The California Consumer Privacy Act is the nation’s first comprehensive commercial privacy law, and Consumer Reports has been working to defend and expand it since it was signed into law in 2018. The fact that California residents now have the legal right to access, delete and control the sale of their information is a major step forward, especially as the federal government has failed to take action to protect online privacy.
That said, the CCPA was in some places drafted sloppily — its loopholes pose a big problem. Many companies are adopting extremely narrow interpretations of the bill’s protections to render them nugatory and just continue business as usual. Further, the CCPA’s opt-out model leaves consumers responsible for opting out of hundreds of companies one by one if they want to protect their privacy. Clearly, work needs to be done to bring companies into compliance with the CCPA’s original goals and expand the CCPA beyond its original goals to make it more workable for consumers.
Prop. 24, the California Privacy Rights Act, which recently qualified for the Nov. 3 ballot, would fix several significant problems with the CCPA to help it more fully realize its original goals. In the short term, the CPRA could benefit consumers by closing up targeted advertising loopholes, strengthening enforcement and preventing the legislature from weakening the law. But its long-term impacts on privacy are less clear: The ballot initiative introduces new complexities and ambiguities that could well be exploited by companies. Even worse, there’s a risk that the CPRA sets a ceiling on reform and would hamper new efforts to achieve a better privacy model. And it misses opportunities to meaningfully improve the CCPA — to ensure privacy by default, for everyone, not just those who can afford it.
Below, we explore these points in more detail.
The CPRA adds a number of new protections to the CCPA and closes a number of loopholes that companies are taking advantage of to avoid reforming their data practices. Given widespread and bad faith misuse of these loopholes, including from some of the biggest tech companies, and the fact that the California legislature in recent years has come closer to watering down the CCPA than addressing any weaknesses, the CPRA could substantially improve upon the CCPA in the short term.
Closing targeted advertising loopholes
If passed, the ballot initiative would help consumers by giving them better control over data shared to deliver targeted advertising, since the CCPA’s definition of sale and the service provider exemption have been abused to get around the opt-out. This is a real problem: Not only have Facebook and Google declared themselves outside of the CCPA’s opt-out, but others have done so, as well. Spotify, for example, tells consumers that they “do not sell personal information,” as defined by the CCPA — meaning that they are not legally obligated to honor the CCPA opt-out — even though they provide information to advertising partners to deliver “interest-based advertising.”
How are they allowed to get around the CCPA? Some dubiously claim that data transfers for targeted advertising purposes aren’t a sale because money isn’t necessarily exchanged for data. For example, retailers may send advertising technology platforms both money and data collected about consumers to target ads on multiple sites. Thus, under this interpretation of the CCPA, consumers can’t stop the disclosure of their information, even though the legislature explicitly rejected efforts to amend the CCPA to carve out data shared for online ads through the vehicle of Senate Bill 753 (2019). The service provider exemption in the existing CCPA is a problem, as well, as some have interpreted it to claim that hundreds of unknown companies may be considered “service providers” of a publisher for delivering targeted ads.
CPRA helps address this by giving consumers new control over the sharing of information, which explicitly includes data shared for cross-context targeted advertising. It also clarifies that cross-context targeted advertising is not a permissible business purpose, thus removing it from the service provider exemption.
Companies typically ignore laws that aren’t properly enforced, so the CPRA could do some real good by meaningfully strengthening enforcement. The CCPA’s enforcement provisions are far too weak, and California's Office of the Attorney General has said that they only have the resources to enforce a few privacy cases a year. The CPRA would address one of the worst problems with the existing CCPA by removing the “right to cure” language in the attorney general enforcement section. This provision is a get-out-of-jail-free card that would sap the attorney general’s already-meager enforcement capabilities. The right to cure is particularly misguided in privacy law because once data is improperly shared, it’s not clear how the company could cure the violation. The ballot initiative would also create a new agency that is entirely focused on implementing and enforcing the CCPA, which also could help put some teeth behind the measure.
Floor on weakening amendments
The CPRA, if approved by the voters, should prevent industry from further weakening the CCPA. The CPRA can be amended by the legislature only if it is consistent with and furthers the initiative’s purposes (more on that below) and intent “to further protect consumers’ rights, including the constitutional right to privacy” (Section 3). Given that legislators introduced a raft of bills in the 2019 legislative session in order to weaken the CCPA — including SB 753, the wholesale targeted advertising exemption — this could have a significant positive impact. While the worst of them, such as SB 753, were stopped, several were signed into law, and Consumer Reports–supported bills to strengthen it failed to advance.
The CPRA could provide an important backstop against efforts to roll back protections, enabling privacy advocates and consumers to devote fewer of their scarce resources to preventing the law from being gutted and to focus on implementing the CCPA effectively.
