The California State Assembly held a hearing June 12 on the California Privacy Rights Act, formerly known as "CCPA 2.0." Most "attended" the hearing virtually and offered testimony over the phone given COVID-19 precautions, but Assemblymember Ed Chau, D-Calif., hosted in-person CPRA author Alastair Mactaggart, as well as witnesses from Consumer Reports and the California Retailers Association.
While Mactaggart was steadfast in his testimony that the CPRA should it make it to the California ballot, only enhancing the CCPA, the prevailing concern among those who testified was the timing. California's Office of the Attorney General just issued the CCPA's final regulations a couple of weeks ago, and businesses are desperately trying to get compliant. Why is now the right time to throw another law at them?
As noted in an analysis recently, among other outcomes, the CPRA would modify CCPA rules by:
- Further clarifying the definition of "sale" as related to consumer data.
- Creating a "limited exception" to deletion and access rights.
- Exempting an increasing number of small businesses from the law.
- Creating a new category of personal information on "sensitive data."
- Allowing consumers to correct inaccurate information.
- Extending the "lookback" period for consumer access to the information collected about them.
- Placing new obligations on service providers.
For a comprehensive look at the CPRA's top-10 impacts, see IAPP Research Director
But Mactaggart said it's his "profound conviction" that the CPRA only builds on the CCPA, citing CPRA's enforcement date of 2023. "There's a long runway here," he said.
Besides its timing, a number of groups testified in opposition to some of CPRA's provisions. Maureen Mahoney of Consumer Reports testified that while the CPRA would strengthen enforcement provided a new agency dedicated to the cause and the right to correct, there are problems.
Specifically, Mahoney cited the bill would create a "convoluted mechanism for consumers to opt out" of the sharing or sale of their data.
"One of our top priorities is to make sure there's a universal opt out so consumers don't have to go to every single company to opt out," after all, she said. "There are 300 data brokers on the California data broker registry alone."
Ariel Fox Johnson, CIPP/US, of Common Sense Media testified that in some places the proposal is more business-friendly than consumer-privacy protective. She applauded a provision within the CPRA that calls for data minimization, she took issue with language that bases the duty to minimize on a businesses' purposes and not a consumers' expectations.
She also took issue with certain changes in definitions from the CCPA to the CPRA that "do not advance consumer privacy." Namely, she said, publicly available information has been changed from "lawfully made available by government" to information that "a business has a reasonable basis to believe is lawfully bade available to the general public by the consumer or from widely distributed media ... ."
"This is a broad, somewhat confusing definition, and we worry that a lot of information inadvertently shared online could receive no protections — for example, enabling Clearview-style scraping and profile building, if a consumer has not set their settings correctly," she testified.
Finally, witnesses testified that despite Mactaggart's success using a ballot initiative process to get a law on the books previously, that's not the appropriate method this time around.
"I wish to remind you of the history of the CCPA," testified Mary Stone Ross, co-architect of the CCPA ballot initiative. "Respectfully, we needed an initiative to get you to pass it. But it worked, and California now has the most comprehensive privacy law in the United States, a model that other states and perhaps even the federal government will follow. We no longer need a privacy initiative to get Sacramento’s attention. As you know well, privacy legislation is complicated."
She called for a process negotiated through the legislature "by elected officials who answer to the people who voted them into — and out of — office."
For now, it remains to be seen whether the CPRA will make it to the ballot in November. California government officials are in the process of verifying the signatures, though Californians for Consumer Privacy has announced that it has collected about 900,000 signatures, while 675,000 valid signatures are required to make it to the ballot.
The group last week sought a court order to get California officials to conduct the count before the deadline for ballot inclusion, June 25.