Welcome to the second post of our three-part series, where we are sharing highlights from our lunch and learn with Rick Arney. This post shares insight from Rick on why the CPRA ended up as a ballot initiative after all. If you haven’t yet, check out our first post, where we shared how Rick and a close friend built the CCPA from a shared frustration.
CCPA 2.0, aka the CPRA
So, back to where we left off. Rick and Alastair accomplished their goal—the CCPA transformed into law! However, that is just the beginning of their story.
After the success of passing the CCPA, many in the privacy community were elated. Other legislation had touched on privacy, but in the US, we had never seen legislation that went as far as the CCPA. The CCPA was aligned to the GDPR much more than anything else historically has been. Their excitement was well justified, but it didn’t last very long.
If you recall from our previous post, there is a provision in California that allows initiatives to be removed from the ballot and instead enacted legislatively. Rick, Alastair, and their coalition took this route after receiving enough signatures to be placed on the ballot. They choose to do this because it could be an accelerated route to seeing the CCPA enacted. Legislators generally like this route as well. After all, it gives them the continued ability to enact legislation on that topic in the future. Otherwise, once an initiative passes through the ballot process, legislators cannot amend the law in any way unless they specify otherwise in the initiative language. An initiative essentially takes the jurisdiction of the topic matter away from the legislature permanently.
Unfortunately, because it was a legislatively passed law, it was still subject to amendment. “In the next 12 months, 45 bills were submitted in the legislature to try to amend the thing,” Rick shared. The amendments were painful to watch. Frustratingly, almost every one of the amendments would weaken the CCPA, not strengthen it. The primary focus was on increasing exemptions to the CCPA. Several industries actually wanted to exempt themselves from the entire law. Rick and his partners couldn’t just sit back and watch. They sought to not only protect the law but to make it better. At first, they attempted to handle the process legislatively. “We hired some lobbyists, we tried to fight that off, but we realized that was kind of a losing battle.”
After recognizing the futility of this approach, they knew they had to pivot their efforts to ensure the privacy rights of Californians were protected. They decided to do two things: renew the initiative and address the myriad of technical shortfalls in the CCPA that became evident after enactment. They renamed the initiative the CPRA and hit the ground running.
Differences Between the CCPA and the CPRA
One significant improvement to the CCPA was creating the California Privacy Agency, an agency dedicated to enforcing the CPRA compliance. The CPRA endows that agency with a substantial amount of power to protect the privacy of Californians. For instance, this new agency can wield subpoena power, audit power, and regulatory rule-making powers. The CPRA even provided $10 million per year in the state’s recurring budget to support the agency. That amount is comparable to the FTC, which enforces privacy for the entire United States.
Rick and his partners also included a provision in the CPRA that allows the legislature to pass laws to amend the CPRA, but only if it advances the cause of privacy. Rick and his group recognized that technology changes quickly, and they wanted the legislature to be empowered to adapt the law to address that without weakening privacy. Essentially, the CPRA became “the floor” of privacy rights, with the legislature allowed to only enhance privacy protection.
Rick, Alastair Mactaggart, and their partners not only gained enough signatures for the initiative to be placed on the ballot in November 2020. They also received the support of over 6.3 million voters who voted in favor of the initiative. The CPRA rocketed past the necessary 50% threshold to become a law enacted directly by California voters. The CPRA will take effect in January 2023 and includes a look-back period that starts in January 2022.
The need for companies to consider proper compliance with the CPRA has already arrived. During our lunch, we asked Rick about what he believes is a pressing challenge for privacy compliance. Stay tuned for the third post in our installment to find out what he shared.