This blog post is part 2 of me digging through the recently posted “Argument Against Proposition 24” that will appear in the Official Voter Information Guide for the November 3, 2020, General Election in California. Prop 24 is the California Privacy Rights Act of 2020 (CPRA), which represents “Version 2.0” of the current California privacy law known as the California Consumer Privacy Act (CCPA). The group behind the CPRA, Californians for Consumer Privacy (CCP), is the group that was the backer and architect of the CCPA.
In part one I looked at the first 5 of the 10 arguments the opponents made in the Voter Information Guide, and unfortunately I found 4 of the first 5 to contain false and/or misleading statements. Suffice it to say, it does not get better during the second half of the arguments. Before I get into the nitty-gritty details of each of the remaining arguments, I will share some misc. high-level thoughts on the opposition to Prop 24.
If you were, say, a citizen of a European country who has the robust privacy rights afforded to them via the GDPR (the European Union’s comprehensive privacy law), and were quickly briefed on Prop 24, you would think that the opposition that submitted the Arguments against Prop 24 would likely be business groups, e.g. the data brokers who buy and sell our personal data and/or the Big Tech companies whose business model involves mining our personal data and selling microtargeted ads to advertisers.
But instead, the opposition on the Voter Information Guide is from a small group of civil society groups. Now, to be very clear, civil society groups like the NAACP and Common Sense do support Prop 24, as do unions like the Firefighters, so there is weighty support for Prop 24 from civil society groups.
Digging a bit deeper into the opposition, you then find that the opponents actually supported a bill that encapsulates their vision for a privacy law here in California, but their bill could not even make it out of a subcommittee in the California legislature in early 2019, so the dogs were proverbially not eating their preferred dogfood. And courts and legal experts have also weighed in that some of their privacy proposals are unconstitutional. So even if they magically got more support for their vision, the resulting law would likely be shot down. They are in effect the privacy “absolutists.”
On the supporting side of Prop 24 are what I consider to be the privacy “pragmatists” who want to significantly move the ball forward privacy rights-wise and do so in a way that would withstand Court challenges. This is in effect what the backers of Prop 24 (aka Californians for Consumer Privacy) are about, and they have considerable credibility at this because they are the ones that brought us “Version 1” of California’s privacy law, the California Consumer Privacy Act (CCPA).
To me this is analogous to the early years of the Obama Administration and the healthcare debate, where at that time there was a small group on the Democratic side that wanted a Medicare for All proposal pushed forward vs. the proposal that became the Affordable Care Act (ACA aka Obamacare). I am not saying that now in 2020 there is not a greater willingness to have Medicare for All among Democrats, I am talking about the 2010 timeframe when the appetite was not as pronounced. Now imagine if that minority in 2010 were absolutists and held out for only their vision/proposal, and voted against the ACA, thereby denying it passage — the result would be no healthcare for 30 million people. And note that even with 10+ years of ACA, we still don’t have Medicare for All, and the ACA has been chipped at by industry, but it has withstood an onslaught of Court challenges so far.
Based on my analysis in this blog post, the current CCPA gives California residents 50-60% of the online privacy rights that the gold standard of privacy laws — the EU’s GDPR — gives its citizens, while the CPRA gets us to over 90% parity with the GDPR. And does so in a way that is NOT likely to be thrown out by a Court. So, to me the opponents to Prop 24 are willing to sacrifice the pretty damn good for the perfect, and in effect are willing to deny Californians a significant upgrade and a host of new privacy rights, with really no chance of their Privacy Plan B making it through the legislature let alone the Courts.
So, the current mini debate over Prop 24 is more of an intramural disagreement between privacy and civil society groups, i.e. both are pro-privacy. Which is perfectly fine, and I was willing to sit and eat popcorn and silently watch the philosophical debate.
Unfortunately, we are not in for that high-minded debate regarding privacy. Instead the opponents are casting the backers of Prop 24 as working “behind closed doors” with Big Tech, and in effect their arguments imply Zuck et al drafted up Prop 24. In other words, they are serving up a cornucopia of misleading information about Prop 24, which has led me to feel reluctantly compelled, as someone that has been writing on privacy laws for the last 9 months, to spend time as of late identifying the quacking and waddling of their misinformation ducks. I assume they realized that their real main reasons for opposition (e.g. the CPRA creates in their mind a “privacy paperwork” burden) would not light up voters to vote no, so they are going the throw-the-mud route, with the hope that voters don’t know who to believe and get confused, and the voters decide to “opt-out” of upgrading their privacy rights.
