My Comments to the CPPA Regarding its Initial CPRA Proposed Regulations

I filed comments with the CPPA on their proposed regulations pursuant to the CPRA. Read my comments here. Preparing those comments was a truly joyless task. Analyzing CPRA regulations is literally “read them and weep.”

Some hot spots:

The CPPA missed their statutory deadline to make regulations, so what are they going to do about that? The CPRA’s July 1, 2022 statutory deadline for rule-making was always a pipe dream, so it’s not the CPPA’s fault that they blew the deadline. But they have blown the deadline, and they have not yet provided any public guidance about badly-needed adjusted schedules for effectiveness and enforcement.

The CPPA wants to conduct “audits” whenever it wants with zero legal basis. The CPRA contemplated that the CPPA could “audit” businesses, subject to rulemaking. In the rulemaking, the CPPA proposes to conduct audits in its capricious and arbitrary discretion, without probable cause or any judicial oversight. Like, what country is this where government agencies can show up at a business and immediately root around for inculpatory evidence without judicial oversight or even a showing of legal cause? Just a reminder, government actors conducting searches without proper legal authorization played an important role in spurring our country’s independence from Britain.

The CPPA’s economic study is very problematic. As my comments explain, it appears the CPPA directed its economic consultant to ignore the costs to businesses that are GDPR-“compliant” (a phrase that should itself set off warning bells). Why? The CPPA contradictorily says elsewhere that the CPRA is materially different from the GDPR. If GDPR compliance doesn’t satisfy the CPRA, then how can CPRA compliance not impose any new costs beyond GDPR compliance? 🤔

To sharpen this point (which I suspect is screamingly obvious to everyone): the CPRA and GDPR may both require “rights to delete,” but implementing that right GDPR-style doesn’t ensure that the implementation satisfies the CPRA regulations. This is true for the dozens/hundreds of other specific requirements in the GDPR and the CPRA. To figure out the recyclability of existing compliance efforts, a business needs to analyze the rules and their existing implementation. That is already an expensive undertaking. Given the arcanity of both the CPRA and GDPR, it will often require very expensive legal review. Then, if the analysis reveals any differences, the business must either change its technology and business practices across the board (assuming there’s a one-size-fits-all solution) or implement a second solution in parallel with the existing one. Those can be extraordinarily costly undertakings.

By playing games like this, the economic study reached the mockable conclusion that its 66 pages of regulations would only require 1.5 hours of compliance work per regulated business, which in total will cost the entire state of California $8M in compliance costs. It’s easy to show that this estimate is not credible. For example, at an average reading speed of 250 words/minute, it would take a reader 2 hours just to read the 66 pages of regs. We exceed the 1.5 hr estimate just reading the damn thing.

The apparently intentional undercounting of the compliance costs raises doubts about whether the CPPA even satisfied its obligations in the rule-making process. That seems like a possible angle for future attack by enforcement targets.

Furthermore, by disregarding the compliance costs, the CPPA has denigrated/trivialized the important, complicated, and smart work of thousands of privacy professionals. It sends the counterproductive message to businesses that they shouldn’t value the work of these professionals–or that it should expect these professionals to work compliance miracles with no time and money. If the CPPA wants the privacy community on its side (which is probably the single biggest lever that would actually improve privacy outcomes for consumers), it might start by actually valuing their professional contributions.

The CPPA doubles down on the mandatory transparency requirement (but does it have any empirical justification?). The CADOJ manufactured a new obligation (not required by the statute) for larger businesses to post stats about their CCPA operations. The CPPA rubberstamped this requirement, justifying it as “necessary to inform the Agency, Attorney General, policymakers, academics, and members of the public about businesses’ compliance with the CCPA.” Except…I have not seen any evidence that the disclosures are “necessary” to “inform” ANYONE. We’ve had these transparency reports for over a year–is there any field data showing any benefit from the existing obligations? In other words, when the CPPA says this non-statutory obligation is a “necessity,” where is the evidence to support that?

The corrections requirements are a route to corrupt databases. As I explain in my comments, the CPPA’s proposed solution to correcting contested data errors “does not follow good information governance practices.” Basically, if a business has doubts about the accuracy of the requested correction, the regulations nevertheless functionally allow consumers to force the correction and produce pernicious outcomes.

The regulations are filled with naïve policy ideas. Two examples: (1) The proposed “disproportionate effort” test requires businesses to evaluate how much consumers care about their requests. How are businesses supposed to intuit consumers’ personal situations? (2) The regulation proposes “symmetry” in how options are presented, but “symmetry” is literally never possible, i.e., one consumer option always will have more prominence to consumers than the others.

