If you had an hour with the creator of the CCPA and CPRA, what would you ask?
Well, the entire DataGrail team had the opportunity to do precisely that. We recently met with Rick Arney for a virtual lunch and learn. Hearing the winding journey of drafting and passing the first robust consumer data privacy law in the United States was an educational treat for the entire DataGrail team. The CCPA ultimately drew overwhelming support from millions of Californians, yet it all started from a fateful conversation among friends (yes, you read that right).
Our conversation was so chock full of information that we are dividing it into a three-part blog series. In our first post, we will share the story behind the CCPA as told by Rick. For our second post, we will share the circumstances that led to the introduction of the CPRA. Finally, we share a post on what Rick believes is a pressing challenge for privacy compliance. A special thank you to Rick for the upfront and frank conversation about the future of privacy.
Okay, let’s dive in! Here is what we asked and learned.
Why the CCPA?
The conversation naturally started with “Why?” What led to the privacy policy that many companies are complying with today?
Like many ideas, the CCPA grew from a shared frustration. After Rick shared his unfortunate experience with identity theft with his friend Alistar Mactaggart, the two were determined to do something about data privacy and protection.
Over drinks, Alastair and Rick discussed how Rick had recently had his tax return cloned and illegally claimed by someone else. Their frustration with this sadly common experience set the two on the path that eventually led to the CCPA and CPRA. In fact, by the end of their conversation, they thought, “What if we created a law?”
The two started building their groundswell of support. Living in Oakland at the time, they began talking to their friends and neighbors (many of whom worked at large tech companies), and as they learned more about the issue, their passion continued to grow. They witnessed firsthand the vast support people showed for having control over their data.
“We did a lot of strategy work trying to figure out exactly what do people want… We met with everybody would meet with us, we actually created what we described as kind of a homegrown legislature in Oakland,” Rick elaborated.
Still, for a group of private citizens, passing a law is a huge endeavor. So, how did they pull it off?
How They Brought CCPA To Life
An essential factor in this story is the law-making framework of California. California has ballot initiatives. It gives California residents a way to create laws without the support of the legislature or governor. If a proposed law gets enough signatures, it gets placed on the ballot, and if it receives 50% plus 1 of the vote, it becomes a law. It gives people a unique front-row seat to drafting and passing laws.
Rick and Alastair used this mechanism to their advantage. They launched a campaign dedicated to making the CCPA a reality.
They immediately started polling to gain insights into the electorate’s feelings about the initiative. The results were astounding—an 88% approval rating.
“90 is the ceiling [for polling approval ratings]. Our first poll came out at 88%. And that was hugely powerful for us”, said Rick.
He elaborated that with such high approval ratings, it’s difficult for the opposition to lower support for an initiative significantly enough to stop it from passing. It provides an incredible amount of leverage. Still, they had to circumvent pushback from some companies that felt like CCPA was not the right path forward. At the start, several tech players (who shall not be named) strongly discouraged them from pursuing the effort.
However, Rick and Alastair stayed the course. Digging deep into the privacy space, and seeing the sheer levels of information being collected on people and the profiling that was happening, fueled their determination to continue pushing this privacy “boulder” up the proverbial hill.
For instance, Rick and his group were aware of the many lawsuits around the topic of geofencing and the hyper-targeting of ads. While sending ads to anyone who walks into a specific building may not sound like much, it can result in serious privacy concerns. As Rick further elaborated, “it could be an abortion clinic or a rehab center, and someone clicks on your ad, now you’re collecting information on someone you know is in rehab, or has had an abortion. And then you can sell that list. ”
Their work paid off. Eventually, their campaign gained enough signatures to be placed on the ballot. However, in a surprise twist, they choose not to put it up for a vote. A recent provision in California provides a short window to remove an initiative from the ballot if a solution can be negotiated with the legislature. The legislature embraced a solution given the initiative’s popularity and the fact that under California law, once an initiative passes, typically the legislature cannot amend or repeal it. The bill was passed unanimously in a single day, marking groundbreaking privacy legislation for the country. The CCPA was born!
Fairytale ending? Not quite.
Stay tuned for our second post on why the CPRA (the second version of California’s privacy law) ultimately ended up on the ballot. In the meantime, you can subscribe to our newsletter here.