California has an established track record for being forward-thinking when it comes to how corporations and other entities handle data about its residents. The most recent addition to California’s data privacy legislation, the California Consumer Privacy Act (CCPA), is getting a lot of attention because 1) it is more like the European Union’s General Data Protection Regulation (GDPR) than any other legislation in the United States, and 2) it will become the national standard for all intents and purposes, if only because of the sheer number of people who live in California[1]. This series of posts will explore the history, scope, and application of CCPA, as well as its potential implications for businesses within California state borders and beyond.
Background
Privacy legislation is not new to the state of California. In 1972, the people of California amended the state Constitution to specifically include privacy as an inalienable right[2]. Five years later, the Information Practices Act was enacted by the California State Legislature, expressly because of their concern over the threat posed by “the indiscriminate collection, maintenance, and dissemination of personal information.” The Act cited the increasing use of computers and other technologies as major contributors to the potential risk to individual privacy[3]. The Information Practices Act also included data breach notification requirements for government agencies. This was supplemented by later legislation which expanded breach notification requirements to businesses in 2000[4].
Additional legislation intended to enhance privacy and improve data protection practices within the state include the Online Privacy Protection Act of 2003 (CalOPPA), the California Invasion of Privacy Act, Fair Debt Collection Practices Act, Insurance Information Privacy Act, and multiple others[4].
An Unlikely Activist
The origins of CCPA involve a real estate developer, a random conversation with a Google engineer[5], and a “shower thought” said developer had in 2015[6]. The real estate developer is a man named Alastair Mactaggart, and as he tells it, the whole thing started when an engineer who worked at Google told him “he would be ‘horrified’ to know how much data Google collects on its users”[5]. Soon after this conversation, Mactaggart began doing research about how to get an initiative on the ballot to improve data privacy, enlisting help from a neighbor and a former CIA analyst and funding promotion of the ballot initiative out of his own pocket. When State Senator Bob Hertzberg heard about the initiative, he was immediately concerned that its threshold was not strict enough to do what Mactaggart intended. Seeking to get what he saw as a flawed initiative off the ballot, Hertzberg approached Mactaggart, offering to work with him to craft a bill, and once the bill was passed, Mactaggart would withdraw the initiative. The first iteration of CCPA was the result, and it was passed unanimously by the state legislature in 2018. Unfortunately, this first attempt at most ambitious data privacy law in the nation soon proved to be inadequate and legislators tried for nearly a year to fix it. They failed.[6].
Going Back to Plan A
Because lawmakers in the California State Senate were unable to reach anything close to agreement about how to handle the flaws in CCPA, Hertzberg eventually went back to Mactaggart and suggested they go back to Plan A. He proposed that Mactaggart draft a new ballot initiative to revise CCPA, correcting what they both saw as issues with the original legislation. If this new initiative went all the way to a vote by Californians, it would bypass the legislative process [6]. Thus, Proposition 24 was born, appeared on the ballot for the general election on November 3, 2020, and was passed with approximately 55% of voters approving the initiative [7].
Disagreement Among Privacy Advocates
While CCPA is generally hailed as “the most sweeping data privacy law in the country”[8], not all privacy advocates are fully convinced that it goes far enough. The ACLU of Northern California, the Consumer Federation of California, and Color of Change all came out against Proposition 24 over concerns that it weakened CCPA too much, catering to large tech companies and their concerns. Likewise, Consumer Reports and the Electronic Frontier Foundation (EFF) declined to endorse Proposition 24, saying that they were unsure whether it made things better or worse[6]. In spite of the reservations of these groups, Proposition 24 was passed in the 2020 general election and went into effect on January 1, 2020[9].
In Part 2 of this series, I will discuss the definitions, scope, and rights provided by CCPA.
References
[1] D. Sirota, “California’s new data privacy law brings U.S. closer to GDPR,” TechCrunch, Nov. 14, 2019. https://techcrunch.com/2019/11/14/californias-new-data-privacy-law-brings-u-s-closer-to-gdpr/.
[2] “Summary of the California Information Practices Act,” Nossaman LLP., Mar. 01, 2019. https://www.nossaman.com/newsroom-insights-Summary-of-the-California-Information-Practices-Act.
[3] “Cal. Civ. Code §§ 1798 – 1798.78,” California Legislative Information. https://leginfo.legislature.ca.gov/faces/codes_displayexpandedbranch.xhtml?tocCode=CIV&division=3.&title=1.8.&part=4.&chapter=1.&article=.
[4] “California Privacy Laws.” https://calawyers.org/section/privacy-law/privacy-law-guide/.
[5] B. Fung, “The unlikely activist behind the nation’s toughest privacy law isn’t done yet,” CNN, Oct. 10, 2019. https://www.cnn.com/2019/10/10/tech/alastair-mactaggart/index.html.
[6] G. Edelman, “The Fight Over the Fight Over California’s Privacy Future,” Wired, Sep. 21, 2020. https://www.wired.com/story/california-prop-24-fight-over-privacy-future/.
[7] “California Privacy Rights Act,” Wikipedia. Jun. 26, 2022. Accessed: Sep. 17, 2022. https://en.wikipedia.org/wiki/California_Privacy_Rights_Act.
[8] L. Hautala, “CCPA is here: California’s privacy law gives you new rights,” CNET, Jan. 03, 2020. https://www.cnet.com/news/privacy/ccpa-is-here-californias-privacy-law-gives-you-new-rights/.
[9] N. Garhart, “Nonprofits and the California Consumer Privacy Act,” Farella Braun + Martel LLP, Jun. 20, 2019. https://www.fbm.com/publications/nonprofits-and-the-california-consumer-privacy-act/.