Californians: VOTE NO ON PROP. 24, The California Privacy Rights Act (CPRA)

On November 3, Californians will vote on Prop. 24, the California Privacy Rights Act (CPRA). Like most other ballot propositions, it’s designed to bypass the legislative process. Californians are usually inclined to vote “no” on those propositions, and that’s the right instinct here. The key takeaway from this long post:

CPRA is the wrong policy approach, at the wrong time, via the wrong process.

**VOTE NO ON PROP. 24**

If you are considering voting “yes” on Prop. 24, you should read all of its 52 pages. Unless your job requires you to deal with privacy law, there is 0% chance you can read to the end. The text will leave you baffled, overwhelmed, and skeptical of the drafters’ motives and drafting skill. You have to be a true believer to read this text and still favor the proposition. (Yes, all statutory drafting sucks, but IMO this is much worse than average).

Prop. 24 is NOT a referendum on whether you want more privacy (we all know you do) or if the CPRA delivers more privacy (the story is mixed). Fundamentally, Prop. 24 asks whether you want to take away most of the legislature’s power to address consumer privacy over time. Voting “yes” tells the world you think there’s no point in continuing to think about and work on how to balance privacy with many other policy considerations, because the CPRA is the perfect solution for the rest of our lives. If you can’t confidently say that, VOTE NO.

* * *

The CCPA as Prelude to the CPRA

The CPRA’s story starts with the California Consumer Privacy Act (the CCPA). A small team, funded by Alastair Mactaggart, wrote the CCPA as a ballot proposition, working with virtually zero public input or scrutiny. In California, ballot propositions can be amended only via other ballot propositions (an expensive, slow, and uncertain process), not by the legislature. If the CCPA proposition passed, it would have sidelined the legislature’s work on consumer privacy law possibly forever.

The CCPA proposition qualified for the November 2018 ballot. Mactaggart et al then offered the California legislature a deal: if the legislature passed something close to the CCPA, he would remove the proposition from the ballot. The catch: the ballot printing deadline was in 7 days, so the legislature had 1 week to pass a 10,000 word statute (to Mactaggart’s unilateral satisfaction) or the deal was off. Thus, by qualifying the proposition for the ballot, Mactaggart gained enormous leverage over the California legislature; Mactaggart functionally had more veto power than the governor.

The legislature held no hearings on the CCPA before passing it, even though the law affected hundreds of thousands of businesses across virtually every sector of the state’s economy. In the 7 day scramble, a few lobbyists, working behind closed doors, fixed some of the proposition’s worst problems. Unsurprisingly, this rush job produced many obvious drafting mistakes. The bill passed and Governor Brown signed it, but not many people rejoiced due to the bad approval process, dubious substantive terms, and painfully obvious mistakes.

Since then, the California legislature’s revisions to the CCPA have been modest. Soon after passage, the legislature approved “technical” amendments that fixed a few mistakes and typos. In 2019, the California legislature considered many CCPA amendments; but most died in the legislative process, and only a few passed. Overall, the enacted amendments didn’t change much. The 2020 CCPA amendments are even less consequential. At this point, the legislature is unlikely to make major or structural changes to the CCPA for the foreseeable future.

Despite the changes along the way, the CCPA remains terrible. I’ll highlight two of its many problems. First, CCPA compliance cost the California economy $55 billion (according to a government-funded study), or 1.8% of the gross state product in 2018. Second, few Californians have benefited much. The CCPA gives consumers various “rights” regarding their data, but most consumers don’t know about, and haven’t taken advantage of, those rights. So those huge compliance costs have produced what benefits exactly?

(The CCPA might motivate companies to improve their privacy practices irrespective of whether consumers exercise their rights. I am not aware of studies showing how much consumers benefit from these under-the-hood behavioral changes).

To summarize: the CCPA forces businesses to spend money to provide rights that most consumers won’t use. As we’ve sunk into a state-wide COVID-caused recession/depression, businesses are struggling to make payroll and pay rent. We might prefer that businesses stay afloat rather than divert scarce money to CCPA compliance, but the CCPA doesn’t give businesses or consumers that choice.

CPRA Reneges on the CCPA Deal

The CPRA mostly codifies the CCPA (with many changes, a few significant). This directly contradicts the June 2018 deal to enact the CCPA as legislation, not as a proposition. The Mactaggart Clan decided they didn’t like the legislature’s supervision of the CCPA, so they prefer to permanently thwart the legislature. This is problematic for several reasons.

First, the CCPA is essentially intact from its initial passage. The Mactaggart Clan already got what they had wanted.

Second, businesses have scrambled to comply with the CCPA’s voluminous technicalities. The CPRA tells those businesses to eat shit and redo their compliance work. How much will this new compliance work cost? NO ONE KNOWS. So while businesses are getting hammered by the pandemic/economic recession, the CPRA compounds their misery.

