California Privacy Act Sequel Likely Coming to Voters

Claiming to strengthen privacy enforcement and create new consumer privacy rights, the CPRA appears to have enough signatures to make the November ballot, though they must be verified (see 2005050063). The initiative’s author, Alastair Mactaggart, sponsored a 2018 ballot initiative that never went to vote because he struck a deal that led to the legislature quickly passing the California Consumer Privacy Act (CCPA). “We intend to take this to the ballot,” emailed a spokesperson for Mactaggart’s group, Californians for Consumer Privacy.

The privacy measure has “great chances” of winning Californians’ vote, said Corbin, whose clients include the Electronic Frontier Foundation, Common Sense Kids Action and Privacy Rights Clearinghouse. Proponents “put enough in” for both sides "so that the large industry groups aren’t going to spend money to oppose it” and consumer privacy groups “aren’t going to feel comfortable opposing it,” she said. Corbin doubts the legislature will intervene like in 2018 because industry seems “perfectly OK with this initiative.”

Cable expects it to be up for vote in November because it’s unlikely Mactaggart or legislators “will pursue legislation to head off the ballot measure,” emailed California Cable & Telecommunications Association President Carolyn McIntyre. Wiley attorney Joan Stewart said Mactaggart appears “committed to bringing this to voters, likely because there will be less need to compromise on the final terms.”

Mactaggart cut a deal last time, but “I suspect part of the reason he's coming at this again is he didn’t love how it turned out last time,” said Cowen analyst Paul Gallant. “Mactaggart’s first initiative in 2018 was polling well before he pulled it, so I suspect this new one will pass in November." Tech companies generating goodwill during COVID-19 might make it close, but generally, “when you ask people ‘do you want more online privacy’ the answer is ‘of course,’ because the question doesn’t get into how data fuels free service.”

“The uncertainty surrounding this pandemic has shifted our immediate focus to work that is most urgent and relevant to the current crisis,” said California Assembly Privacy and Consumer Protection Committee Chairman Ed Chau (D) in a statement. “I will continue to safeguard the privacy rights of Californians, with a focus on prioritizing the most urgent and crisis-relevant legislation to make the most efficient and effective use of our limited time and resources.”

‘Grumbling’

“I’ve heard lots of grumbling but no official objection,” emailed Wiley's Stewart. CCTA doesn’t have a position and its president isn’t “aware of any industry or business organization officially opposing the measure,” said McIntyre.

CPRA “ further complicates and confuses” the privacy landscape, with Attorney General Xavier Becerra's CCPA rulemaking not completed and a July 1 enforcement deadline, said Association of National Advertisers Group Executive Vice President-Government Relations Dan Jaffe. Some provisions might be improvements on CCPA while others are problematic, he said. Jaffe raised concerns about using the ballot process here. There are no hearings and “you are locked in” after it’s enacted, he said.

CPRA is “a mixed bag,” with consumer groups not involved in its genesis, said Corbin. EFF, the American Civil Liberties Union and nine other privacy groups asked to strengthen the initiative in October, but Mactaggart took only some suggestions, Corbin said. The proposal makes slight improvements to consumer rights but lacks a private right of action or other “meaningful” enforcement, she said. It includes some exemptions sought last year by industry but defeated by civil liberties groups, such as exempting commercial credit reporting from CCPA and excluding publicly available data from the definition of protected personally identifiable information, she said: “The hard-fought efforts ... to defend the CCPA deal are in some instances actually being overturned by the ballot initiative.”

The 2018 ballot initiative frustrated some privacy groups by derailing work on a California bill to revive in the state the federal ISP privacy rules repealed by Congress in 2017, said Corbin. Legislators saw the ballot vote coming and decided they needn’t act on ISP privacy, said the lobbyist. Corbin fears this year’s initiative could similarly quash bills to tighten CCPA rules.

“This isn't something privacy groups are excited about,” but there may be room to change CPRA later, said EFF Senior Legislative Counsel Ernesto Falcon. Laws enacted by ballot usually require a two-thirds majority in the legislature to amend, but the 2020 proposal specifies it would take only a simple majority. ACLU California didn’t comment.

Compliance

“This is a head-scratcher, as it will further muddy the waters before” Becerra (D) “has even finalized the regulations on the initial CCPA,” said CALinnovates Executive Director Mike Montgomery, whose group hasn’t taken a position. The California Chamber of Commerce doesn’t have a stance, a spokesperson said.

“It’s just too early to be thinking about shifting business processes or priorities based on the announcement that the signatures have been collected,” emailed Mintz privacy attorney Natalie Prescott. “The CPRA should certainly be on the radar, but we see a more critical focus point to be on CCPA compliance.”

Wiley is monitoring CPRA, but with enforcement starting July 1 is "advising clients to focus on implementing the rules as they exist now (or will once the AG puts out the final implementing regulations),” said Stewart.

It has good and bad elements for CCPA-regulated businesses, the International Association of Privacy Professionals blogged Tuesday: “Early polling strongly suggests that if the CPRA ... is certified for the ballot, it will pass and become effective Jan. 1, 2023, and move California privacy law a bit further in the direction of the EU General Data Protection Regulation.”