The CPPA embraces jargon. The regulations are filled with undefined jargon, including “choice architecture,” “bundles consent,” “unnecessary burden or friction,” “aggressive filters,” and “unnecessarily wait.” Say what?

My comments air additional grievances with the proposed regulations if you are so inclined.

If you don’t think all of this is dumb, then like the line from When Harry Met Sally, I’ll have whatever you’re having. Otherwise, if you do think all of this is dumb, I will remind you of two facts:

1) The California legislature is poised to add a lot of new work to the CPPA’s docket via AB 2273, even though (a) the CPPA can’t handle the workload it already has, (b) the work would be outside of the CPPA’s privacy expertise, and (c) the draft regulations already raise questions about the CPPA’s ability to serve the best interests of Californians.

2) The CPPA and many of California’s Congressmembers, including my representative (Rep. Eshoo), are opposing any federal privacy law that would preempt the CPRA. Why? Because we have such stellar privacy regulation here? The CPRA and CPPA are so riddled with problems that California’s privacy idiosyncrasies are the best reason to FAVOR, not oppose, federal preemption. #MCGA / #DefundCPPA.

Prior CCPA/CPRA Posts

* Will California Eliminate Anonymous Web Browsing? (Comments on CA AB 2273, The Age-Appropriate Design Code Act)
* Can Facebook Stop Data Snarfers?–Meta v. BrandTotal
* Quick Links From the Past Year, Part 1 (CCPA and Privacy)
* Three More Yearbook/People Database Cases Signal Trouble for Defendants
* My Comments on the California Consumer Privacy Rights Act (CPRA) Rulemaking
* Court Casts Doubt on the Legality of the Data Brokerage Industry–Brooks v. Thomson Reuters
* New Primer on the California Privacy Rights Act (CPRA)
* CCPA Definitions Confuse the Judge in a Data Breach Case–In re Blackbaud
* A Roundup of CCPA Court Decisions (I Only Know of 7)
* CCPA Data Breach Lawsuit Against Walmart Fails–Gardiner v. Walmart
* The Anticipated Domino Effect: Virginia Passes Second State “Comprehensive” Privacy Law (Guest Blog Post)
* SF Chronicle Op-Ed: “Prop. 24 is the Wrong Policy Approach, at the Wrong Time, via the Wrong Process”
* Over 50 Privacy Professionals & Experts Oppose Prop. 24
* Californians: VOTE NO ON PROP. 24, The California Privacy Rights Act (CPRA)
* A Review of the “Final” CCPA Regulations from the CA Attorney General
* The CCPA Proposed Regs’ Data Valuation Calculation Provisions Provide Flexibility, But Raise Ambiguity & Transparency Concerns (Guest Blog Post)
* My Third Set of Comments to the CA DOJ on the CCPA Regulations
* Comments on the DOJ’s Proposed Modifications to the CCPA Regulations
* Eric Goldman’s Comments to the California DOJ Draft Regulations for the Consumer Privacy Act (CCPA) (Part 3 of 3)
* Some Lessons Learned from the California Consumer Privacy Act (CCPA), 18 Months In (Part 2 of 3)
* Resetting the California Consumer Privacy Act (CCPA)…with 2 Weeks To Go! (Part 1 of 3)
* And At the End of the Day, the CCPA Remains Very Much the Same (Guest Blog Post)
* A Recap of the Senate Judiciary Committee Hearing on Amending the California Consumer Privacy Act (Guest Blog Post)
* Want Companies to Comply with the CCPA? Delay Its Effective Date (Guest Blog Post)
* Recap of the California Assembly Hearing on the California Consumer Privacy Act
* A Status Report on the California Consumer Privacy Act
* 41 California Privacy Experts Urge Major Changes to the California Consumer Privacy Act
* California Amends the Consumer Privacy Act (CCPA); Fixes About 0.01% of its Problems
* Recent Developments Regarding the California Consumer Privacy Act
* The California Consumer Privacy Act Should Be Condemned, Not Celebrated
* A First (But Very Incomplete) Crack at Inventorying the California Consumer Privacy Act’s Problems
* Ten Reasons Why California’s New Data Protection Law is Unworkable, Burdensome, and Possibly Unconstitutional (Guest Blog Post)
* A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet
* An Introduction to the California Consumer Privacy Act (CCPA)