Get Ready for Another Consumer Privacy Initiative in California

It’s been about a month since California rolled out the toughest consumer data privacy law in the nation.

As of January, you can demand that any company detail what information it collects about you, tell it to stop selling that information to other companies, or even delete the data altogether. And if a company negligently allows itself to be hacked, exposing your data, you can sue.

But already, there's talk of another law: The California Privacy Rights Act would add clarifying language to the newly enacted California Consumer Privacy Act (CCPA), stipulating, among other things, that businesses:

• Should not collect the personal information of children without consent.
• Should only collect consumers’ personal information for specific purposes.
• Should provide consumers with easily accessible tools to obtain their personal information, correct or delete it, and to opt‐out of its sale to other parties.

Perhaps most dramatically, the new initiative would create a new regulatory agency in California that would enforce protections in addition to the Attorney General's Office.

"We should have more privacy professionals in this agency, once it gets funded, up and operating if the initiative passes, than right now exists in the FTC [Federal Trade Commission] in the entire country," said the man behind the existing law and the proposed initiative, Alastair Mactaggart.

That said, he added, "Sensible companies realize this regulation is coming. This is not a burn-down-the-whole-world law. This is not a law that, you know, puts anybody out of business."

The real estate developer turned data privacy advocate has given a lot of thought in recent years to the surveillance economy that's sprung up around consumer data. And he recognizes he's not alone in feeling concerned about it: About 81% of the public say they feel "the potential risks they face because of data collection by companies outweigh the benefits,” according to the Pew Research Center.

But unlike most of us, Mactaggart had the money to launch a political and legal conversation in California, although "conversation" is perhaps too polite a term.

In 2018, Mactaggart launched a ballot initiative to tackle consumer data privacy. Business interests, data privacy advocates and members of the state Legislature were able to persuade him to drop it in favor of hastily written — and passed — legislation.

At that point, all sides declared open season on "fixing" it as the legislative year progressed. More than a couple dozen bills were launched, some trying to tighten the language of the CCPA to favor consumers, more trying to loosen the law to favor businesses.

"I expected some pushing and shoving, but I didn’t expect this wholesale assault to try to like wipe it out," Mactaggart said.

Most of the measures failed to pass, thanks in large part to state Sen. Hannah-Beth Jackson, D-Santa Barbara, who chairs the Senate Judiciary Committee in Sacramento. After the smoke cleared, what was left of the CCPA was still the strongest law of its kind in the country.

That may be because "it's the only privacy act in the country," said Jackson.

She said she appreciates that Mactaggart now wants to make the law even tougher, although she hasn't had the chance to comprehensively review the fine print.

"This is such a new area. There are probably going to be a lot of different interpretations to it," Jackson said.

But a number of other data privacy advocates like Mary Stone Ross with the Electronic Privacy Information Center in Washington, D.C., are concerned about the fine print. Ross co-authored the earlier initiative, but says the new one includes giveaways to business interests.

"For example, there's this definition of 'de-identified information,' " she said. "It's actually a really big deal because by definition, de-identified information is not personal information, and so if that definition is weakened, then it weakens the scope of the entire law."

"Sure enough, in this new initiative is a weakened definition of de-identified," Ross added.

In other areas of the fine print, the Act raises the threshold for when the rules apply: only companies that buy, sell or share the personal information of more than 100,000 consumers or households need comply. The current standard kicks in for 50,000 consumers or more.

And yet more fine print: A business is exempt from disclosing information in response to rights requests if it requires disclosing "trade secrets." The definition of a trade secret is very broad and could create a significant hurdle for prosecutors, regulators, or consumers trying to exercise their rights under CCPA.

It's hard for data privacy advocates to ignore these provisions, even amid other language that tightens other elements of CCPA in favor of consumers. Last October, 11 privacy groups wrote an open letter to Mactaggart, urging 45 ways to strengthen the language of his new initiative. Only seven of their suggestions were incorporated into the final version.

"There are steps forward. There are steps back. There are missed opportunities," said Hayley Tsukayama, a legislative activist for the Electronic Frontier Foundation. Noting that EFF has not officially come out against the new initiative, she added, "We have publicly pointed out the flaws that we see in the initiative. He didn't take all of our suggestions."

Beyond California

In the absence of federal data privacy law, Ross says other states are looking to California for direction. "There’s legislation that’s going to be introduced in Florida, in Colorado, potentially in New York," she said.

For Jim Halpert, a corporate attorney with DLA Piper who advises companies about data privacy, the new initiative is a step in the right direction.

The new language, he said, is "addressing some of the practical compliance issues that drove efforts to amend the law by the business community in 2019."

California's groundbreaking data privacy regulation constitutes "a sea change in regulation of privacy in the U.S.," Halpert added.

Few data privacy advocates expect Silicon Valley to lobby against the new initiative as Mactaggart gathers signatures, because they’re getting at least some of what they want. And given growing public concerns about data privacy, people on both sides expect voters to find the basic idea of the California Privacy Rights Act of 2020 appealing.