The Californian Privacy Rights Act (CPRA)
The current California Consumer Privacy Act, (CCPA) became enforceable from 1st July 2020, but it looks like it might be on its way out. The same group that pitched the original Privacy Act have proposed another, stronger bill; The California Privacy Rights Act, (CPRA) also referred to as Proposition 24. This has been successfully voted to be added to the November 2020 ballot, where Californian citizens will be asked to vote on the initiative. If that ballot is successful, then the CPRA is likely to be effective from 1st January 2023.
Whilst many see this as a positive sign that strengthens and broadens the scope of the existing law, it has recently seen several challenges.
The Electronic Frontier Foundation, (EFF), “a leading non-profit organisation defending civil liberties in the digital space” 1, have confirmed that they do not support proposition 24. Although they have also stated they do not oppose the proposition.
Yes and no. Alastair MacTaggart, the founder of Californians for Consumer Privacy, drafted the Californian Privacy and Enforcement Act, (CPREA), to strengthen of consumer rights as a supplement to the CCPA.
The EFF were one organisation within a group of privacy advocates who suggested amendments to this draft act, so you’d expect them to be in favour? However, it seems not all the suggestions were included in what is now known as the CPRA. The EFF’s argument for not supporting the ballot is that:
“Prop 24 does not do enough to advance the data privacy of California consumers.” 2
This has gained some traction across the privacy advocacy network, with several parties raising a rebuttal to Proposition 24. Almost the first sentence in the rebuttal states:
“We OPPOSE Proposition 24 because it stacks the deck in favor of big tech corporations and reduces your privacy rights.” 3
With opinion divided over the support of Proposition 24, it will be interesting to see which way Californian residents will vote in November.
What improvements would the CPRA bring?
- An increased number of consumer rights
- Separate and distinct definition of sensitive personal information and rules for processing such data
- A definition of consent that is more akin to that under GDPR
- Higher fines for breaches of privacy against children’s’ data
- Definition of breach expanded
- It would establish the Californian privacy protection agency to regulate the Act
What are privacy advocates objecting to?
Primarily that the act does not go far enough to protect consumers, that there is a bias towards large tech companies that undermines the privacy of individuals.
- The language used in Proposition 24 is vague and inconsistent.
- There is a burden on consumers themselves to understand and know how to act on their rights and then interpret any information they manage to retrieve from the companies that hold it.
- Many suggest that opportunities have been missed to make privacy and associated rights easy for the consumer.
- The CPRA expands ‘Pay for privacy’ options, so consumers could be penalised for not allowing the sale of their data, potentially creating a privacy underclass situation.
- The proposal has not taken account of how the CCPA is working or not working.
- There is also a concern that the CPRA could create a ceiling in the law, therefore no other strengthening amendments will be made going forward.
It is understandable that drafting data protection and privacy regulations can be complex with the amount of technological innovation ongoing. Getting the level right can be divisive and often sees conflicts between privacy advocates and large tech companies.
With Privacy Shield recently invalidated, this could be an opportunity for California to further its lead on the privacy front. If legislators work with European counterparts, they could create an Act that is privacy first and demonstrate sufficient adequacy to enable data transfers with the EU & possibly the UK.
To the last concern, my opinion is that: it would be ignorant to impose restrictions on future iterations of any data protection or privacy regulation. Technology will continue to evolve and new methods of data processing will emerge. These regulations are here to protect the rights of individuals. And more needs to be done to educate individuals and make privacy accessible.