In this blog post I am going to dig through the recently posted “Argument Against Proposition 24” that will appear in the Official Voter Information Guide for the November 3, 2020, General Election in California. Prop 24 is the California Privacy Rights Act of 2020 (CPRA) which represents “Version 2.0” of current California privacy law that is known as the California Consumer Privacy Act (CCPA) that passed in 2018 and went into effect in 2020.
If passed this November, the CPRA would go into effect in 2023 and would greatly enhance Californians’ privacy rights while creating a new regulatory agency — the California Privacy Protection Agency (CalPPA) — that will better protect Californians against firms that collect, share and sell our personal data while also being able to levy greater fines for misuse of children’s personal data.
I will cut to the chase and give my executive summary of the arguments the opponents of Prop 24 are putting forth to voters and will provide nitty-gritty details to follow.
Exec Summary of the Fact Check
After a line-by-line fact check of the “Argument Against,” I was frankly shocked how the opponents have decided to message to voters a virtual cornucopia of misinformation regarding Prop 24. Of the 10 paragraphs in the Argument, I easily found that 9 of the 10 contain false and/or misleading statements for California voters. Maybe they thought some of their real reasons for opposition were not persuasive to voters (e.g. the ACLU explained in a tweet thread that their main Prop 24 problem is that they believe the CPRA creates too much “privacy paperwork” — an argument not mentioned in the Argument Against) and decided to go with the throw-the-spaghetti-on-the-wall approach.
It is a shame what their message to voters will be, not only because I believe it is misleading, but if the CPRA fails in November, others will simply cut-n-paste the same tactics and messaging to torpedo any new privacy laws that the Prop 24 opponents or anyone else may back. In other words, by taking this scorched earth approach, the opponents are burning the privacy bridges behind them — their vision of a privacy law could not even make it through a State Assembly subcommittee last year, and if CPRA fails, then there is likely nothing that will happen for years as it relates to privacy.
No doubt their false and misleading attacks will provide cover for business groups to attack Prop 24 (“see, even XYZ civil society group doesn’t support it”). And maybe their opposition is the desire for the perfect and not wanting anything less, or maybe an opportunity to get their name in the paper or voice on the radio, or maybe see an opportunity to tap into some funding … I frankly don’t know. All I know is their arguments in opposition have significant flaws that I will point out in this blog post.
To be clear, there are many consumer and civil society groups that do in fact support Prop 24 and the CPRA, such as the NAACP and Common Sense. In my mind, CPRA does not make the mistake of making perfect the enemy of good enough. It is about putting California on par with the gold standard of privacy laws — the EU’s General Data Protection Regulation (GDPR). The fact is, the CPRA significantly enhances privacy rights vis a vis CCPA, would be the most sweeping privacy law in the US and would be the impetus for a much-needed national privacy law. Hence I support Prop 24.
Background on this Blog Post
I started writing about privacy laws back in November, but note that for 15+ years I was CEO and co-founder of a $100+ million cybersecurity company that delivered solutions to help customers better protect data and meet privacy regulations such as GDPR. In addition, my company itself had to become GDPR compliant given that we ran a cloud service with servers in the EU and US etc.
How did I get to write this particular blog post? Well, I was recently writing a blog post on the California Privacy Protection Agency (CalPPA) — a major feature of the CPRA — and I came across the first published opposition article on the CPRA. I was shocked at how they got a number of things wrong vis a vis the CalPPA, which led me to see if they got their other arguments wrong, which they did, and even their responses to that blog were flawed, which has eventually led me to now write on their recently posted official arguments against Prop 24. i.e. I started pulling a thread and the more I pulled, the more I kept finding that a bunch of misinformation is being pumped out that did not jibe with the CPRA I have researched and written on.
As a disclosure, I am not currently affiliated with or paid by any group/company/etc. No one reviews my blog posts or tells me what to write. Politically I did support (and was a donor to) Elizabeth Warren (who is quite hard on Big Tech) in the primaries, and now support Biden, in case you were trying to figure out my political bent. As I have dug into the CPRA, I did reach out to a supporter and opponent of Prop 24 to get their take. On the supporter side, Californians for Consumer Privacy has responded to my queries. I was introduced to the head of one of the opposition groups in early July and never got a response to the emails I sent, but I have had some interesting back-and-forth Twitter interactions with opponents and have read all their public material.
