By Allison Grande, LAW 360
October 23, 2020
Law360 (October 23, 2020, 9:12 PM EDT) — The battle over a California ballot initiative that would significantly toughen a landmark state privacy law is heating up, with supporters saying that the measure is necessary to keep consumer privacy protections strong and opponents countering that the changes don’t do enough to limit big companies’ control over personal data.
With just over a week before voting closes, those on both side of the debate are making their final push to influence voters on the California Privacy Rights Act, also known as Proposition 24. The measure would build on the California Consumer Privacy Act in several vital ways, including by creating a new agency dedicated to data privacy and providing consumers with substantial new data control rights that companies would need to figure out how to implement before the changes would take effect on Jan. 1, 2023.
The charge to pass Prop 24 is being led by Californians for Consumer Privacy, an advocacy group founded by Alastair Mactaggart, the real estate developer-turned-activist who proposed a similar ballot initiative in 2018 that spurred the enactment of the CCPA. Mactaggart told Law360 that he was optimistic that voters would back the initiative, which he said was drafted in order to deliver privacy protections to Californians that are on par with the European Union‘s General Data Protection Regulation.
“Our message is that we as Californians need to have the best privacy protections in the world,” Mactaggart said. “In 2019, we saw multiple efforts to convince the state legislature to weaken the CCPA and gut it, so it’s clear that we need a ballot initiative like this, where any future amendments that help consumer privacy can be enacted with a simple majority and anything that hurts consumer privacy would be prohibited.”
The advocacy group released polling results Oct. 6 from Goodwin Simon Strategic Research indicating that 77% of likely voters would vote yes on the ballot measure, while 11% of surveyed voters opposed it. The initiative has received backing from a slew of prominent groups and officials, including Consumer Watchdog, the California Black Chamber of Commerce, the president of the California NAACP and California Senate Majority Leader Robert M. Hertzberg, a Democrat who co-authored the CCPA.
“We’re in good shape, but are still running like we’re in last place,” Mactaggart said.
A dueling campaign urging voters to reject Prop 24 has also emerged, with dozens of groups including the American Civil Liberties Union of California, the California Small Business Association, the California Republican Party, the Consumer Federation of California, Color of Change and the San Francisco Chronicle refusing to back the initiative. The opponents argue that the measure would weaken the CCPA, create a “toothless new state privacy bureaucracy” and cost California consumers and small businesses billions.
“The ballot initiative would roll back the CCPA’s protections and weaken core definitions of the law, while making the biggest companies even more powerful,” Mary Stone Ross, who chairs one of two political action committees that have popped up to oppose the measure, told Law360.
Ross, who helped Mactaggart’s organization draft the 2018 ballot initiative but cut ties with the group after disagreeing with the legislative compromise that was struck to enact the CCPA, also argued that the law would likely prove difficult to update with necessary privacy-friendly changes down the line, given that the measure requires lawmakers to “give attention” to the impact of any amendments on businesses and innovation.
The ACLU and other opponents also object to the ballot measure’s promotion of what they call “pay for privacy.” While the CCPA restricts the ability of companies to discriminate against consumers who choose to exercise their deletion and opt-out rights under the statute, Prop 24 would clear the way for companies to offer loyalty programs, which are premised on consumers disclosing their personal information in exchange for discounts and other benefits.
“Alastair and his group had the opportunity to fix this and were very aware of the harms of pay for privacy, which most often affects people who can’t afford to make a choice and who often don’t know that they’re getting pennies for giving away their sensitive location and health information,” Ross said, adding that voters being asked to weigh in on the 52-page ballot initiative may miss this detail.
She added that while the opposition groups haven’t conducted their own surveys of voters, she has seen some polling that shows support for the measure is around 60%, saying the campaign against the measure feels as though it is within striking distance.
Mactaggart responded to the “pay for privacy” criticism by arguing that the choice should be up to consumers, and a model where companies aren’t allowed to derive value from data likely wouldn’t be sustainable in today’s world.
“Our point is that transparency is important, that it’s important for people to know what they’re getting into and then they make the choice,” he said. “But [those who are against this] don’t trust people to manage their own data.”
Mactaggart added that his group drafted the original 2018 ballot initiative to be “GDPR lite,” based on the theory that if companies were already complying with the European law, they couldn’t complain too much about a California law that contained 75% of GDPR’s requirements. Now, two years later, the measure up for a vote is even closer to the European standard, according to Mactaggart.
“We wanted to overtly harmonize [the EU and California regimes] and put everything that’s good about GDPR and a couple of things that are better into this ballot initiative,” Mactaggart said. “Consumers now have the opportunity to shut the door before the horse escapes, and I hope they take advantage of it.”
Several privacy attorneys who work in California and have been following the ballot initiative closely reported that, while either outcome is certainly possible, the general consensus across the state was that voters will approve Prop 24.
“It’s always felt like there was a pretty strong chance that the ballot initiative would be approved because when you put a question to the public about whether they want more privacy, the answer is usually going to be yes,” said Reece Hirsch, co-head of the privacy and cybersecurity practice at Morgan Lewis & Bockius LLP. “But for businesses, it’s a little more complicated.”
