additional restrictions. This would include certain financial, genetic, biometric and health information; precise geolocation; race and ethnicity; religion; union membership; content of certain communications; and information about sex life or sexual orientation.
The CPRA would also create new rights: Californians would be able to direct a business to limit the use of their data, and demand corrections to their data.
De la Torre admitted some of these new provisions will need clarification from enforcers if Prop 24 passes, but said California could learn from what’s being done in other jurisdictions.
“The one area where I think there will be more scratching of heads is the new rights, and the idea of sensitive personal information,” she said. “People will have to review their data maps to see where is the sensitive personal information, and whether it’s being used.”
Along with the pushback from the private sector, prominent groups like the American Civil Liberties Union and the Electronic Frontier Foundation came out against Prop 24.
That wasn’t always the case.
When Californians for Consumer Privacy head Alastair Mactaggart unveiled the “California Privacy Rights and Enforcement Act” last September, it had much more support amongst privacy advocates. At the very least, it was not met with active opposition, said Tracy Rosenberg, a volunteer for the campaign “No on Prop 24”.
But Mactaggart made the rounds with stakeholders, including Facebook and Google, and later released a new proposal. According to critics, the updated initiative was substantially watered down – as evidenced by removing the word “Enforcement” from the bill’s title.
Rosenberg, who runs Media Alliance – a Bay Area media organisation that focuses on privacy and other issues – told GDR that her ideal data protection legislation would set up an “opt-in” framework rather than the opt-out system established by the CCPA and most other privacy law. But beyond that, her specific gripes with CPRA include its overly broad definition of “publicly available information,” which she said would essentially legalise data scraping.
The CPRA defines “publicly available” as information lawfully made available by the government, or information “that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media”.
As written, businesses could interpret the CPRA to allow the collection of information from public social media accounts and similar platforms, leading to a Clearview AI-like situation, according to Rosenberg and other critics.
Law professors and others, including de la Torre, have said that restrictions on publicly available information would probably be unconstitutional.
“Including information that is public creates a high risk that the law will be found unconstitutional,” de la Torre said. “It’s difficult to make the case that [publicly available] information is private. And if it’s not private, then you’re creating these constraints for nothing.”
However, the possibility that a law might one day be challenged in court is not a good reason to erode privacy, said Rosenberg.
“Fundamentally, [CPRA would be] aiding and abetting behaviour we all agree that is problematic – because when people post pictures of a family outing at the park, they do not expect those pictures to be scraped by a third party that packages them and sells them to the police and [Immigration and Customs Enforcement],” she said. “So the fact that we’re sanctioning that activity because we’re worried that it would potentially be challenged in court, and that we would lose, is really too much of a concession to privacy-abusive behaviour.”
Another loophole Rosenberg identified in the CPRA is that it would allow credit agencies to process, collect, sell and disclose the names and contact information of business owners. Citing a February article from outlet Protocol, Rosenberg said emails between Mactaggart and a lobbyist show that the credit agencies were successfully able to lobby for this provision.
Along with these and other perceived loopholes in the 53-page bill, Rosenberg said the CPRA’s enforcement mechanisms are too weak.
The creation of an independent enforcement agency has been one of the most widely touted features of CPRA among its advocates. But critics say the $10 million proposed annual budget would make the agency woefully underfunded.
Mactaggart has resisted these criticisms. At a June hearing at the California legislative assembly, he said the proposed budget could fund roughly 40 staff, which is about the same number of people the Federal Trade Commission has working on privacy issues.
“This would have the same number of privacy professionals as the FTC has for the entire country,” Mactaggart said in June.
Rosenberg doesn’t find Mactaggart’s logic convincing.
“The FTC is not a good parallel because they haven’t been able to enforce federal laws, and they’re the first to admit it,” she said. “To use an example that ‘we’re slightly better than an inadequate federal regime’ – OK, maybe you are, but we need to open up the conversation of what would actually work.”
To Rosenberg and other privacy advocates, a comprehensive private right of action is the way to go – “then you have potentially unlimited legal resources,” she said.
Putting technical legal and policy arguments aside, Rosenberg said there seems to be a fundamental difference in values between the proponents and opponents of Prop 24.
During June’s legislative hearing, Mactaggart took exception to the allegations that his proposal damages privacy. “I have to kind of laugh at the thought that I’d spend all this time and money doing the first law, and then consciously try to sabotage the second law by spending more time and money on it,” he said.
Rosenberg said she doesn’t doubt Mactaggart’s intentions. However, he and many of his cohorts live in an upper socioeconomic stratum, which may limit their perspective on how important privacy protections are to most people.