What Comes After California’s CCPA?

In 2003 California passed Senate Bill 1386 (SB-1386). It was the first online privacy law in the U.S. What followed, over the next 17 years, was that every state in the nation implemented a law, generally modeled after SB-1386.

In 2018 California, sort of with a gun to its head, passed CCPA. Again a first in the land, CCPA was modeled after Europe’s GDPR, with a few twists and turns.

Since CCPA was passed under duress, the legislature decided to fiddle with it a bit after it was passed. In addition, the Attorney General, who didn’t get much money in the deal, decided that he effectively was not going to enforce it.

Based on all of that, the original backer of CCPA, Alastair MacTaggart, went back to the original plan and created a new ballot measure on the ballot this year – Proposition 24. That measure passed last week. So what does it bring to the party? Here are a few things; stay tuned for more details.

  1. Since the AG didn’t seem to want to enforce CCPA before, this measure created a new department – the California Privacy Protection Agency – with a $10 million budget.
  2. It closed the Facebook loophole in CCPA. They said they didn’t sell your data, just used it to target you, so CCPA did not apply. It does now.
  3. Adds some protections for “sensitive data,” but weakens protections for biometric data.
  4. Takes steps towards ensuring algorithmic transparency and fairness.
  5. Provides some data minimization requirements.
  6. Permits “pay for privacy” schemes – it allows companies to offer discounts in exchange for permission to collect and use personal data. This undermines privacy rights and discriminates against individuals who are economically disadvantaged. More about this later. Some people are hung up over this one.
  7. Does not allow for an expanded private right of action.

Unlike CCPA which the legislature can change on a whim, Prop 24 has language in it that says the legislature can fiddle with it, but only if the fiddling is privacy neutral or privacy enhancing.

One complaint from the fairness crowd is that CCRA (Prop 24) is not fair because it allows companies that want to sell your data to charge you more if you don’t want them to use your data. This, they say, will create two data classes – the rich who can afford privacy and the rest of us who cannot.

This is just a start – I will continue to talk about this over time.

Also consider that more states will consider CCPA/CCRA- style laws after this ballot measure was approved.

Note that the proposition does not go into effect until 2023, so there is still plenty of time for everyone to fight over it. Credit: EPIC, ACLUNC

Leave a Reply

Your email address will not be published.