Media Alliance was kind enough to respond via Twitter to my blog post that fact-checked their article opposing Proposition 24, which is the California Privacy Rights Act of 2020 (CPRA). Let me go through each one of their points below (I also responded via Twitter), but suffice to say it looks like the opponents are going to be doing some apples to orange comparisons vis a vis Prop 24, especially as it relates to the Privacy Protection Agency that is one of the main features of the CPRA.
- The FTC’s requested budget is $330 million and to have 1,140 personnel. The FTC covers the entire United States. They do anti-trust and a whole host of other stuff, with privacy being a small part of their equation. I have seen various references that specific to privacy enforcement the FTC has 40 people. With an annual budget of $10m, the California Privacy Protection Agency (CalPPA) would be able to hire at least 40 people (the current amount that Cal AG spends on privacy is $4.5m with 23 people, so extrapolating you could even argue that CalPPA could hire 50 people). So the FTC and CalPPA would have the same number of personnel to do privacy enforcement (or CalPPA could have more), but FTC has to cover 7x the population specific to privacy. But to compare CalPPA budget to the overall FTC budget, it is an apples to oranges comparison, equivalent to comparing the California budget to the US budget and saying why doesn’t California spend the same amount?
- It is nice to see the tweet above reference that the CalPPA has a $10 million annual budget. Their article just says “$5 million a year” and does not mention $10m. So I guess they fact-checked themselves.
- Specific to the Cal AG, just like the FTC, of course they have a big overall budget, and of course the Cal AG does many many more things than just privacy enforcement. But what is the Cal AG’s budget specific to privacy enforcement, which the legislature approved, again doing an apples to apples comparison here? We have it, it is $4.5 million per year for the next 5 years. It is 23 people. So to say “Cal AG is way better resourced” specific to privacy is not factually correct, unless you think $4.5m > $10m and 23 people > 40 people. Sure if you compare the overall budget of the Cal AG to the CalPPA, sure the entire budget of the Cal AG is much much bigger, but again you are comparing apples to oranges.
- They then project 3 years from now what the litigation strategy would be with the $10m, which is they believe will only go after small businesses vs. big tech. Meanwhile, if they again read the current Cal AG privacy unit budget, the Cal AG makes it clear that they will target each year 2-3 large firms regarding privacy violations. I quoted that section verbatim in this blog post. So their logic appears to be with $10m you can’t go after big tech businesses for privacy violations, but here we see the Cal AG will be going after 2-3 big tech businesses for privacy violations each year. So if it can be done with $4.5m, it can be done with $10m.
- They complain that the regulatory agency is underfunded. But the complaint in the article was that it was paltry at $5m, but the budget is actually $10m. Yet the press release that they participated in (snippet below) complained about the burden on the taxpayers of $100m in a decade, which is $10m per year, clearly implying that $10m is way too high. And per my blog post on the CalPPA, one of their partners in opposition thought $500k for the now defunct California Office of Privacy Protection got incredible bang for the buck. If I were them, I would pick a story (it is too big, it is too high, etc.) and stick to it.
- I 100% agree, what they are doing by comparing the CalPPA budget to the entirety of the Cal AG budget is “ridiculous.” But per above, you need to compare apples to apples.
- I am not going to re-litigate this, as I made my arguments in the prior blog, but the reality is that they did not even call it the right name which may tell you something.
- This whole “prevents the Legislature from changing” is not correct. Section 2 of the CPRA clearly states that “Rather than diluting privacy rights, California should strengthen them over time” and section 25 is quite clear per below. If someone claims that the Legislature can’t enhance privacy, the would lose in court.
Here is what they tweeted next
- They are factually incorrect, that CCPA went into effect on January 1, and in fact the group behind CPRA was still collecting signatures, as I detail in my last blog post. Yes, small infraction, but yet another incorrect statement.
- The irony of this statement is that the same groups in opposition of Prop 24 were behind the “Privacy for All Act,” which got pulled before it could even get a sub-committee hearing. That bill was introduced in early 2019. So they are 100% cool with their bill getting passed before the CCPA goes into effect. Got it: Do as a I say, not as I do.
- OK then, even though you fact checked yourself in your own tweets by saying $10m a few times when your article just says $5m. You said the CalPPA would “start from zero” when there is explicit language in the text that the Cal AG would staff CalPPA during a transition. And you said the group behind CPRA was no longer collecting signatures on January 1, 2020. And …
Anyway, more than happy to continue the debate on finer points, but at this point it is a waste of time to debate organizations who make clear apples to orange statements (overall budget of FTC and Cal AG compared to the budget of CalPPA, vs. not looking at what each spends on privacy) and won’t hold themselves accountable when they make misstatements (size of CalPPA budget, CalPPA must start totally from scratch, “system integrity”, ballot signatures all collected by January 1, 2020, etc.).
[UPDATE: Well I promised to not respond, but Media Alliance tweeted back, so figured I would try one more time.]
Here is what they tweeted.
Here was my response
There is *no* language re: minimum and maximum. You are making it up. Here is the text
It says $5m for FY20-21. That FY started July 1, 2020. CPRA gets passed in November, gets certified in December, forms say in Jan. So for that half FY, it has a half year to operate, and it gets $5m, annualized to $10m but each FULL year it gets $10m. Read the text.
But don’t believe me, here is what the Legislative Analyst Office (non-biased Cal State agency) wrote up. See $10m. Nothing about $5m or min/maxes.
LAO says it here too. Not some min and max thing. Not $5m. It says $10m annual.
New let’s look at your magical $55b number. That is what the AG estimated cost is for businesses to comply with CCPA, i.e. the current law. *Not the CPRA*. Most businesses now support CCPA and paid to get compliant. Already sunk cost. The Cal AG has made NO estimated costs for CPRA.
The only body that did an analysis of cost to business is Legislative Analyst Office, and their writeup of the measure did not put a cost down for businesses
I won’t begin to comment on the silliness with the cost for businesses to do compliance and how it is relevant to an agencies size. If your argument was based on revenue of data brokers and size of agency, then more honest debate. But again, CPRA gives us the same size as entire FTC in terms of privacy personnel, and we are 1/8 US Population
Finally, if you actually read the Cal AG budget that I linked to multiple times, it has a budgeted amount it spends on Privacy. Which was proposed and approved by the legislature. It is $4.5m per year for the next 5 years. In govt you have budget and stick to it. CalPPA is over 2x that budget, i.e. much much better.
But you guys at the same time criticizing the size as too much “Prop 24 creates a new state privacy agency that will cost taxpayers $100+m over the next decade” as in that’s bad. Which is it, is $10m too much or too little?
But say a legal privacy matter is so big and important that the CalPPA can’t handle. Guess what, the CPRA allows for the Cal AG to jump and help with what you call “agency wide resources.”
Anyway, thanks for your arguments, and have a good day.