Since the state legislature rushed the CCPA into law in June 2018 to avoid having Mactaggart’s first ballot initiative presented to voters, companies have been working to put in place policies and procedures that allow them to comply with the law’s requirements, to ensure that consumers are able to find out what data companies hold on them, to delete this information and to opt out of the sale of the data. The CCPA took effect on Jan. 1, 2020, and the state attorney general began enforcement activities on July 1.
“Businesses have dedicated significant resources, particularly in the second half of 2019, to address the requirements of this transformative privacy law … and will certainly look to update their policies and practices to ensure they are CPRA-compliant, should it pass,” Meredith Slawe and Mike McTigue, co-chairs of the class action group at Cozen O’Connor, said in a joint email.
The ballot initiative, commonly referred to as CCPA 2.0, would drastically alter the existing consumer privacy laws in several important ways, including by enabling consumers to correct inaccurate data and to stop companies from sharing their data. If the measure passes, these new rules will force companies to quickly revisit the compliance frameworks that they’ve just built and have barely had a chance to test, attorneys said.
“Complying with the ballot initiative is going to involve more granular data mapping and understanding more about who companies are sharing data with and for what purposes,” said Hogan Lovells partner Bret S. Cohen. “So while companies that have worked to get ready for CCPA won’t have to go back to the drawing board, they will have to reassess a number of choices they’ve made under CCPA.”
If enacted, Prop 24 would “make many significant changes to the CCPA, with regard to scope of applicability, compliance duties and enforcement” that companies would need to factor into their compliance efforts, according to Kristen Mathews, a partner in Morrison & Foerster LLP’s global privacy and data security group.
A major change would be the creation of the California Privacy Protection Agency, which, beginning in July 2023, would take over the responsibility currently held by the state attorney general’s office for enforcing privacy violations.
Ross, who also runs her own consulting firm, MSR Strategies, has criticized the plan, calling the new agency an “underfunded paper tiger.” While Ross said that she agrees that establishing a dedicated privacy enforcer is a good idea, she argued that the agency’s $10 million annual budget wouldn’t be enough to complete the work it needs to and would derail vital enforcement efforts that the California attorney general just started in July.
“We don’t even know what’s working and what’s not working under CCPA, so why even change it now before giving this law a chance to work and for enforcement to tell us what this law means?” Ross said.
If the ballot measure passes, the new regulator is likely to present a “mixed bag” for companies, given lingering questions about how the agency will use its funding, what enforcement is likely to look like and whether the attorney general will still have a hand in these efforts, Baker Botts LLPspecial counsel Cynthia Cole said.
Mactaggart noted that the California attorney general’s office has long stressed that it’s a “cop and not a regulator” and has repeatedly voiced concerns over its limited resources to enforce privacy, making a stand-alone regulator in this space vital. Attorneys agree that, if one is established, companies would likely not only get more guidance on the law but face more consequences as well.
“The establishment of the California Consumer Privacy Agency would have a profound impact because it would take enforcement obligations out of the AG’s office, which will probably lead to many more enforcement actions since its work will be focused solely on protecting California citizens’ privacy rights,” said Jeff Dennis, head of the privacy and data security practice at Newmeyer & Dillion LLP.
The proposed law would also give consumers the new abilities to have a business correct the personal information it has about them and to opt out of the sharing of their personal information, which “would be an additional compliance challenge for businesses on top of the consumer’s rights to request information, deletion, and to opt out of sales of their data,” Mathews said.
The sharing opt-out in particular is likely to present a challenge for marketers, which have argued that the CCPA’s restrictions on selling data once a consumer has opted out doesn’t apply to their sharing of data with third parties for cross-context behavioral advertising. The new law would erase this contention by explicitly allowing consumers to opt out of these sharing activities.
“To the extent that companies took comfort in the fact that they didn’t sell data and that reduced their obligations and risk profile, that’s not the case anymore, since almost every company shares data in some way,” said Robert Braun, a partner at Jeffer Mangels Butler & Mitchell LLP and co-chair of the firm’s cybersecurity and privacy group, adding that the new practice “heightens the need for companies to get a handle on their data collection practices.”
Companies would also need to revisit their data-retention policies, given the measure’s requirement that companies inform consumers about the length of time they intend to retain their personal information, as well as reassess what data they hold falls under the new category of “sensitive information,” attorneys say.
Mactaggart touted this expansion, noting that “if folks realize they can tell businesses not to use your sensitive data, including race and ethnicity, to profile you, that’s a huge benefit to not only consumers in general but also communities of color that have raised issues about being digitally redlined.”
Even if the ballot measure doesn’t pass, attorneys stressed that companies will still have their hands full ensuring that they stay up to date with the CCPA, which will continue to be the law of the land.
“Companies will still have to continue their CCPA compliance efforts into 2021 and 2022 even if Prop 24 doesn’t pass,” Hirsch of Morgan Lewis said. “And if it does pass, there will be a new layer to those programs where they’ll have to begin to build out these new rights created by Prop 24.”
–Editing by Breda Lund and Jill Coffey.