So here goes …
Paragraph 1: False/Misleading
“Vote NO on Proposition 24 because it was written behind closed doors with input from giant tech corporations that collect and misuse our personal information – while the measure’s sponsor rejected almost every suggestion from 11 privacy and consumer rights groups. Proposition 24 reduces privacy protections by severely weakening your rights under current California law.”
Exec Summary of Verdict:
It is misleading because it implies that the authors of Prop 24 met only with giant tech firms. It is false because (a) it says that “almost every suggestion” was rejected when in fact a number of suggestions were accepted and (b) in fact Prop 24 significantly improves privacy rights in over 12 ways and therefore does not overall weaken privacy.
The first part of the sentence is very misleading when it says “it was written behind closed doors with input from giant tech companies” because it clearly implies that Californians for Consumer Privacy (CCP aka the backers of Prop 24) only met with giant tech companies. The language was written to hint that the backer may be in cahoots and smoking cigars with Zuck given the imagery about “closed doors.” The first part of the sentence fails the smell test for the following reasons:
#1 In a State Assembly hearing on June 12, 2020, which opponents of the CPRA participated in and would have clearly heard this (and even I listened to this hearing from home), the CCP clearly testified that it had met with all stakeholders, not just businesses but also privacy groups, regulators, academics, etc. This was conveniently not mentioned in the Argument. The CCP would have been criticized if they had not met with business … so they are damned if they do and damned if they don’t it appears.
#2 The CCP were the backers of the original CCPA initiative in 2018. Approximately $2m was raised by Google, Facebook, etc. against the CCPA initiative and the CCP, but subsequently the big tech firms dropped opposition when a version of the CCPA was passed by the legislature. So, the big tech companies were not fans of the CCP then, so why would the CCP suddenly flip over and be besties with big tech? Especially in light of the fact that Alastair Mactaggart, the Chair of the CCP, is someone who recently was named Consumer Watchdog’s Citizen Activist of the Year?
Look, the opponents are clearly trying to paint a picture here to unknowing voters that Zuck wrote this law. But the reality is that the folks behind the CPRA are a group that was behind the most comprehensive privacy law in the US (CCPA) and whose chairperson is known as an “activist” for consumers. And this group tried to get feedback from everyone in a responsible manner. And the opponents even wrote the group a letter saying, “We thank you for your work to advance consumer data privacy in California” and the group did in good faith engage with the opponents and others. The opponents know all this, but they decided to go the fool the voters route right off the bat by clearly implying this CPRA thing comes from the lips of Zuck, when their opposition is a debate between very pro-consumer viewpoints (e.g. a Bernie Sanders vs. Elizabeth Warren thing).
The second part of the first sentence appears to be false, or at the very least highly debatable: “while the measure’s sponsor rejected almost every suggestion from 11 privacy and consumer rights groups.”
To me “almost every suggestion” is like a 98% rejection rate. Here are their suggestions in this letter, specifically they wanted changes to 41 sections of the proposed law. Well again, in the same State Assembly hearing, Mactaggart was asked about changes they made based on input from privacy groups, and he listed out many changes that were made for these folks. I read the letter and noted at least 15 changes were made into the final proposed initiative, but I did just a cursory look, no doubt I missed some more.
The former CTO of the FTC, Ashkan Soltani, tweeted out that 27 of the 41 asks were included in some form or fashion.
I don’t know. If someone makes 15 or so changes on your behalf, you would have had to provide 400 requested changes to get to a 95% reject rate (and the number of suggestions did not total 400). Or take Ashkan’s analysis, where 27 of 41 were reflected. Either way, a cursory analysis shows that the “almost every suggestion” claim is overblown to fool the voters.
