My Comments on the California Consumer Privacy Rights Act (CPRA) Rulemaking

[Today, I made brief remarks at the CPRA “stakeholder sessions” in the “dark patterns” session. My written transcript:]

I’m Eric Goldman, a law professor at Santa Clara University School of Law, where I direct the school’s Privacy Law Certificate. My blog posts about the CCPA have all featured the “dumpster fire” GIF. I’m still deciding what GIF I’ll use with my CPRA posts.

[UPDATE: I’ve made my decision. All future CPRA posts will be accompanied by the Arkansas “van on fire” GIF. Click on the image to see the animation]

Click on the image to see the animation

I’d like to start by thanking the agency board members and staff for their hard work on the overwhelming project the voters assigned to it. It’s a thankless effort that will garner criticisms on all sides, so I’m grateful for your willingness to serve.

I have two substantive points to make in my limited time, but before that, I want to explain a procedural challenge I had with this hearing. My points relate only loosely to “dark patterns,” but there was no better place for my remarks in the hearing’s initial taxonomy of topics. I understand the topic taxonomy reflected what the agency wanted to hear about, but it also inhibited participation by leaving no identifiable space for other issues that constituents want to raise. It’s a reminder of how easy it can be for a government agency to get so focused on its self-identified priorities that it may not be receptive to the priorities of its constituents.

My first substantive point relates to the bills in the California legislature proposing to add new duties to the CPPA’s remit. I’m baffled by these proposals, because the CPPA’s plate is already very clearly full. The CPPA already cannot meet the deliverable schedule approved by the voters, so it’s in no position to take on additional projects that would further compromise the CPPA’s ability to meet its voter-approved obligations. The CPPA’s workload won’t get better after the CPPA completes its initial batch of rulemaking. The CPPA will then have the enormous and complex challenge of building an enforcement function from scratch.

Even more bizarrely, some of the legislative proposals have proposed adding non-privacy matters to the CPPA’s remit, such as making the CPPA responsible for children’s “well-being” under the guise of defining “dark patterns.” This scope expansion isn’t possible because the CPRA’s directives to the CPPA are privacy-specific, so the CPPA lacks the ability to oversee non-privacy topics while still adhering to its voter-mandated directives.

This takes me to my first suggestion. I encourage the CPPA to proactively and emphatically tell the legislature that (1) it cannot take on new privacy matters until it’s able to satisfy its existing voter directives, and (2) it will never be in a position to take on non-privacy matters without completely restructuring the CPRA’s directives to the CPPA.

My second substantive point is to observe how much of the CPPA’s rule-making—indeed, most of the topics covered by these stakeholder sessions—are essentially addressing empirical questions, but we frequently have minimal or no independent empirical research to answer those questions.

As just one example, businesses apparently have been required to honor the Global Privacy Control since AG Becerra tweeted about it in January 2021. How’s that going? Are there independent empirical studies of the GPC’s costs and benefits since? Is the GPC achieving its purported goals for consumers or not? The CPPA may not know the answers to those questions—but the empirical answers are essential to the efficacy and legitimacy of any further CPPA rulemaking on the topic.

The same is true for any rulemaking on “dark patterns.” The CPPA has received a bit of empirical data on the topic, but every detail of any “dark patterns” rule will be predicated on empirically answerable questions, even if the CPPA doesn’t actually rely on empirics when defining those details.

In particular, there has been far too little independent empirical research into the CCPA’s efficacy despite the fact that the CCPA has generated substantial field data over the past 2 years. Worse, due to its timing, the CPRA did not incorporate any empirical findings from the CCPA’s operation. Given where we are now, it would be very unfortunate to ignore these empirics in the CPRA’s rule-making. Without learning from how businesses and consumers are actually behaving in the field, the CPPA could easily misdirect its efforts or possibly make things worse for everyone.

That takes me to my second suggestion. I encourage the CPPA to make explicit any empirical assumptions it’s basing its rules on. Then, where the CPPA does not currently have data in hand to support the assumptions it’s making, the CPPA should (1) solicit independent researchers to study those empirical questions, and (2) set sunset dates for those rules to ensure they will be reevaluated as new empirical data informs the questions.

The CPPA has an enormous amount of hard work ahead of it, and again I say “thank you” to those of you doing that work.

Prior CCPA/CPRA Posts

* Court Casts Doubt on the Legality of the Data Brokerage Industry–Brooks v. Thomson Reuters
* New Primer on the California Privacy Rights Act (CPRA)
* CCPA Definitions Confuse the Judge in a Data Breach Case–In re Blackbaud
* A Roundup of CCPA Court Decisions (I Only Know of 7)
* CCPA Data Breach Lawsuit Against Walmart Fails–Gardiner v. Walmart
* The Anticipated Domino Effect: Virginia Passes Second State “Comprehensive” Privacy Law (Guest Blog Post)
* SF Chronicle Op-Ed: “Prop. 24 is the Wrong Policy Approach, at the Wrong Time, via the Wrong Process”
* Over 50 Privacy Professionals & Experts Oppose Prop. 24
* Californians: VOTE NO ON PROP. 24, The California Privacy Rights Act (CPRA)
* A Review of the “Final” CCPA Regulations from the CA Attorney General
* The CCPA Proposed Regs’ Data Valuation Calculation Provisions Provide Flexibility, But Raise Ambiguity & Transparency Concerns (guest blog post)
* My Third Set of Comments to the CA DOJ on the CCPA Regulations
* Comments on the DOJ’s Proposed Modifications to the CCPA Regulations
* Eric Goldman’s Comments to the California DOJ Draft Regulations for the Consumer Privacy Act (CCPA) (Part 3 of 3)
* Some Lessons Learned from the California Consumer Privacy Act (CCPA), 18 Months In (Part 2 of 3)
* Resetting the California Consumer Privacy Act (CCPA)…with 2 Weeks To Go! (Part 1 of 3)
* And At the End of the Day, the CCPA Remains Very Much the Same (Guest Blog Post)
* A Recap of the Senate Judiciary Committee Hearing on Amending the California Consumer Privacy Act (Guest Blog Post)
* Want Companies to Comply with the CCPA? Delay Its Effective Date (Guest Blog Post)
* Recap of the California Assembly Hearing on the California Consumer Privacy Act
* A Status Report on the California Consumer Privacy Act
* 41 California Privacy Experts Urge Major Changes to the California Consumer Privacy Act
* California Amends the Consumer Privacy Act (CCPA); Fixes About 0.01% of its Problems
* Recent Developments Regarding the California Consumer Privacy Act
* The California Consumer Privacy Act Should Be Condemned, Not Celebrated
* A First (But Very Incomplete) Crack at Inventorying the California Consumer Privacy Act’s Problems
* Ten Reasons Why California’s New Data Protection Law is Unworkable, Burdensome, and Possibly Unconstitutional (Guest Blog Post)
* A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet
* An Introduction to the California Consumer Privacy Act (CCPA)