Will California's CPRA become the standard for national consumer privacy legislation? 

By Jerry Bowles July 29, 2020
Summary:
The voting result of Proposition 24 on California ballots this November could represent an inflection point in the evolving privacy topic. 

Privacy threat at work - laptop with eyes in screen ( © Juergen Faelchle - shutterstock)

If the California Privacy Rights Act of 2020 (CPRA or CCPA 2.0) passes in November as expected, it will expand and amend the existing California Consumer Privacy Act of 2018 (CCPA) and, as I wrote here a few days ago, put the state's privacy regulations on a par with Europe's General Data Protection Regulation (GDPR), the gold standard of privacy protection.

There is wide support for standardized and consistent regulation among businesses and consumers. It is obviously easier and less expensive for enterprises to deal with one set of regulations than with 50 different state variations.  But, the current Congress has seemed frozen in place, partly because of the pandemic, partly because it is an election year, and partly because the House and Senate just don't play that nice with each other right now. 

There have been at least five privacy bills floated in Congress.  Last November, Sen. Maria Cantwell (D-Wash.) introduced the Consumer Online Privacy Rights Act (COPRA) and Sen. Roger Wicker (R-Miss.) released the draft United States Consumer Data Privacy Act (USCDPA). The two proposals framed the issues for the broader privacy debate but so far little or no progress has been made and almost certainly will not be during this term of Congress.

I asked Californian Tom Kemp, a serial entrepreneur who has co-founded/co-built enterprise technology companies such as Centrify, Idaptive and NetIQ and now writes an excellent blog on cybersecurity, for his thoughts on CPRA and the prospect of national guidelines:

California tends to take a lead role in consumer protection as witnessed by the world auto industry following California's auto emissions rules. This is because California is the 5th largest economy in the world and 1 out of 8 Americans live here. So, the CPRA is bound to be a model because of California's size and scope, as well as for historical reasons.

But, the politics of this situation is that in the US House, 20% of the House Democrats are from California.  I think California House Dems would be loath to override or weaken with a Federal law a statewide referendum if CPRA passes, i.e. they don't want to be in a situation of taking away rights that Californians now have.

Even in the absence of federal guidelines, Kemp believes that CPRA and GDPR will become the de facto standards:

Businesses and consumers want consistency when it comes to privacy laws.  It is expensive for a company to have privacy and data retention for one set of customers, and another for a different set.  So, they will default to the stricter version.  That is why companies like Microsoft said they support CCPA regulations for all Americans.  

Given that CPRA (aka Version 2.0 of CCPA) gets California closely aligned with the EU's GDPR as I summarized here, and that most larger businesses support EU GDPR, it will be easier in the long run to offer support to the higher bar GDPR and CPRA.

So, the point is the momentum is there for a CPRA and GDPR "standard" of privacy, and if Congress thinks they can enact something weaker or significantly different from the standard, then businesses will be like geez I have to support Betamax and VHS. So they prefer a standard, and given that CPRA is closely aligned with GDPR, the two combined make it more likely the federal law will be more CPRA/GDPR like.

The data privacy discussion has lately taken on a new urgency because of Covid-19. The pandemic has raised a tangle of privacy issues around access to mobility and proximity data, health information, and other forms of personal information that may or may not be useful for public health. They are reminders of the current gaps in the U.S. system of privacy protection.  Said Kemp:

We obviously see a lot of people being concerned about tracing and tracking.  Some of it is clearly crazy - e.g. some people are claiming that Bill Gates is trying to put a microchip in your arm if/when you get a vaccine and track your every move.  My response to that is that Google and Facebook already do that when you use their products.

The more valid concern has to do with tracing and tracking.  If they know your geolocation for seeing if you encountered an infected person, then could they use that same geolocation data for other reasons?  That's why you need a privacy law like CPRA which defines geolocation as sensitive personal data, and lets you tell businesses to limit the use to the intended purpose.  i.e. I don't want a tracing app to sell my location to fast food companies so they can push ads at me.   

In other words, having exact location data is good if you turn on geolocation for Uber (to pick you up at the right spot) or for tracing (so you know if you encountered a sick person), but again we need purpose limitation. And then not store that info for longer than you needed, e.g. in the case of Covid tracking, delete your geolocation data after 2 weeks. CPRA also adds data minimization and purpose limitation obligations to businesses, so CPRA could actually help dispel concerns.

My take

The digital world that we inhabit these days obviously is not confined to state borders, so an individual's privacy should not depend on where they live or travel. The current system puts too much burden on users to understand and manage personal information themselves through limited privacy settings and not nearly enough on companies that collect and use data. The next Congress should make federal guidelines at least as sweeping and tough as CPRA and GDPR a priority.