The opponents probably also know that what they are doing is providing cover to business groups, including Big Tech, to also go against Prop 24. What they may not have thought through is that they are also providing a straightforward blueprint for anyone else to copy-and-paste their tactics and messages to scuttle future privacy laws. So, if successful, they are dooming California residents to not get privacy parity with Europeans any time soon. Furthermore, as I spelled out in this blog post, defeat of Prop 24 would likely result in a less than comprehensive Federal privacy law, if at all, or a watered down law that preempts even the rights we now have with the CCPA. To quote Jefferson in the musical Hamilton: “every action has an equal opposite reaction.”
Is the CPRA perfect? Like the ACA or any law, no. But my view is it gets us very close to the gold standard GDPR. The ACA gave healthcare to 30 million Americans, the CPRA gives additional privacy rights to 40 million Californians. Another analogy is that the CPRA is the second major base camp on our journey up the privacy and data protection mountain, thereby giving us a better starting point to take things further up the mountain versus being snowed in and stuck on the first base camp.
OK, enough editorializing and analogies, let’s get back to the fact-checking, and like before, it is not pretty. We will look at the second half of their arguments, with the first half being covered in Part 1.
The Nitty-Gritty Details
Paragraph 6: False/Misleading
“Under California law, your privacy rights follow you wherever you go. But with Proposition 24, the minute you travel out of state with a phone, wearable device, or computer, big tech companies are allowed to capture the health, financial, and other confidential information you stored on your device.”
Exec Summary of Verdict:
This implies that the CPRA somehow lets big companies violate federal cybersecurity laws that protect against companies hacking into your computer and stealing your personal files when you are out-of-state. But even if the CPRA allowed it, which it does not, the CPRA takes a back seat to Federal laws, and this would not be a permitted activity for “big tech companies.”
Let’s look at how an average voter would interpret their write-up: say I created a spreadsheet with my financial information (including bank accounts) and maybe also created a Word doc with some health information (such as medical visits, prescriptions and/or treatments) and I store those files locally on my D: drive on my laptop computer. i.e. this 100% maps to this bit about “confidential information you stored on your device.” So, I now have confidential information stored on my device like they write about.
Next, in the scenario they painted, the opponents are implying that the “minute you travel out of state,” “big tech companies” (even ones with which I may not have any form of relationship, so there is no caveat about which big tech companies) can immediately (i.e. “the minute”) figure out where I am and say “aha, he is out of State.” They then have the right to magically try to log into my laptop, rummage around my computer and figure out where I store my local sensitive personal files, and then have the right to upload the files.
That is what the average voter is going to think when they read their argument. But even if their view were the correct legal interpretation of the CPRA (having stared at it for hours, I can’t see how they came to that conclusion, nor do they provide any supporting information for their interpretation), the reality is that the CPRA takes a back seat to Federal laws. Thus, in this scenario, this would be illegal per Federal cybersecurity laws, so not something that could happen. See Section 27 of CPRA regarding severability.
Paragraph 7: False
“You can set web browsers and cell phones to send a signal to each website you visit and app you use to stop selling your personal data, so you don’t have to think about it each time. Proposition 24 would allow companies to disregard those instructions and shift the burden to you to notify each and every website and app individually to protect your data.”
Exec Summary of Verdict:
I don’t need a detailed writeup on this one; this is false. Specifically, 1798.135(e) of the CPRA says … “and a business shall comply with an opt‐out request received from a person authorized by the consumer to act on the consumer’s behalf, pursuant to regulations adopted by the Attorney General, regardless of whether the business has elected to comply with subdivision (a) or (b) of this Section.” So, the bit after the word “regardless” makes it clear that this is not optional.
Paragraph 8: False
“Proposition 24’s new enforcement agency sounds good, but when tech corporations get caught violating your privacy, all they have to do is cooperate with the agency and their only penalty could be a slap on the wrist.”