Yet, the ballot initiative introduces some problematic elements to the new privacy law, as well.
For example, the initiative is confusingly drafted, making it even more difficult to evaluate the CPRA and its future impacts. It includes ambiguous and contradictory language, raising the prospect that industry — which has the resources to devise and litigate anti-privacy interpretations of the CCPA — could use the initiative in ways that hurt consumers, as they have already done with the CCPA. And it could forestall more aggressive privacy reforms in the future: As noted above, the CCPA forces too much responsibility onto users to chase down and exercise their privacy rights.
A better law would protect privacy by default, but the well-intentioned ballot initiative could potentially be interpreted to prevent the legislature from passing such a law.
Confusing universal opt-out
The ballot initiative creates a confusing mechanism for consumers to exercise their rights to stop the sale or sharing of their personal information. One of CR’s top short-term priorities is to ensure that consumers aren’t forced to go to every company to stop the sale of their information — that there is a global opt-out that companies are required to honor so that consumers can take one simple step to protect their privacy. Given that there are more than 300 data brokers on the California attorney general’s data broker registry alone, not to mention the hundreds of other companies with which consumers have interacted, consumers seeking to fully protect their privacy have to take on a heavy burden to opt out. Making matters worse, some companies are making consumers jump through hoops — like downloading a separate app — to complete a single opt-out, further rendering the opt-out unworkable.
In an important move, the California attorney general recently submitted final CCPA rules that require companies to honor a global “Do Not Sell” browser signal. In contrast, the ballot initiative mandates that companies that don’t want to put “Do Not Sell” links on their page honor a global opt-out but is contradictory as to whether other companies must do so or not — at least some law firms and reporters are interpreting this language as making compliance with global browser signals optional.
As a result, the ballot initiative could reduce choices for consumers and make it even more difficult for them to opt out, in comparison to the CCPA rules. Ideally, consumers wouldn’t be forced to go out of their way to opt out of the sale of their information to data brokers — it should be automatic. At the very least, opt-out mechanisms need to be simple, universal and easy-to-use, and the ballot initiative’s construction is ambiguous at best.
Potential ceiling on pro-privacy amendments
While the initiative places a floor on weakening amendments, it includes ambiguous language that could be exploited to throw out legislation that would significantly improve the CCPA — for example, as noted above, the initiative states that the legislature may only enact legislation that is consistent with the initiative’s stated purposes.
However, not all of the initiative’s purposes are clearly pro-privacy, and some could be interpreted to state the initiative is designed to calcify a particular (and relatively weak) mode of privacy protection. Section 3(b)(4) states that it is the purpose of the initiative to afford consumers opt-out rights over the sale and sharing of their data. Section 3(c)(3) states that it is the purpose of the initiative to empower consumers to knowingly and freely negotiate with a business over its use of their data. A court could determine that laws that would protect data sharing by default or that would ensure that companies can’t charge consumers for exercising their privacy rights could be inconsistent with these purposes (Consumer Reports supported California Assemblymember Buffy Wicks’s Assembly Bill 1760 (2019), which would achieve these objectives).
A recent court case, B.M. v Superior Court, seems to admit in dicta that “legislative amendments must further every purpose of an initiative.” We hope that a judge would point to other purposes in allowing the legislature to enact more aggressive reforms, but it is certainly not clear. It might also make it difficult for the legislature to undo the CCPA’s broad preemption language to allow municipalities to pass local ordinances on privacy, such as a facial recognition ban in shopping centers. As the CCPA and CPRA should really be considered a stopgap policy solution that should eventually be replaced by a more comprehensive and robust regime, the prospect that the initiative could freeze legislative progress is a worrying one.
The CPRA deserves to be evaluated on its own terms, but at the same time, we’re disappointed that the ballot initiative misses key opportunities to make the CCPA more workable for consumers.
A better model would honor consumer privacy by default, by including strong data minimization language limiting data collection, use and disclosure only to what is necessary to provide the service requested by the consumer. Stronger bills, such as Sen. Sherrod Brown’s (D-Ohio) Data Accountability and Transparency Act of 2020 and Wicks’s Minimization of Consumer Data Processing Act, offer a better alternative than CPRA’s clunky opt-out mechanisms. And the CPRA could have ensured that consumers can’t be charged higher prices or discriminated against simply for exercising their privacy rights. In March, Washington state nearly passed a privacy bill with strong language banning pay-for-privacy schemes.
The CPRA misses the mark on both counts. Whatever becomes of this ballot initiative, we urge legislators to continue to work to address these problems.
The CPRA offers important incremental reforms in the short term, but the long-term impact is cloudy and potentially harmful. Still, we’re encouraged by strong polling in favor, which confirms that consumers are eager to have their privacy protected — if only there were effective laws to enable them to do so.
Photo by Paul Hanaoka on Unsplash