In more than two hours of discussion and testimony Friday before the California State Assembly Committee on Privacy and Consumer Protection, San Francisco investor and developer Alastair Mactaggart presented the California Privacy Rights Act (CPRA), a proposed ballot initiative he said would be one of the most meaningful laws of its type in the world if approved by voters. Mactaggart’s 2018 ballot initiative prompted lawmakers instead to create legislation that became the California Consumer Privacy Act (CCPA). CPRA proponents need the verified signatures of 685,534 residents by June 25 to qualify it for the Nov. 3 ballot; they had 420,744 as of June 8, Mactaggart said, indicating he’s confident that will happen. Among the takeaways:
• The CPRA would create a new category of highly sensitive personal information such as health and financial data, MacTaggart told legislators -- “so sensitive that you should be able to tell business, ‘You can’t use this unless it’s really necessary to deliver a service that I’m asking for.’” It would stop the geo-tracking of residents more precisely than a radius of about one-third of a mile; add your email and password to a list of items “covered” by CCPA’s “negligent data breach” section; and it would create the California Privacy Protection Agency (CCPA) to oversee the state’s stewardship, funded with $10 million from the General Fund. (The state’s former Office of Privacy Protection was disbanded in 2012 by former Gov. Jerry Brown, Mactaggart pointed out.) Additionally, it would give the Legislature the ability to make CPRA amendments with a simple majority – but these would have to be “in furtherance of the purpose and intent” of the CPRA.
“I think privacy is a movement whose time has come. It is foundational to the kind of society we are going to create and leave for our children,” Mactaggart said, highlighting the examples of last-century regulation on vehicle safety, tobacco and air quality that made the world “a better place.”
• The state Legislative Analyst’s Office (LAO), which must work with the Department of Finance to do fiscal and impartial analyses of initiatives and ballot propositions before their circulation and voter approval, respectively, found that the CPRA would add new regulations on business but in some cases relax others. It would no longer require compliance from businesses that “buy or sell the personal data of 50,000 to 100,000 consumers or households annually” – but would require compliance with data privacy mandates from businesses earning 50 percent or more of their annual revenues from sharing personal data. Businesses would be required to tell consumers if they share their personal data. Consumers would be able to direct businesses to not share their personal data, correct it if it’s incorrect, and limit the use of sensitive data like Social Security numbers.
However, creating the CCPA would cost the state money. An increased workload to courts and the state Department of Justice would also cost money “not likely to exceed the low millions of dollars annually,” the LAO found, noting some costs would be covered by penalties generated. Tax revenue could drop if complying with the CPRA costs businesses money, the LAO found – but it could also rise if severe data breaches are fewer and consumers buy more. “The total net impact on the economy and state and local revenue is unknown,” the LAO wrote.
• The importance of the issue and the initiative is highlighted by the novel coronavirus (COVID-19), said Committee Chairman Ed Chau, D-Monterey Park, one of three authors of Assembly Bill 375, the original CCPA updated by the Legislature last session.
“The need for this protection has been amplified by the current pandemic and protests as we see civil liberties being compromised on a number of fronts,” Chau said. “And while at the same time the state enters an unprecedented fiscal crisis causing cuts to many of our vital social safety net programs.” Among questions from lawmakers, Assemblymember Buffy Wicks, D-Oakland, asked Mactaggart why only about seven of 45 changes to the initiative proposed by consumer groups were taken into account.
“For me, I’m a big ‘perfect is the enemy of the good’ person,” Mactaggart said, discussing the changes in detail. “And I’m trying to get something that will stand the test of time that we can achieve. There were some parts of the advocates’ letter absolutely that we did not take and unfortunately, that’s life.”
• Representatives of consumer advocacy groups offered a pointed critique of the initiative. Maureen Mahoney, policy analyst for Consumer Reports, said the CPRA “would give consumers better control over targeted advertising” and clarify on opting out – but misses a “key opportunity” to remove CCPA language that could let companies charge residents for exercising their privacy rights. Speaking in her “personal capacity as a privacy advocate,” Mary Stone Ross, principal at MSR Strategies and a co-author of the initiative that led to the CCPA, called the CPRA “a watered-down, hobbled sequel” to it and urged the committee to not support its components that would have “little practical consequence.”
Ariel Fox Johnson, senior counsel at Common Sense Media, a CCPA sponsor, said the initiative would improve enforcement, make the attorney general’s job easier and triple penalties for companies that misuse the data of minors. But, she said, it doesn’t offer “substantive protections specifically for vulnerable children and teens,” its protection of consumer data collection is insufficient; and the organization is “skeptical” of the ability to amend the initiative.