The California Consumer Privacy Act Should Be Condemned, Not Celebrated (Cross-Post)

[I initially published this with the IAPP. They are the ones that chose “CaCPA” over “CCPA.”]

giphy-300x200For years, many privacy professionals yearned for a comprehensive U.S. privacy law. So when California enacted the California Consumer Privacy Act, a comprehensive privacy law, you’d expect the privacy community to cheer loudly. However, the celebration has been muted—for good reason. It’s impossible to cheer a terrible law that passed via a terrible procedure.

Here are some reasons why the law hasn’t been enthusiastically received:

The law covers too many enterprises. The law was supposed to curb the purportedly abusive privacy practices of internet giants (like Google and Facebook) and data brokers. Unfortunately, the law overshot this goal; it reaches most businesses, online or off. Facebook may have been the target, but the local pizzeria will bear the law’s brunt.

Specifically, the law reaches businesses that collect personal information from 50,000-plus consumers per year, regardless of revenue. This applies to businesses that accept credit cards from 137-plus unique customers per day, including Walmart, Amazon, and a typical frozen yogurt stand.

The law also reaches commercial online services that collect IP addresses from 137-plus unique visitors per day, including tiny websites. For example, my blog gets 50,000-plus visitors per year and makes about $400 per year in ad revenue, yet the law treats my blog like Google and Facebook. If the law doesn’t change, I’ll likely shut down ads and forego the associated revenue to avoid compliance costs that would vastly exceed my revenues.

The cost/benefit problem. CaCPA requires businesses to adopt a variety of nominally consumer-friendly offerings, such as letting consumers learn more about, and opt-out of, privacy-invasive practices. While this sounds like a win for consumers, businesses will pass along the compliance costs to consumers; or to the extent the law inhibits currently profitable practices, businesses will stop providing those services to consumers or find other ways to charge consumers more. Thus, consumers will pay for the CaCPA-mandated offerings one way or another, regardless of whether they value, or take advantage of, them. It’s not a question of whether consumers value privacy; the question is whether the law is a good value for them.

Duplicative CaCPA/GDPR compliance. Because the CaCPA’s requirements don’t track the EU General Data Protection Regulation, GDPR-compliant businesses will incur additional compliance costs. Perhaps the duplicative compliance has some benefits (other than to privacy professionals!), but it’s more likely the extra costs won’t make businesses or consumers better off.

Ends don’t justify the means. CaCPA’s path to approval sounds like a failure of democracy. A wealthy Californian spent $3 million to qualify a privacy initiative for the November 2018 ballot. The text was drafted behind closed doors without multi-stakeholder input. Not surprisingly, a wide range of constituencies considered that text unpalatable.

Once the initiative qualified for the ballot, the initiative sponsor made the California legislature an “offer” it couldn’t refuse: pass a bill like the initiative, or if California voters approve the problematic initiative text, the bad provisions would become functionally permanent and beyond legislative supervision. This sparked a one-week frenzy where a few lobbyists made minor changes to the initiative’s text, and then the legislature passed an important, incredibly long (10,000-plus words) and complex law without adequate scrutiny or public input.

Due to these process deficiencies, the law doesn’t reflect the will of many affected stakeholders. Instead, it was just the less-odious option in a Hobson’s Choice.

Worse, CaCPA’s procedural trick is instructive to other policy entrepreneurs with pet topics and money to burn. CaCPA’s success encourages these policy entrepreneurs—with potentially more dubious objectives—to similarly strong-arm the California legislature.

The law is riddled with mistakes. A law as lengthy and complicated as CaCPA requires careful editing. Because of its speedy approval process, the final bill has many wince-inducing errors — such as the counterproductive requirement that businesses publish all of their consumers’ personal information in their privacy policies (see 1798.110(c)(5)). CaCPA also has innumerable ambiguities, such as whether employees are defined as “consumers” or how “personal information” excludes “de-identified information.” I’ve detailed a fuller list of problems here.

Collectively, the law’s mistakes make it look like the legislature was moving too fast (it was) and did an amateurish job (you can form your own opinion about that). The avoidable and embarrassing mistakes make it impossible to respect the law or the process that produced it.

CaCPA isn’t a model for other states. It’s not even a model for California. Other states will be interested in using CaCPA as a model law. However, with its many drafting defects, CaCPA isn’t ready for prime-time in California, let alone anywhere else. Plus, the California economy is about to bear an unanticipated, expensive, and business-chilling burden as hundreds of thousands of businesses scramble to comply with CaCPA. Other states would be well-served to wait-and-see how California’s “experiment” goes before dropping a similar bomb on their economies.

Conclusion. There are many other unresolved questions about CaCPA, including its constitutionality. Even if CaCPA survives the inevitable constitutional challenges, it is bad policy resulting from an unacceptable process. Because of this, I don’t think the privacy community will ever fully embrace CaCPA, no matter how much it supports consumer privacy.

Related Posts

A First (But Very Incomplete) Crack at Inventorying the California Consumer Privacy Act’s Problems
Ten Reasons Why California’s New Data Protection Law is Unworkable, Burdensome, and Possibly Unconstitutional (Guest Blog Post)
A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet
An Introduction to the California Consumer Privacy Act (CCPA)