Finally, the claim that the CPRA “reduces privacy protections by severely weakening your rights under current California law” is in my opinion false. Here is a table of consumer privacy rights comparing GDPR to CCPA to CPRA (see full blog write up here). There are net new consumer rights you get with the CPRA. In fact, I further detail out the 12 ways the CPRA significantly enhances consumer privacy in California. The only article I could find in which the opposition provided any details on how they think it weakens privacy listed 5 arguments, and I fact checked and debunked basically all of them.
But don’t believe me; maybe believe the guy who wrote the book Zucked.
Paragraph 2: I Agree With!
“Make no mistake – the privacy of every Californian is at stake!”
Exec Summary of Verdict:
I will liberally interpret this as CPRA being important to the privacy of Californians, so I won’t complain about this one 😊.
Paragraph 3: Misleading
“The real winners with Proposition 24 are the biggest social media platforms, giant tech companies and credit reporting corporations who get more freedom to invade the privacy of workers and consumers, and to continue sharing your credit data. Here’s what they won’t tell you about the 52 pages of fine print:”
The opponents have provided no public supplemental information to back that claim, while numerous independent analyses state that businesses will face more obligations and more enforcement with the CPRA. I think a cursory view of the tables I show below will make it clear that it is false that businesses “get more freedom.” They are also possibly misrepresenting the sharing of credit data as I will detail.
I have done months of analysis comparing CCPA and CPRA, and here is a summary comparing GDPR vs. CCPA vs. CPRA as it relates to additional business obligations and enforcement. If you want the nitty-gritty details, which I detail in the links in the last sentence, the analysis shows that the CPRA is stricter vis a vis business.
Legal experts agree, e.g.
As does the International Association of Privacy Professionals (IAPP) who said the CPRA “would create a much broader set of privacy rights and obligations than the CCPA” and even provided a top 10 impactful assessment of the CPRA.
Opponents have provided no detailed public information to back up their claims, meanwhile the independent analysis (including my own) shows that CPRA is stricter than CCPA. To be candid, I think the opponents know once they provide some details, that means more threads get to be pulled, so I bet they keep it high-level with the good old Fear Uncertainty Doubt (FUD) strategy. But we shall see.
Regarding the whole credit reporting thing, suffice to say as is the case with healthcare data covered under HIPAA and financial data covered by GLBA, state laws like CCPA and CPRA are limited in regulating credit reporting bureaus because of the Fair Credit Reporting Act (FCRA). In other words, the Federal government carefully regulates the sharing of credit data, and this write-up certainly gives the impression that CPRA would negate the FCRA laws regarding sharing of data. It can’t. Until the opponents provide more details in a public forum, which they have not, this blanket statement should have been more caveated as to the cases in which they believe credit reporting firms can willy-nilly share your credit data under the CPRA. Until they do, on its face this appears to be a misleading statement.
Paragraph 4: False/Misleading
“Proposition 24 asks you to approve an Internet “pay for privacy” scheme. Those who don’t pay more could get inferior service – bad connections, slower downloads and more pop up ads. It’s an electronic version of freeway express lanes for the wealthy and traffic jams for everyone else.”
What they don’t tell you is that what they consider a “pay for privacy” scheme is in the current CCPA law, but they are selling it to you as something that would be in CPRA. And none of the bad things they are talking about is happening now with CCPA being in effect (i.e. please show me the traffic jams they allude to), which tells you a lot about the scenario they are painting. If anything, CPRA improves what they consider this scheme. But they paint the picture that this is a new feature to CPRA, which it is not.
Let’s step back here and try to unpack this. As we know some companies have business models where they don’t charge consumers for their service, but they derive revenue in using your data in various ways. The existing CCPA, specifically Section 1798.125, says in sub-section (a) that a business cannot discriminate against you if you opt out or exercise any other CCPA rights like request to delete etc. (but fun fact: the CPRA actually adds more consumer privacy rights like Right to Correct!).
But sub-section (b) says “a business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information,” and, more germane to this argument, it says “A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the business by the consumer’s data.” But that fee cannot be “unjust, unreasonable, coercive, or usurious in nature.”
That’s the current law, and privacy groups historically don’t like (b). If they want to call it pay for privacy, fine.
