The California Privacy Protection Agency during its Friday meeting pushed back against the specter of federal preemption, highlighting how the recently introduced American Privacy Rights Act (APRA) would virtually defang the agency.
The bipartisan bill, sponsored by Sen. Maria Cantwell and Rep. Cathy McMorris Rodgers, would eliminate the floor of rights Californians have right now and take away California’s ability to pass and enforce its own privacy laws in the future.
“I appreciate Congress’ efforts to protect people’s privacy,” said CPPA Chair Jennifer Urban. “I in no way want to undermine Americans’ privacy, but 9.4 million Californians voted for strong privacy protections, and they voted for a floor under those protections to keep them strong so they can be built on, but they cannot be diminished easily. Congress should do the same.”
Agency member Alastair Mactaggart, who helped spearhead four years ago Proposition 24, which gave residents new control over how companies collect, share and sell personal information, voiced concern about loopholes that businesses could exploit.
“Once again, it’s sort of a wolf in sheep’s clothing,” said Mactaggart, alluding to the previously stalled federal privacy bill, the American Data Privacy and Protection Act (ADPPA), which the agency also opposed. This new bill, the agency said, is “quite similar” to the ADPPA, which failed to move forward in 2022 after concerns raised by then-House Speaker Nancy Pelosi.
APRA would turn on its head years of progress in the data privacy space in California, shifting responsibilities to the Federal Trade Commission, which would have two years from when the law is in effect to draft regulations. The CPPA is already enforcing the law and is in the middle of crafting bellwether regulations for Artificial intelligence and algorithms.
APRA would also allow for companies to take advantage of sensitive information such as sexual orientation, union membership and immigration status, as those categories are not included in the definition of sensitive covered data under APRA.
A total of 18 states have consumer privacy laws that would be superseded by APRA, most recently Maryland.
Consumer Watchdog outlined what rights Californians would stand to lose, as well as Cantwell’s ties to Microsoft, which is supporting her bill.
Later during the agency’s meeting, members voted to support a bill that would strengthen privacy rights for those under 18. The bill, AB 1949 (Wicks), would raise the consent age from 16 to 18 for businesses selling or sharing a consumer’s personal information. It would also eliminate the so-called “knowledge standard” in which businesses have to actually know if a person is under 18. Without actual knowledge, the business would be prohibited from selling or sharing the consumer’s personal data without authorization.
Some privacy groups are concerned the bill will do more bad than good, and spur companies to collect more data on people.
Drew Liebert, newly appointed to the agency, disagreed.
“I think they are doing an extraordinary job of scooping up on data already,” said Liebert, who was Chief Counsel to the Assembly Judiciary Committee for 18 years, working on a lot of tech policy. “I don’t know how concerned we should be about that.”
Consumer Watchdog supports the bill.
The agency voted unanimously to support AB 1949 if amended to maintain the knowledge standard.
The agency wrote in its memo:
“Given the tension between updating the actual knowledge standard and protecting users’ privacy, staff recommends a balanced approach: to either maintain the actual knowledge standard or establish in statute an alternative standard, such as that the business, ‘knew or should have known that the consumer is less than 18 years of age,’ based on factors suggesting the consumer is a child, such as the nature of the product or service offered by the business, consumer demographic information; market research, the results of product testing, and reasonable inferences.”

Privacy In The News
Latest Privacy Report