CCPA, CPRA, and the Case for Federal Data Privacy Laws

By Mitchell Antalis.

In the waning months of a decade characterized by the digitalization of nearly all aspects of life, giving rise to unprecedented concerns regarding data collection, misuse, abuse, breach, weaponization, and interconnectivity, and notwithstanding the exacerbation of these issues and others by a once-in-a-century pandemic, 2020 has provided some signs of progress with respect to consumer data privacy rights.

"System Lock" by Yu. Samoilov is licensed under CC BY 2.0

The CCPA & CPRA Framework

The California Consumer Privacy Act (CCPA), which officially took effect on January 1, 2020, but was not subject to enforcement until July 1, established the first significant foothold within the U.S. for data privacy regulation. This November, Californians will vote on Proposition 24, the California Privacy Rights Act (CPRA), which expands and amends the protections offered by the CCPA. If the CPRA passes, it would take effect on January 1, 2023, making California data privacy laws arguably on par with those established by the European Union in 2018 through its General Data Protection Regulation (GDPR)—a piece of legislation hailed as a monumental step toward protection of consumer data privacy rights.

The CPRA expands on the CCPA in a few key ways. First, with regard to the data privacy rights enacted, the CCPA’s core provisions enable California residents to request a copy or deletion of their personal information held by covered entities, and to “opt out” of their data being sold to third parties. But it has been criticized for being too vague in its requirements, making compliance procedures unclear and difficult for companies to implement. The CPRA aims to clarify the procedures set forth in the CCPA, expand the definition of and restrictions applicable to “sensitive personal information,” and extend the “opt out” provision to data shared with, rather than simply sold to, third parties. It also creates a right for individual consumers to correct mistakes in their personal data as well as limit what information is collected and how long it may be stored. In addition, the CPRA would allow consumers to request obfuscation of their geolocation by up to one-third of a mile.

Further, the CCPA applies to all businesses, subject to certain threshold requirements, that do business with California residents regardless of whether the business has a physical presence in the state. Thus, it may be triggered by a California resident accessing the website of a qualifying non-California-based business. Given the size of California’s economy and the difficulty of identifying and crafting a wholly unique web experience for California residents, the CCPA effectively mandates compliance from a sizeable portion of businesses within the U.S. It also established two forms of liability for data breach incidents – administrative fines and private rights of action – but only after allowance of a 30-day “cure period.” The CPRA would maintain the reach of the CCPA, but remove the cure period for administrative action, allowing the issuance of fines based on the occurrence of a breach incident. However, the 30-day cure period will continue to apply to private rights of action under the CPRA.

Lastly, under the CCPA, the California Attorney General is responsible for investigation and enforcement, having authority to issue fines of up to $7,500 per intentional violation. The CPRA, on the other hand, would create and fund an independent administrative agency, the California Privacy Protection Agency, imbued with the authority to enforce the privacy regulations established.

Despite the CPRA’s broad appeal, a number of consumer advocacy groups have vehemently opposed it, including the ACLU of California, the Consumer Federation of California, and the Electronic Frontier Foundation, among others. These groups argue the CPRA contains flaws which actually reduce privacy rights for many Californians. For instance, the CPRA enables a “pay for privacy” scheme allowing companies to charge individuals for exercising their right to opt out of the use or sale of personal information. Although this opposition signals that the CPRA may not be as comprehensive a solution as advertised, recent polling indicates the ballot initiative is likely to pass in November.

The Case for Federal Data Privacy Legislation

Passage of the CPRA could put pressure on Congress to finally pass federal data privacy legislation, the absence of which to date is not due to lack of effort. In the past year alone, at least six different privacy proposals were considered in Congress, but none gained traction, primarily due to complications caused by the ongoing pandemic and partisan disagreements. But the parties are not as far apart as one may think on the issue of privacy. Research across the failed proposals shows both parties agree that individuals have a right to control their personal information, which requires the creation of entities and procedures to enforce and protect such rights. The parties disagree, however, on the following three key issues: (1) which federal agency should have enforcement power; (2) whether to preempt state privacy laws; and (3) whether to provide a private right of action. Given the hyper-partisanship present in the federal government at the moment, any hope for compromise and progressive legislation likely lies in the hands of the incoming legislature.

In the absence of federal oversight, states are left to their own devices to draft and debate comprehensive data protection regulations. However, this process has rarely been successful, as studies show over half of states have considered the issue of data privacy, but only three—Maine, California, and Nevada—have passed any sort of legislation. Take Arizona for example. Its most recent proposal, HB 2729, introduced in January 2020 and sponsored by twelve Democrats and one Republican, reportedly failed due to the legislature’s adjournment this session. Yet the mere existence of legislation in so many states suggests citizens are concerned about their data privacy rights, which makes this failure to effectively legislate harmful to citizens. Even if states manage to pass their own data privacy regulations, the patchwork of inconsistent laws creates a nightmare scenario for businesses, which could be subject to dozens of unique regulations at once.

In essence, the state-by-state approach is a lose-lose scenario: if no state regulations are implemented, citizens go without needed protections; whereas if states all pass individual regulations, businesses and the economy will suffer needlessly. Federal legislation could remedy this problem by providing a framework for data privacy regulations, thereby allowing citizens at least a minimum level of protection and giving businesses a baseline requirement for compliance. Ultimately, the upcoming election will likely have a significant influence on both the likelihood and form of federal data privacy legislation.