The groups not supporting Prop 24 wanted the CPRA to change this. This is what they wrote back in October on this subject (same letter I previously referenced above):
If one were to do a cursory comparison of that section in CCPA and CPRA, the CPRA does change the language of section 1798.125, and it actually tightens up a bit in a pro-consumer way by adding to sub-section (a) that you can’t discriminate against an employee or an applicant, and it changes up (b) to add if a consumer refuses to provide opt-in consent, then the business must wait 12 months before their next request.
So, they say the CPRA “approves” this alleged scheme, when in fact it already was “approved” by the legislature with the CCPA passing in 2018. If anything, the CPRA changes are more pro-consumer in this area. But the real issue is that the opponents really wanted 125(a)(2) & (b) removed, per their own letter, and with the CPRA they did not get all that they wanted, so they are attacking the incremental improvements it does make by falsely saying it makes things worse. If they said “we hate this feature in the current CCPA law and we don’t like the new proposed law because it does not completely strike it out” that would have been their truthful argument, but instead they spin the CPRA as worse than CCPA when it is not. Just compare the same section from the two laws. And ironically if CPRA fails, you still got their vision for “pay for privacy” as the law. It appears they would rather not have incremental changes, but rather their pure vision. Who knows.
And frankly, if they explained what they really wanted, some consumers may say gee I really don’t agree with your argument, i.e. maybe businesses should have the right to charge for their free service if consumers don’t let them use the consumer’s data in certain ways. So, maybe what they really want is not a winning argument anyway (e.g. the privacy bill they backed in 2019 did not make it out of committee in the State Assembly), but it is clear they are making the water muddier.
Paragraph 5: Misleading
“Currently, employers can obtain all kinds of personal information about their workers and even job applicants, including things like using a pregnancy tracking app, where you go to worship or if you attend a political protest. Proposition 24 allows employers to continue secretly gathering this information for more years to come, overriding a new law that lets workers know what sensitive private information their bosses have beginning January 1, 2021.”
Well, this argument clearly implies to a voter that employers can ignore Federal and State employment discrimination laws under CPRA, which is not true. Second, CPRA actually adds the concept of Sensitive Personal Information for the stuff they mention (like geolocation, health issues such as if you have cancer or are pregnant, your religion, union membership, sexual orientation, etc.) and allows you to limit its use (e.g. OK to let Uber know my location specific for a pick up, but not use that data for serving me ads to nearby restaurants or selling my location to data brokers). Third, CPRA in fact further enshrines employee privacy rights vis a vis the CCPA.
Basically, the opponents are hinting that Federal and State employment laws for businesses can be ignored with the CPRA in place. Are you kidding me? Say a business “secretly gathered” data on you as an employee, but did so by hiring a Private Investigator who tailed you (i.e. nothing to do with online data), and found out that you went to a church, and then fired you because of it, then the employer may find themselves getting their butts sued. Any internal HR or legal team would freak out if they heard of an employer doing that stuff, either with a Private Investigator or buying data on employees via a data broker. Each year most businesses in California get HR Training, and gathering data like that type of information is a big no no.
But OK, maybe some idiot employer will still try to obtain sensitive personal data, and make business decisions based on that, and is willing to blatantly ignore Federal and State discrimination laws which have only been getting stricter. Guess what, with the CPRA, consumers can now limit use of that sensitive personal data, so even if some knucklehead employer wanted to buy your Uber geolocation data, you as a consumer could check “limit use of my sensitive data” and/or “do not sell and share my personal data.” Here is some text from the CPRA regarding sensitive personal information
The backers of Prop 24 actually market this as a major feature.
Specific to employees, the CPRA clearly has enhanced privacy rights for employees. For example, it added E below (in bold)
But look, until they provide detailed justification for these broad-brush claims, they really don’t pass the smell test. But if any opponents disagree with my assessment, please publish your justifications for all your arguments with corresponding detail, e.g. a page or two on each paragraph in this Argument. Show us the beef. I am providing at least a one-page assessment of each one of your arguments, please show us similar depth/analysis for each one of yours. I can only work with your blanket statements that on the face of them seem misleading and/or false.
This is getting long, so will break into Part 2.