The Gloves are Off: CPRA's High-Level Messaging
Recently I published a series of blog posts on the EU’s General Data Protection Regulation (GDPR) and on the California Consumer Privacy Act (CCPA), and then compared the two at both a high and detail level. I am now looking at “Version 2.0” of the CCPA, which is a November 2020 ballot initiative called the California Privacy Rights Act (CPRA). This would be the most sweeping privacy and data protection law in the United States and would certainly make California on par with the EU in terms of extending privacy rights to their respective residents/citizens.
In my last blog post I looked at the path the CPRA took to being on the ballot, and how it was not a separate law but an uber set of amendments to the existing CCPA law, making it truly a major upgrade / Version 2.0. In this blog post I will look at how voters will see this initiative presented to them at the ballot box and how the group behind the CRPA (Californians for Consumer Privacy aka CCP) is positioning the initiative to voters.
How the Initiative Will Be Presented to California Voters
After Californians for Consumer Privacy — aka CCP and therefore the “proponents” of the ballot initiative — filed the final version of their initiative with the State of California in November of 2019, a month later the California Attorney General released the official title and summary of the ballot initiative. If the initiative meets the certified signature threshold and deadline by the end of June 2020 (which appears likely), and the proponents and the state legislature don’t cut a deal ala the CCPA (see this blog post for details), then this is what voters will see on their ballots as a description of the CRPA:
“AMENDS CONSUMER PRIVACY LAWS. INITIATIVE STATUTE. Permits consumers to: (1) prevent businesses from sharing personal information; (2) correct inaccurate personal information; and (3) limit businesses’ use of “sensitive personal information”—such as precise geolocation; race; ethnicity; religion; genetic data; union membership; private communications; and certain sexual orientation, health, and biometric information. Changes criteria for which businesses must comply with these laws. Prohibits businesses’ retention of personal information for longer than reasonably necessary. Triples maximum penalties for violations concerning consumers under age 16. Establishes California Privacy Protection Agency to enforce and implement consumer privacy laws, and impose administrative fines. Requires adoption of substantive regulations.”
So the “headline positioning” to voters is very much about giving consumers added legal rights, namely consumers can prevent businesses from sharing their personal data, they can rectify incorrect data held by businesses (a right that the GDPR gives EU residents but was not in V1 of the CCPA), and can block businesses from using sensitive data. So, I think the initial positioning to voters is quite good for the proponents in that it is about giving net new rights and freedoms. The voter description then points out new business obligations, and then highlights the enforcement mechanisms that his initiative adds.
The description then references its “cost” (ballot initiatives are required by California state law to present this information to voters):
“Summary of estimate by Legislative Analyst and Director of Finance of fiscal impact on state and local governments: Increased annual state costs of roughly $10 million for a new state agency to monitor compliance and enforcement of consumer privacy laws. Increased state costs, potentially reaching the low millions of dollars annually, from increased workload to DOJ and the state courts, some or all of which would be offset by penalty revenues. Unknown impact on state and local tax revenues due to economic effects resulting from new requirements on businesses to protect consumer information.”
I believe this positioning of the cost is also quite good for the proponents, as the cost of $10 million will probably seem not very onerous to voters in the grand scheme of other initiatives that have historically presented billion-dollar ticket prices (e.g. bonds). i.e. a small price to pay for all these great new rights we get.
Speaking of the references to the Legislative Analyst’s Office (LAO, which is a nonpartisan fiscal and policy advisory service) in the text above, this is how they summarized the initiative:
“This measure (1) modifies existing consumer data privacy laws, (2) establishes new consumer privacy rights, (3) changes existing penalties and uses of penalty revenues, and (4) creates a new state agency to monitor compliance and enforcement of the state’s consumer data privacy laws. If approved by the voters, most of the measure’s provisions would take effect in January 2023 and would apply to data collected on or after January 2022. Select provisions (such as the creation of the agency and requirements for developing new regulations) would go into effect following voter approval.”
LAO highlights in the first two points the amended and net new rights that consumers add, and in points 3 and 4 highlight the enforcement aspect. Note it does not focus on the added obligations to businesses which potentially could turn voters off. So, for those probably few voters who would want to do deeper research, this added analysis also comes off positively for the backers of the initiative.
How Californians for Consumer Privacy are Positioning the Initiative
So how is the group backing this initiative positioning the CRPA to voters? Lets first look at how they positioned “Version 1.0”:
Basically, they positioned the CCPA as delivering three main benefits:
Transparency — it gives consumers “the right to know” what personal data businesses have about them.
Control — gives consumers “the right to say no” by stopping the sale of information and/or requesting their data be deleted
Accountability — this requires businesses to “keep my information safe”
So, in effect the V1 positioning was 2/3rd about consumer rights, and 1/3 added business obligations re: governance and accountability.
Now let’s look at V2’s aka CPRA’s positioning:
The first item is very much about giving consumers additional rights, i.e. further protection of your most sensitive data. The second item really focuses on enforcement, namely we will come down on businesses if they sell or share or otherwise mishandle children’s personal information. And the third positioning bullet point is also about enforcement, i.e. this will create an enforcement arm to put some teeth behind this law.
So, the transition from “V1” (i.e. CCPA) of it being 2/3rds more rights and 1/3rds more accountability has shifted in “V2” (i.e. CRPA) to 1/3rds more rights and 2/3rds more enforcement. And per the CCP, this enforcement emphasis is needed because of what they say at the top of the screenshot above, namely (a) big tech has been and is working overtime to weaken V1 and (b) these big tech firms are also building clever and sneaky workarounds to V1 to still exploit your personal data.
In fact, what Californians for Consumer Privacy (CCP) states out loud (and shown in the screen capture above) is that they think what big tech is doing is both (a) immoral and (b) a threat to our democracy. Hence to the CCP a well-funded and dedicated regulatory agency (called the Privacy Protection Agency — which moves the majority of enforcement and rulemaking away from the California Attorney General to this new agency) is a must to protect individual consumers, further backed by a law that cannot be chipped away.
I am calling out this last point re: the inability to "chip away" at the CPRA due to a section in the initiative that spells out that if it passes, the resulting law is in effect put into in a “lockbox.” What I mean by that is that is, yes, the CPRA could be amended by the legislature (in fact the original CCPA was amended 6 times), but with a key restriction that any amendments must be “consistent with and further the purpose” of this new law — so no watering down by the legislature who may be unduly influenced by big tech (but note a new initiative could weaken, but not lawmakers).
In other words, with the CPRA the gloves are definitely off, in terms of not only giving consumers more privacy rights vis a vis businesses that collect personal information, but also removes various loopholes those businesses can and are using. Furthermore, it wants to hire an enforcement agency to ensure compliance while at the same time making it more difficult to weaken the law. Californians for Consumer Privacy are definitely sending a strong message here that they want these privacy rights and business obligations to be enduring.
In my next blog will discuss the scope and individual rights the CRPA gives consumers.