Why the CPRA is a Critical Linchpin for a Comprehensive Federal Privacy Law
In this blog post I am going to discuss how passage of the California Privacy Rights Act of 2020 (CPRA) — on the ballot as Proposition 24 — is a critical linchpin to finally getting a comprehensive national privacy law passed. By “comprehensive” I mean a law approximating what the European Union (EU) has with General Data Protection Regulation (GDPR) in terms of consumer privacy rights, business obligations and enforcement. Clearly the most critical linchpin is a new administration who would likely prioritize privacy, as the Trump Administration had shown little appetite in this area, but passage of CPRA in California is probably what is needed to get any national privacy legislation at levels equivalent to GDPR.
The unique influence of California
While the current California privacy law — the California Consumer Privacy Act (CCPA) of 2018 — is the US’ most robust privacy law, it still does not match the GDPR. Version 2 of the CCPA, the CPRA, is the only law on the horizon in the US that finally gets a privacy law in the US on par with GDPR as shown in the table below.
I am not saying that every line item in the table above is necessarily equal weight, but if you were to compare green marks as a benchmark, CCPA matches GDPR at a 55% clip, while CPRA matches GDPR at a 93% clip. However you want to quantify it, experts do universally say that passage of Prop 24 gives California “a law that is closer in scope to robust international privacy laws, such as the GDPR.”
The reality is that California tends to take a lead role in consumer protection as witnessed by the world auto industry following California’s auto emissions rules. This is because California is the 5th largest economy in the world and 1 out of 8 Americans live here. So, the CPRA is bound to be a model given California’s size and scope, as well as for historical reasons.
Now if the CPRA fails to pass, then the message would be sent to a new Congress that if a GDPR-like can’t pass in the bellwether state of California, then a comprehensive GDPR-like bill does not have to be passed. In other words, if there is not an appetite even in a predominately Democratic state, where there is a proclivity to consumer protection and privacy rights, then the thought process would be likely this lack of desire is reflected elsewhere.
The opposition to and potential defeat of Prop 24 clearly plays into the hands of those who don’t want comprehensive federal privacy legislation. In other words, without the CPRA, there is no high bar set by the highly influential and trend-setting California.
On the other hand, if the CPRA passes, an incredibly strong signal is sent to Congress and the bar for federal privacy legislation is now set to the high GDPR levels. Namely businesses want consistency in cross-border regulations to remove friction, and if the EU market (with the second largest GDP) and if California (with the 5th largest GDP) are on the same privacy level, then it becomes a forcing function to have the rest of the US adopt the CPRA-GDPR standard of privacy.
Furthermore, the politics of this situation is that in the US House, 20% of the House Democrats are from California. I think California House Dems would be loath to override or weaken with a Federal law a statewide referendum that voters passed, i.e. they don’t want to be in a situation of taking away rights that Californians have voted they want. So, the politics of the situation further makes CPRA a key linchpin in getting us towards comprehensive privacy on a national level.
Putting CPRA in the Context of Existing US Privacy Laws
Unlike the EU, the US does not have an over-arching data privacy/protection law. In fact, the word privacy is not mentioned in the US Constitution, although over time the 4th Amendment (“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated …”) has been interpreted over the last 100+ years as providing a reasonable expectation of privacy.
What we do have is a patchwork of state and federal laws, some of which are sector specific and others that cover very specific personal data associated with a given industry or type of data. These Federal privacy laws have been enacted based on a variety of factors, including: [and shoutout to Lauren Steinfeld and her course Privacy Law and Data Protection for the categorization of these data protection laws]
Who’s Got the Data. This started in the late 1960s when the federal government and credit bureaus were the only ones that had personal data on millions of people. The two best examples of laws in this category that were passed by Congress were The Privacy Act in 1974 (that regulates personal data held by the Federal government( and the Fair Credit Reporting Act in 1970 (that regulates data held by credit bureaus).
Lawmaking by Anecdote. These laws have come up when a specific incident has made headlines. A good example is the Video Privacy Protection Act of 1988 which came about because a reporter was able to find out what Robert Bork’s video renting tastes were. Another example includes the Family and Education Rights and Privacy Act (FERPA) in 1974 that protects students’ data.
Privacy Laws as Part of Some Other Data Sharing Initiative. The best examples are the Health Insurance Portability and Accountability Act (HIPAA) in 1996 for healthcare and the Graham-Leach-Bliley Act (GLBA) in 1999 for the financial services industry. I will cover these down the road. But they are very industry-specific, and in the case of HIPAA, have strict definitions of “covered entities” (e.g. your hospital is covered, but not your health app on your phone).
Special Harm, Special Concern. These are laws that have been introduced to address compelling privacy harms in very specific areas. Examples include the Children’s Online Privacy Protection Act (COPPA) of 1998 and the Genetic Information Non-Discrimination Act (GINA) in 2008.
So, as you can see from above, the last US Federal privacy act of note was in 2008 and it was for a very specific (or dare I say, narrow) concern re: genetic/DNA info. You must go back the 90s when we had major laws such as HIPAA and GLBA involving privacy, but again for specific industries, so to this day other huge segments of the economy are not covered.
California Here We Come
So as of lately it has been at the state level where most of the Data Protection and Privacy law action has been taking place in terms of passing legislation, and it has been my home state of California that has led the way.
First off, California voters amended its State Constitution in the early 1970s to include the right of privacy among the “inalienable” rights of all people: “All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.”
Next, California was the first to enact a comprehensive Data Breach Notification law in 2002.
Then in 2004 California added the first state law in the nation to enforce the public posting of privacy policies on websites. This law is called the California Online Privacy Protection Act (CalOPPA).
Finally, the most significant privacy legislation in the US since the 1990s was passed in California with the California Consumer Privacy Act (CCPA) in 2018.
But California has the choice to not just stop at a law that gives us residents just 50% or so what Europeans get with the GDPR in terms of consumer privacy rights. The good news is that California voters can decide this November with the CPRA if they want parity with the European citizens or not, or if we will have less fundamental online rights than them.
For more information, visit this blog post on why you should Vote Yes on Prop 24.