The California Consumer Protection Act – the “CCPA” – goes into effect on January 1, 2020. The California Legislature rushed the CCPA into law leading to a piece of legislation that is woefully vague and lacking in many ways. Neither privacy advocates nor the business community is particularly happy with the final result. Given this, we probably should not be surprised to learn of the California Privacy Rights Act of 2020 (CPRA), a new ballot initiative introduced to amend the CCPA.
If it can be said there is one person behind the push for consumer privacy laws in California, Alastair McTaggartt is that man. MacTaggart was one of there people behind the original California Consumer Privacy Act ballot initiative and is now the man spurring the California Privacy Rights Act ballot initiative.
But who is Alastair MacTaggart?
Many people are shocked to learn that Alastair MacTaggart is…a real estate developer. He’s made a fortune developing properties ranging from condominiums to apartment buildings to retail malls throughout the greater San Francisco area. Such a background is rare, to say the least, for a privacy advocate.
How did MacTaggart come to be interested in privacy issues? Google may want to fire one of its employees. MacTaggart apparently had a lengthy conversation with an unnamed Google engineer a few years back and was stunned to discover the existence of the big data market and the fact companies faced few restrictions when collecting data from individuals. The engineer allegedly told MacTaggart that he would be horrified to know how much data Google had about him and other consumers.
This development led to MacTaggart becoming interested in legal solutions to reign in tech companies. He put $3.5 million up to back the California Consumer Privacy Act ballot initiative, and the rest is history. Here’s MacTaggart giving a speech on the CCPA and his views.
Proposed CPRA Amendments To CCPA
Backers of the California Privacy Rights Act of 2020 do not intend it to be a new law in and of itself. Instead, the goal of the backers of the CPRA is to address specific elements of the CCPA they feel come up short. The specific changes include the following:
California Privacy Protection Agency
Yes, the CPRA would create yet another government agency in California. In this case, the California Privacy Protection Agency would take over most of the obligations currently placed on an unenthusiastic Office of the Attorney General, including issuing regulations and enforcing the law. Think about that for a minute. An entire agency dedicated to enforcing privacy rights in California, no doubt creating yet more burdens to conducting business in the state.
A new category of “sensitive information” would be added to the CCPA that would cover data such as precise geolocations, social security numbers, sexual orientation, and ethnic origin. Consumers would be allowed to opt-out of the sharing of any of this information with third parties, including service providers. Businesses would be required to add another link to their sites for this opt-out option – yes, websites and apps would now be required to have two opt-out links!
The law would require companies to notify the state and consumers when using a consumer’s personal information for political purposes or to influence an election. While this may sound appropriate at first glance, who is going to decide what qualifies and what does not? Such a restriction is also likely to face a serious constitutional challenge based on limiting free speech.
12 Month Period Extended
The CCPA currently allows consumers to ask for the personal data a company has collected from them in the last 12 months. The CPRA would let consumers ask for data collected over more extended periods, so long as it isn’t unduly burdensome on companies. Yes, we’ll see plenty of litigation over the “unduly burdensome” standard.
It isn’t all bad. One proposed section of the ballot initiative makes a bit of practical sense.
50,000 Threshold Increased
The CPRA would bump the 50,000 threshold test to 100,000, a very positive development. Currently, businesses must comply with the CPPA if they buy, sell, share, or collected data from 50,000 or more consumers in a year, even if just IP addresses. This low figure is a nightmare for small businesses with high volume transactions. For example, consider a mom and pop deli. The 50,000 figure breaks down to about 137 data transactions a day. A small deli will meet this number easily, subjecting it to the CCPA compliance requirements and cost. If the Facebooks and Googles of the world are the real concern with privacy law, bumping the number up to 300,000 would be optimal but at least 100,000 is an improvement.
Will It Pass?
The CPRA initiative will appear on the November 2020 ballot, which is a presidential election promising a large turnout. Given Californians tends to vote liberal, it isn’t difficult to see voters passing the CPRA. The chances of such an outcome may be boosted by the fact that we are likely to continue to see more significant data breaches. In fact, breaking news as I write this post suggests hackers may have obtained the account information of as many as 267 million Facebook users and are listing the data for sale on the dark web.
Will It Matter?
Perhaps the most fascinating aspect of the CCPA and now the proposed CPRA is whether either law will matter in another year or two? We are finally seeing Congress take up the issue of a federal privacy law. Representatives have introduced several bills, and are now holding hearings, so it isn’t insane to think we could have such a law in 12 to 18 months.
If Congress passes a national privacy law, an interesting legal concept may come into play – the Supremacy Clause. The Clause is found in Article 6 of the Constitution and reads:
“This Constitution, and the Laws of the United States which shall be made in Pursuance thereof; and all Treaties made, or which shall be made, under the Authority of the United States, shall be the supreme Law of the Land; and the Judges in every State shall be bound thereby, any Thing in the Constitution or Laws of any State to the Contrary notwithstanding.”
A national federal privacy law could invalidate the various California privacy laws. One has to wonder what would become of the California Privacy Protection Agency! Indeed, one of the hotly debated topics in Congress is whether a proposed national privacy law would invalidate state legislation. We will have chaos if Congress passes a federal privacy law, but allows states to continue to enact and enforce privacy laws. Companies would face 51 different sets of compliance requirements under such a scenario. Ironically, the companies that are the targets of such law – big tech – would best be able to meet the compliance burden. Small companies such as mom and pop outfits? Not so much with many potentially going out of business.
The CPRA represents not so much an amendment to the CCPA, but another sign that the days of companies siphoning up personal data and monetizing it are over. Will the new privacy laws go too far? Almost certainly, but one can’t really complain given the data abuses massive companies commit.
It is just a pity that small businesses must suffer.
Richard A. Chapo, Esq.