TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | On keynote stage, Mactaggart addresses his 'new' CCPA Related reading: CCPA activist begins new Calif. privacy initiative


Everyone at the Privacy. Security. Risk. stage Wednesday was expecting to have one specific conversation: How about those recent California Consumer Privacy Act amendments? What no one but one man knew until the night before, including the panelists to take the stage, was that another conversation would supplant those plans. On Tuesday, news broke that Alastair Mactaggart, the co-architect of the CCPA, would introduce a citizen's initiative more stringent than the CCPA. 

The new initiative, called "The California Privacy Rights and Enforcement Act of 2020," will appear on the November 2020 ballot in California. It would create "new rights around the use and sale of sensitive personal information," provide enhanced protection for children by "tripling CCPA's fines" on violations of children's privacy and require opt-in consent to collect data from anyone under 16 and establish a new privacy regulator, the California Privacy Protection Agency, to bolster enforcement outside of the attorney general's office. 

Mactaggart said the reason he is dropping the initiative now is that it's the "perfect time for this next step." He said California voters want "more privacy protections, not less, and there's a desire for more protection around sensitive information and algorithmic transparency." 

He said he's a "big fan" of California Attorney General Xavier Becerra, but "he’s set up to be a cop and not a regulator. Maybe the [attorney general] is not the right place to have regulatory body." Maybe the creation of a data protection agency that has rule-making enforcement is the right format, he said. 

He added that conversations at the U.S. Congress on a federal privacy bill have often included, among those pushing for a stringent privacy law, calls for "nothing weaker than California. So I think this raises the bar substantially for what 'weaker than California' is." 

Travis LeBlanc, former enforcement chief at the Federal Communications Commission and a newly confirmed member of the Privacy and Civil Liberties Oversight Board, indicated strong support for Mactaggart's new initiative. Specifically, LeBlanc lauded efforts to establish a new data protection agency, saying he is "hugely supportive of it." 

He noted that globally, there are data protection authorities dedicated to the cause full time, whereas the California attorney general's office is charged with enforcing much more than just privacy. Look at Ireland's DPA, for example, which staffs more than 700. Or the U.K.'s Information Commissioner's Office, which staffs 800 or so. 

"We are clearly in no way being able to enforce this law without other entities being there," he said. There are some options to remedy that, including giving more power to the attorney general, creating an additional agency or allowing for a broader private right of action. But, he added, "I know how people in this audience" feel about that. 

Chuckles from the audience.

California Deputy Attorney General Stacey Schesser told the audience, "Like everybody here, I found out about this yesterday." She expressed frustration that, as the CCPA continues to be amended and the attorney general's office works to promulgate its regulations and guidelines, it feels sort of like it's in a 3D chess game, and in some ways, "we're in a 3D chess game with Alastair to a certain extent." 

But she said the news that a revised CCPA would introduce a citizen's initiative hasn't distracted the attorney general's office from its job. 

"We are writing these draft regulations in real time and just trying to keep an eye on whether or not they’re going to substantively impact the guidance and the rules on what we’re drafting," she said, adding it's "something we’re laser-focused on and have a vested interest in insuring. Our eyes are on implementation of the CCPA, which is going to be happening next year. We are focused on implementing this law, and once we can file enforcement actions, we'll be focused on enforcement strategies so this law will have teeth. That is our priority and we’re going to stand by that." 

Schesser added that rule-making will be happening soon, and the office invites the public, attorneys and businesses to get involved and engaged. The office plans to unveil its formal rule-making in October, which will be followed by a 45-day public commentary period, during which the office will be looking for "things we can improve upon and should be considered. Compliance will be essential," she said. "It is very important for businesses to start thinking about compliance now. From my perspective, we are getting ready for enforcement in parallel with our rule-making process." 

LeBlanc also encouraged companies to start getting ready for compliance. While an IAPP-OneTrust survey recently found that about 2% of companies covered by the CCPA are ready for compliance, LeBlanc said he estimates the number is lower than that, just based on water-cooler conversations at P.S.R. itself. 

"The reality is that Jan. 1, 2020, is approaching, and although the [attorney general] can’t bring enforcement until July 1, the law goes into effect Jan. 1," he said. Every company should try its best, "especially if you're a household name" or a company with large datasets. Because when and if the attorney general takes action in July, it can, in fact, retroactively enforce for infractions committed starting Jan. 1. 

Mactaggart said he is hoping for strong engagement from stakeholders on his new citizens' initiative. But he thinks there's a very strong chance it passes, based on early polling.

"We’ve been out there doing focus groups," he said. "We’re polling in the 90s. My pollster said the last time she saw numbers like this was the time there was something on the ballot on human trafficking."

During this 35-day amendment period, Mactaggart said his intention is "to really have some input in what this final version is going to look like. I wanna say that publicly, I’m really engaging. In terms of trying to walk the middle ground, it was important to me this time not to go back on the deal we made. It’s gonna be an interesting journey, and I look forward to seeing the regulations. And I think California is moving in the right direction, and I’m honored to be a part of it."

Photo by Cashman Photo

Credits: 1

Submit for CPEs

1 Comment

If you want to comment on this post, you need to login.

  • comment Kevin Kreuser • Sep 26, 2019
    Why the separate proposals of related and similar concepts that, collectively, could have made one good, comprehensive law?  Had all of this been slowed down and better hashed out (see still existing ambiguities and uncertainties of CCPA) it could have better served the underlying interest of safeguarding personal data/rights.