(Note: the CCPA has been lucrative for privacy lawyers and professionals. The CPRA will extend their good times. Indeed, the CPRA’s complexity will scare off many generalist technology lawyers, and even many privacy lawyers, from advising clients on the CPRA, leaving the field to a small cadre of CPRA specialists who will reap the financial spoils).

Third, the Mactaggart Clan again developed the CPRA’s terms behind closed doors, not via a public legislative process. (The CPRA drafters did invite many players to submit comments; I declined). No publicly-elected official “voted” on the CPRA’s changes to the CCPA; the Mactaggart Clan had unilateral final approval over all changes.

Fourth–and this part cheeses me off the most–the Mactaggart Clan pursued the CPRA **BEFORE THE CCPA BECAME EFFECTIVE**. The CCPA only became effective January 1, 2020, and the CA DOJ did not have enforcement authority until July 1, 2020 (some parts weren’t enforceable until mid-August 2020). The CCPA is a brand-new and sweeping law with widely-felt consequences; we are only beginning to understand those effects. Nevertheless, the Mactaggart Clan decided they wanted to end the CCPA experiment BEFORE THE CCPA EVEN STARTED.

THIS IS THE STUPIDEST POSSIBLE WAY TO MAKE LAW.

(This San Jose Mercury News op-ed against the proposition discusses this point more).

Finally, the Mactaggart Clan has already played the proposition game twice. There’s no reason to believe they won’t keep playing it, so long as Mactaggart has money to spend and a hatred of legislative processes. The Mactaggart Clan has anointed itself as the unelected privacy autocrat of California. Is this the right way to set privacy law for the fifth largest economy in the world?

The CPRA’s Provisions

Modifications to the CCPA

In general, the CPRA replicates the CCPA’s consumer rights to: (1) know about companies’ data practices, (2) download and port data to new vendors, (3) access/delete our data, (4) opt-out of data sales (or opt-in for minors), and (5) not be discriminated against for exercising a privacy right, plus (6) a private cause of action for certain data breaches. From this foundation, the CPRA makes many edits to the CCPA. The voter guide summarizes the more substantial changes. I’ll likely address those changes in a future post.

A puzzlement: the Mactaggart Clan initially drafted the CCPA, so virtually every one of its hundreds of edits to the CCPA tacitly admits what they didn’t get right when they initially drafted the CCPA. Given their drafting history, these drafters surely made new drafting errors in the CPRA. This time, though, the CPRA may lock in those errors permanently.

The Amendment Process

The CPRA provides the legislature with limited flexibility to amend it:

The provisions of this Act may be amended after its approval by the voters by a statute that is passed by a vote of a majority of the members of each house of the Legislature and signed by the Governor, provided that such amendments are consistent with and further the purpose and intent of this Act as set forth in Section 3, including amendments to the exemptions in Section 1798.145 if the laws upon which the exemptions are based are amended to enhance privacy and are consistent with and further the purposes and intent of this Act and amendments to address a decision of a California state or federal court holding that a provision of the Act is unconstitutional or preempted by federal law, provided that any further amendments to legislation that addresses a court holding shall be subject to this subdivision.

(Yes, that is a 142-word sentence. Yes, the entire law is equally unreadable. This is why you need to try reading it before voting yes. This provision is on page 51. Good luck getting that far.)

So, the legislature can amend CPRA with a simple majority only when the changes benefit consumers. If you’re a hard-core consumer advocate, this makes sense. But if you expect your elected legislators to respond to conditions that evolve  over time, a one-way ratchet materially handcuffs the legislature’s power to do so. (Note: the CPRA rule-making can evolve over time, but the rules probably can’t contravene the CPRA’s text).

The legislature will have little interest in amending the CPRA on these terms. It’s barely amending the CCPA when it has full freedom to do so. The CPRA’s amendment restrictions will further sap the legislature’s enthusiasm.

Furthermore, consumer advocates or business representatives (or both) will likely bring court challenges over any future legislative amendment, claiming the changes do not satisfy the CPRA’s amendment requirements. As a result, any legislative amendments may not take effect until the courts resolve the litigation–possibly years later. Legislators will be scared off from working on amendments by the mere threat of litigation, and legislators won’t want to invest a lot of energy in any amendments that courts can easily overturn.

Thus, the CPRA will likely remain mostly unchanged for the rest of our lives. As society and technology evolves over decades, the CPRA will become increasingly incongruent with our state’s needs. We have a lot more societal growth before we confidently can anticipate what we’ll need from a functionally immutable approach to privacy regulation. Yet, immutability is the CPRA’s raison d’etre.

