On November 3, Californians voted in favor of Proposition 24, the California Privacy Rights and Enforcement Act of 2020 (CPRA), which would expand the privacy protections enacted under the 2018 legislation, the California Consumer Privacy Act (CCPA). Like its progenitor, Proposition 24 is limited in scope to California businesses and consumers but will likely dictate internet privacy law for the entire United States. Because companies like Facebook, Twitter and Google reach many Golden State residents, California law directly affects how big tech companies interact with their consumers across the nation and beyond. But comprehensive federal privacy law may be on the horizon. What shape it takes is anybody’s guess.
I. California Proposition 24
In January 2020, the California Consumer Privacy Act (CCPA) went into effect and marked a major shift in Big Tech’s collection and dissemination of user information. The CCPA allows Californians to request information from tech companies pertaining to the collection and use of their data, the right to have that data deleted and the right to restrict tech companies from further collection and sale of personal information. Any noncompliant company risks a lawsuit from the California Attorney General. The CCPA induced many tech companies to implement significant, albeit inconspicuous, alterations to their platforms.
Soon after January 1, 2020, Facebook began providing users with an “Off Facebook Activity” tool, which allows users to view and restrict Facebook’s use of third-party information to target users with personalized advertisements. Facebook users could view their “Off Facebook Activity,” which is a summary of activity that businesses and organizations share with Facebook about user interactions, such as visiting their apps or websites. Facebook uses this information to better target users with advertisements. The CCPA prompted Facebook to allow users to view and opt out of this process. Apple, Mozilla and Google have gradually eliminated the use of tracking cookies from their web browsers in an effort to comply with the CCPA. In late 2019, Microsoft announced that it would extend the protection guaranteed by the CCPA to the rest of the United States.
For all its success, the CCPA has its flaws. According to Alastair McTaggart, the main drafter of the CCPA, the law as passed includes loopholes that exempted “service providers” and allowed for the “sharing” of data rather than the “selling” of data. Further, McTaggart believes that the California Attorney General’s office is not well equipped to adequately enforce the regulation.
Enter Proposition 24 - the California Privacy Rights and Enforcement Act of 2020 (CPRA). The CPRA aims to strengthen the CCPA by creating a new enforcement agency focused entirely on enforcing privacy rights, increasing fines levied for the collecting and selling of a child’s private data and amending the CCPA to close certain loopholes as noted above. These changes will bring California privacy law more in line with its European counterpart, the General Data Protection Regulation (GDPR).
Still, many oppose Proposition 24 on a variety of grounds. Two primary issues present in all internet privacy legislation are (1) an opt-in versus an opt-out system and (2) a private right of action. Opt-in means that companies must secure express permission before collecting and disseminating data, whereas opt-out means that companies collect and disseminate data by default, and users have the right to “opt-out” of the process. A private right of action allows any individual to bring a lawsuit against a company which allegedly violates the protections.
The initial draft of the CCPA included an opt-out system and a private right of action. The drafters believed that an onslaught of individual lawsuits would keep tech companies in line and compensate for the less restrictive opt-out system. However, during the political process of moving the bill through the California legislature, the private right of action was replaced with state enforcement by the Attorney General. Replacing the private right of action removed a powerful weapon from the CCPA’s arsenal.
Critics of Proposition 24 argue that the initiative does too little to remedy the weaknesses of the CCPA. Proposition 24 does not alter the opt-out system, nor does it replace state enforcement with a private right of action. According to such critics, state enforcement is a root flaw that must be replaced because no agency will have the resources to bring action against every violation.
Critics also underscore Proposition 24’s failure to close the door on any pay-for-privacy loophole in light of a provision in the initiative for “loyalty club” systems where a company may charge more or limit access to services based on whether a user decides to opt out of data collection. In rebuttal, McTaggart and other supporters of Proposition 24 argue that the user should be in control of her own data and that a pay-for-privacy scheme increases transparency. What remains is the question of whether any such provision conflicts with the language in the CCPA which prevents companies from discriminating against users who exercise their opt-out or deletion rights, by, for example, withholding a discount from a user who does not allow the collection of personal data. This question is likely to remain even after Proposition 24 becomes law.
As California tallies its election ballots, the enactment of Proposition 24 seems certain. The CPRA will not become effective until January 1, 2023 and will not be enforced until July 1, 2023. The three-year window gives businesses ample opportunity to prepare for the enhanced regulations, but businesses must also keep abreast of privacy developments in different states and at the federal level. Although California currently leads the charge for privacy protection, federal privacy law may be in our future.
II. A Patchwork of State Internet Privacy Laws
Regardless of the far-reaching impact of California’s privacy policy, consumers still have different privacy rights across the United States, causing confusion among consumers, companies and the government. While California has again raised the bar for internet privacy law, individual states are still responsible for establishing their own regulations. Only three states have signed comprehensive privacy laws, but many similar bills are currently in the legislative pipeline across the country. Of the three states with internet privacy laws — California, Maine and Nevada— the CCPA is most protective of consumer rights, and Maine is the only state with an opt-in requirement. Nearly all other proposed laws include an opt-out requirement, and only South Carolina includes a private right of action. Seven states have decided to authorize task forces to propose comprehensive privacy bills for legislative review. California’s CCPA, as amended by Proposition 24, will be the most expansive and protective internet privacy statute to date.
III. The Need for Comprehensive Federal Privacy Law
Although trends appear among the various privacy regimes, disparate policies and levels of enforcement indicate a need for comprehensive federal privacy laws. Both consumers and companies, especially Big Tech, would be better served by uniform guidelines and explicit privacy regulations. Recent developments reflect Congress’ willingness to establish a framework for federal privacy laws, but two major roadblocks stand in the way of a resolution: the private right of action and preemption.
Similar to the problems faced by Californians in the CCPA and Proposition 24, the debate over a private right of action has stymied a Congressional resolution on federal privacy law. The frontrunner among the various proposals is the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act. The SAFE DATA Act, proposed by Republican Senators, does not include a private right of action, instead relying on enforcement by the FTC and Attorney General. Proponents of the SAFE DATA Act argue that a private right of action would lead to an onslaught of frivolous lawsuits. Opponents, such as Senator Maria Cantwell (D-WA), offer criticism similar to that faced by the CCPA and Proposition 24 that a private right of action is necessary for any measure of enforcement.
The second contested issue is whether the federal law will preempt state laws dealing with internet privacy. As written, the SAFE DATA Act would preempt state laws such as the CCPA. Proponents argue that preemption is necessary for a uniform national framework and that a patchwork of state laws present compliance and operational challenges, but others oppose preemption of more protective state privacy laws.
Although the process is slow, the SAFE DATA Act and a handful of other internet privacy bills proposed by both Republicans and Democrats suggest that Congress is willing to pass comprehensive federal privacy law.
Conclusion
The CCPA as amended by Proposition 24 is poised to be the de facto privacy law of the land until Congress can reach a compromise on a federal policy. Until then, companies, particularly Big Tech, will adhere to the most demanding policies in order to avoid liability. Even websites that fall below the legislation’s threshold for compliance are likely to comply to some degree as a matter of “best practices.” Whether the government-run enforcement methods of Proposition 24 are up to the task is yet to be seen. Fortunately, it appears that both political parties and Big Tech are in favor of some federal internet privacy regulation, so it is only a matter of time until we see expansive legislation. What form such legislation takes is not so certain. Lutzker & Lutzker will continue to monitor and report on these developments.