Exec Summary of Verdict:
No, this is false. As I documented here in a comparison of enforcement between GDPR vs. CCPA vs. CPRA, the CPRA is slightly more punitive when it comes to civil fines than CCPA (e.g. when it comes to fines involving minors’ data). Specifically, if the PPA determines a violation has occurred, it can issue a cease and desist order, as well as order an entity to “pay an administrative fine of up to two thousand five hundred dollars ($2,500) for each violation, or up to seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers to the Consumer Privacy Fund within the General Fund of the state.” [§ 1798.199.55] That is per violation, so if they ignore privacy rights for 1000s of consumers, that is 1000 x $2500 (or $7500 if the violations involve children or are intentional). That is not a slap on the wrist.
Paragraph 9: False/Misleading
“California’s new privacy law just took effect this year. Smaller businesses spent a lot of money to comply with the new regulations. Before we even know how this new law is working, Proposition 24 rewrites it, forcing smaller businesses to absorb even more costs at a time that the economic slowdown has many businesses on the verge of closing their doors.”
Exec Summary of Verdict:
False and misleading. The California legal definition of small business is firms under $15 million in revenue, and the CPRA does not apply to firms under $25 million in revenue unless they process personal data on 100,000 consumers or more. With the CPRA, this is in fact an increase from the 50,000 in the CCPA. So, the CPRA in fact raises the bar on who must be compliant, so fewer businesses need comply. Furthermore, there is no study that shows that the CPRA would add costs. In fact, the Legislative Analyst Office explicitly said the economic impact is unknown. Finally, it is hypocritical for opponents to cry about how we don’t know how the CPRA is working when they tried to ditch it with their own privacy bill.
The legal definition of small business in California is this: 100 or fewer employees and average annual gross receipts of $15 million and under. So, what sized businesses does the CPRA apply to? Businesses that:
(1) have gross revenue greater than $25 million in the preceding calendar year; OR
(2) buy/sell/share personal information on over 100,000 consumers or households; OR
(3) derive 50% or more of their revenue from selling or sharing consumer personal information.
So most “small businesses” don’t have to comply with CCPA. The CPRA actually tightened up which businesses are covered: it increased the 50k threshold for consumers/households that we had in the CCPA to 100k and dropped “devices” as one of the things counted. It further added the text “in the preceding year”, thereby raising the bar a bit more on which businesses have to comply. So, the CPRA is actually better for small businesses in terms of who has to comply than the current existing CCPA law.
Furthermore, their claims about “costs” are not substantiated by any published research. The Legislative Analyst Office looked at Prop 24 and said, “unknown impact.”
Finally, this statement that “Before we even know how this new law is working, Proposition 24 rewrites it,” is hypocritical. The opponents of Prop 24 had no problem promoting their own preferred privacy bill in early 2019, called the “Privacy for All Act,” which got pulled before it could even get a sub-committee hearing. So, they seem to be perfectly fine with their own bill not seeing how the CCPA “worked and didn’t work,” but if someone else does it …
Paragraph 10: False/Misleading
“Proposition 24 was written to accommodate big social media platforms and the Internet and technology companies that spend tens of millions of dollars a year to lobby government at all levels to avoid laws that hurt their profits. Proposition 24 is a bonanza for them – and a big step back for consumer privacy.”
Exec Summary of Verdict:
This is a repeat of the prior points. The fact is that CPRA was written by privacy advocates that these big tech companies spent $2 million against just in 2018. The backers of the CPRA met with all parties to get their input. I have detailed that the CPRA adds more privacy rights and adds more business obligations and enforcement.
But don’t believe me, here is what the CFO of Facebook describes as a “headwind” to their business in their Q1 2020 earnings call: “Yes, I mean the targeting headwinds are having an impact on the business, … We continue to see the three factors around targeting, and this hasn’t changed the regulatory pressures with GDPR and CPPA and similar regulations.”
So regulatory pressures such as the CPRA (which gets California to 90%+ parity with GDPR vs. the current law, the CCPA, at 50-60% parity) are perceived as “headwinds” by “big social platforms” and are therefore not “accommodating.” This regulation puts pressure on social media platforms and is what could potentially “hurt their profits.”
It would be nice to have the debate about how much additional regulation should be out there with respect to privacy and data protection, vs. falsely claiming the CPRA rolls back regulation.