A New Administrative Agency

The CPRA will create a new state government agency, the “California Privacy Protection Agency” (CPPA), to supplement the CA DOJ’s enforcement authority provided by the CCPA. The CPPA will take over the DOJ’s current rule-making authority (the CPRA identifies 22 topics, with many subparts, for rule-making). The CPRA also creates an administrative “court” within the CPPA to adjudicate CPRA violations, and the CPPA will have parallel enforcement authority with the CA DOJ.

A new privacy-specialized regulator has some appeal. The CA DOJ is stretched thin, privacy will never be its top priority, and the DOJ prioritizes litigation over other regulatory tools. In other countries, “Data Protection Agencies” (DPAs) enforce privacy laws. DPAs tend to be more holistic and less litigious in their efforts. In theory, a new California DPA might be a better privacy regulator than the CA DOJ.

However, the CPRA miscalibrates the CPPA’s design. The CPPA will divert prosecutions into its administrative adjudication process. On the plus side, handling cases administratively might be cheaper and faster than court; and it could keep our already overtaxed courts from being overwhelmed by privacy litigation. On the minus side, specialized “courts” tend to develop structural biases that favor their primary constituency. In this case, the CPPA jurisprudence surely will develop an anti-business bias. Indeed, the CPPA’s charge requires it to “protect the fundamental privacy rights of natural persons with respect to the use of their personal information.” Some might think an anti-business skew is great, but I think biased adjudicatory processes undermine our faith in the rule of law. The CPPA’s adjudicative process may become a kangaroo court.

Businesses can appeal the kangaroo court’s judgment to the court system, but a reviewing court will defer to the kangaroo court’s decision. More importantly, businesses will have to pay for litigation through both the kangaroo and regular court systems. The stacked procedural deck and high defense costs will coerce businesses into settling dubious or illegitimate enforcement actions. I expect the CPPA will weaponize these costs to troll businesses for settlements.

Conclusion

Even if you want more privacy and you hate Facebook, the CPRA is not the privacy law you are looking for. First, incumbents like Facebook benefit from laws that raise their competitors’ costs. Second, and more importantly, the CPRA’s changes, COMPARED TO WHAT THE CCPA ALREADY GAVE YOU, aren’t worth the immutability. The CPRA imposes new costs at a time we can least afford them, and cements the solution before we know whether the CCPA even works. I reiterate: CPRA is the wrong policy approach, at the wrong time, via the wrong process.

When Will Congress Act?

Congress will pass a comprehensive federal consumer privacy law eventually. The CCPA should have spurred Congress to act, but that hasn’t happened; and it won’t happen soon because Congress is notoriously dysfunctional and has baffling priorities.

Nevertheless, Congress will closely watch the Prop. 24 vote. If CPRA passes by a wide margin, Congress will feel compelled to treat the CPRA as its template. This is how a deeply flawed privacy law, drafted behind closed doors by people we never elected, could become the national standard. Your “no” vote empowers Congress to not be locked into the CCPA/CPRA model.

Prior CCPA Posts

* A Review of the “Final” CCPA Regulations from the CA Attorney General
The CCPA Proposed Regs’ Data Valuation Calculation Provisions Provide Flexibility, But Raise Ambiguity & Transparency Concerns (guest blog post)
My Third Set of Comments to the CA DOJ on the CCPA Regulations
Comments on the DOJ’s Proposed Modifications to the CCPA Regulations
Eric Goldman’s Comments to the California DOJ Draft Regulations for the Consumer Privacy Act (CCPA) (Part 3 of 3)
Some Lessons Learned from the California Consumer Privacy Act (CCPA), 18 Months In (Part 2 of 3)
Resetting the California Consumer Privacy Act (CCPA)…with 2 Weeks To Go! (Part 1 of 3)
And At the End of the Day, the CCPA Remains Very Much the Same (Guest Blog Post)
A Recap of the Senate Judiciary Committee Hearing on Amending the California Consumer Privacy Act (Guest Blog Post)
Want Companies to Comply with the CCPA? Delay Its Effective Date (Guest Blog Post)
Recap of the California Assembly Hearing on the California Consumer Privacy Act
A Status Report on the California Consumer Privacy Act
41 California Privacy Experts Urge Major Changes to the California Consumer Privacy Act
California Amends the Consumer Privacy Act (CCPA); Fixes About 0.01% of its Problems
Recent Developments Regarding the California Consumer Privacy Act
The California Consumer Privacy Act Should Be Condemned, Not Celebrated
A First (But Very Incomplete) Crack at Inventorying the California Consumer Privacy Act’s Problems
Ten Reasons Why California’s New Data Protection Law is Unworkable, Burdensome, and Possibly Unconstitutional (Guest Blog Post)
A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet
An Introduction to the California Consumer Privacy Act (CCPA)