California’s recently enacted digital privacy legislation, the “California Consumer Privacy Act,” may be getting a sequel in the form of an initiative called the “California Privacy Rights and Enforcement Act of 2020.” While the fallout of CCPA has yet to be seen, since the Act does not go into effect until next year and the regulations governing its application have yet to be finalized, CPREA promises to double down on its approach by creating yet more largely superfluous – and hugely expensive – digital “rights”.
How did we get here? Well, CCPA, the original, was the brainchild of a wealthy real estate investor named Alastair Mactaggart who, inspired by a cocktail party conversation, used California’s initiative process as a cudgel to get the full attention of the legislature in Sacramento. The body was given an ultimatum: negotiate and pass privacy legislation or Mactaggart would place his creation on the ballot.
Instead of running the risk of complicating a 2018 midterm ballot in which Democrats were slated to make huge gains, the Democratic super-majorities in Sacramento chose to pass comprehensive privacy legislation in a matter of days, thereby utterly transforming the way in which digital commerce occurs in the Golden State. Unsurprisingly, the result of doing so was that California became subject to a technically unworkable mess of regulation that necessitated an entire year of subsequent legislative work to clean it up.
Now, in the wake of that saga, and in spite of a largely successful campaign in the state capital, Mactaggart has grown weary of the legislative process and crafted another initiative to expand and refine the vision of privacy that he would like to impose on America’s most populous state. Only, this time, it appears that he has no intention of working through the legislative process. This time, Mactaggart is going to be a one-man policy decider.
As released, the initiative is equal parts privacy extremism and cynical politics. Substantively, some will find elements to applaud in the CPREA, between prohibitions on the use of behavioral advertising and reputational risk assessment (all of which are deserving of their own critiques), but the operational structure of the CPREA is nothing short of disastrous. Here are some of the worst bits:
- Amendments (Section 24) – this section would effectively prevent California from changing its approach to privacy without another initiative, and may even prevent the sort of subsequent legislative clean-up that was necessary to make CCPA at all workable in the first place. A straightforward lesson in exactly what happens when such provisions are passed is available in the form of 1988’s Proposition 103, which has a similar provision that has effectively prevented innovation in California’s insurance market. Wonder why property insurance premiums are skyrocketing in the wake of the state’s fires and why there has been no appreciable development in the auto insurance sector? Look no further than this clause.
- California Privacy Protection Agency (Section 23) – to enforce the Act, the CPREA creates a new government agency with the power to audit firms’ approaches to security and to fine them, in the amount of $2,500 per unwitting transgression, should they be found in violation. While pointless (why have an Attorney General anyway?), that’s not entirely unusual. What is problematic is that the new agency’s entire existence would be funded directly by fines instead of the general fund, thereby creating an incentive to use broadly defined powers to search for violations to sustain its very existence. What’s more, the suggested statute of limitations in the Act is long, the right to cure is curtailed, and the agency is directed to fund – annually – consumer groups to “promote and protect consumer privacy”. All of this represents a devil’s cocktail of bad incentives for regulatory overreach.
- Duties of Businesses that Collect Personal Information (Section 4) – new business-side duties in the CPREA will lead to compliance headaches without achieving clear benefits for consumers. For instance, the Act includes an obligation to maintain “reasonable security,” a standard without definition, but readily enforceable by a fine-inclined agency. Similarly troubling, the definition of “personal information” included in the Act likely encompasses a person’s likeness, which, in concert with the Act’s other requirements, means that when a Californian walks into a brick-and-mortar retailer using security cameras, the Act would require firms to provide them with notice. In effect, this requirement will function as an enforcement trap. The only good to come of it will be the resulting boom in the state’s sign-making industry as notices proliferate in a manner that makes Proposition 65’s utterly pointless chemical warnings appear reasonable.
Fortunately, there is time yet for the CPREA to be fought off. Californians, and industry within the state, could see to the direct electoral defeat of CPREA and/or the passage of another initiative designed to more directly remedy consumer harms. Doing so will require not only clear communication about the costs of CCPA and CPREA alike, but also a recognition that voters do want to see something, anything, done related to privacy. Give them a moderate alternative and a reason to choose it, and Mactaggart’s status as de facto state privacy administrator may come to an end.