Recommendations for the California Privacy Protection Agency

California Proposition 24 (aka the California Privacy Rights Act of 2020 or CPRA) provides additional rights to consumers (e.g. right to correct personal data, limit use of sensitive personal information such as geolocation data, etc.), adds additional obligations to businesses to better protect consumers’ personal data (e.g. data protection impact analyses must be performed, maintenance of records of processing activity, etc.), but probably most significantly it creates a new regulatory agency to enforce data protection and privacy in California — the California Privacy Protection Agency (CalPPA). 

In this blog post I will provide four recommendations for the CalPPA agency beyond what’s called out in Prop 24 which I will detail in this blog post.  Note these are a complement to the six proposed California roadmap for privacy and data security that I have for California legislators that I provided in my last blog post.  I will first give a short overview of the CalPPA, summarize my recommendations, and then provide the nitty-gritty details of my recommendations.

CalPPA Background

The CalPPA is a dedicated agency with a $10 per year million budget and will have as many people focused on privacy (i.e. 50) as the Federal Trade Commission (FTC) has focused on privacy for the entire US (40).  In terms of impact on the average consumer, it may very likely will be the most significant privacy regulatory enforcement agency in the US even compared to the FTC, with the ability to levy fines and take other administrative actions, and is comparable rival European Union (EU) member states’ Supervisory Authorities that the EU’s General Data Protection Regulation (GDPR) set ups.  

The CalPPA is to be managed by a five-member board, with the chair and one member to be appointed by the Governor, and one member each by the California Attorney General (Cal AG), Senate Rules Committee and the Speaker of the Assembly. These appointments must be made 90 days after the effective date of the CalPPA, which is March 16, 2021.  From there the board appoints an Executive Director, and it is assumed that rulemaking responsibilities for CPRA will be taken over by the CalPPA “on or after the earlier of July 1, 2021, or within six months of the agency providing the Attorney General with notice that it is prepared to assume rulemaking responsibilities.” From there the CalPPA must adopt final regulations by July 1, 2022 and enforcement of the CPRA begins July 1, 2023. 

Executive Summary of My CalPPA Recommendations

To provide more “feet on the street” in terms of finding violations with the CPRA and to provide a streamlined mechanism for reporting issues, I would recommend that the CalPPA set up a Privacy Bug Bounty system that in effect crowd sources the identification of privacy violations. 

I would also recommend that the CalPPA require from a regulation perspective that businesses (as defined under the CPRA) be required to implement privacy “nutrition labels.”  This would build upon what Apple is doing with mandatory app privacy and be in line with Prop 24’s findings and declarations that stated that “in the same way that ingredient labels on foods help consumers shop more effectively, disclosure around data management practices will help consumers become more informed counterparties in the data economy and promote competition.”

The CalPPA should also look to get California “adequacy” with the EU GDPR.  As Consumer Watchdog wrote in its endorsement of Prop 24:  “Californians’ protections would be sufficient for the state to gain “adequacy” under European law to give the state a leg up in fast track commerce with the European Union, assuming the US and EU resolve the national security aspects of privacy laws currently under discussion.”

Finally, I would highly recommend the CalPPA invest heavily in evangelism of the consumer rights afforded to Californians with the CPRA, much more than what the regulator of California’s current privacy law has done (the California Attorney General’s office with the California Consumer Privacy Act or CCPA).  I would make it a contest with California high school kids to design the CalPPA logo, record public service announcements, design curriculum for high school students as part of California government studies, etc. 

I have a few other ideas/suggestions, but these four are a good start.  Below are the nitty-gritty details of each of the four.

Recommendation #1:  Implement a “Privacy Bug Bounty” Program

With the Cal AG currently doing the regulation and enforcement of the California Consumer Privacy Act (CCPA, the predecessor to the CPRA), in viewing the Cal AG Privacy website it is not immediately clear how a consumer would report that a business is violating the CCPA (e.g. not respecting a data subject’s rights to delete their personal information and/or opt-out of the selling of their personal information AND/OR not putting the do not sell link on their website AND/OR not posting their privacy policy etc.).  After much hunting and pecking, a consumer may eventually read a FAQ on the Cal AG website and find that they can fill out a generic consumer complaint form with the Cal AG.  But even after doing that, a California resident has no idea if their complaint is being investigated or even received.

These are all problematic, but the core assumption is that the onus is on the consumers that upon getting a privacy run around from a business will be motivated enough to complain to the State, find out how to go about reporting the problem, etc.  This is the equivalent of an operator of a website not really testing their website and leaving it to the end users find the problems but not really telling the end user how they can report the problem.  This will lead to a poor customer experience.  Applying this analogy to California’s upgraded privacy law, it means Californians will not have faith in its relevance to themselves.

Now clearly the CalPPA could hire a big team of people to go out and test whether or not businesses are adhering to the law, with the hope that the CalPPA team finds the violating businesses before the mass of consumers bump into the violations.  But this is not productive, as the CalPPA team would be spending a good amount of its time “testing” businesses that respect the law, meaning the CalPPA team finds fewer scofflaws.

Would it not be better to have a large team of independent and motivated people looking for businesses who violate the CCPA / CPRA, and not put the onus on the average consumer to first find and report the problem or the CalPPA to waste cycles on wild goose chases?   i.e. crowd source the finding and reporting on businesses (per the CPRA definition of business) who are not following California’s privacy law.

The tech industry solves an equivalent problem with bug bounty programs, so I would recommend the CalPPA implement the first ever “Privacy Bug Bounty” system.  This would broaden who would be finding and reporting violators, would provide a workflow and reporting system, as well provide a feedback system to those reporting problems.  It would be open to not only average California residents but to others who would want to help that State find businesses who are violating the law (e.g. companies that are not displaying privacy policies, etc.).  This could be funded by a portion of fines paid out by companies.  For more information on a bug bounty system and how it is used, check out this article, and then imagine instead of bugs being reported, that privacy violations are being reported.

Recommendation #2: Require “Privacy Nutrition Labels”

One of the goals of Prop 24 / CPRA was the desire to have businesses provide more transparency around what personal data is being collected, how it is being used, and if it was to be sold or shared.  The analogy as articulated in the actual Prop 24 proposal to voters was that the CPRA would force businesses to put “nutrition labels” on their collection and usage of personal information, as articulated in its findings and declarations:

“in the same way that ingredient labels on foods help consumers shop more effectively, disclosure around data management practices will help consumers become more informed counterparties in the data economy and promote competition.”

This concept is actually being implemented today by vendors such as Apple and what it is doing with mandatory app privacy.  As reported by CNN: 

“Apple said the effort is intended to make it easier for people to understand when data is being accessed or shared, so users will be less surprised to learn later what's been collected.“

And notes

“The label itself features three main sections: "data used to track you," such as information collected for advertising purposes; "data linked to you," or the data tied to a user's identity through their account on the app, device, or other details; and "data not linked to you," which is data collected but not linked to an account.”

I would recommend the CalPPA work with industry (e.g. Apple) and academia, as well as the EU’s European Data Protection Board, to design a standard privacy nutrition label that CalPPA regulations would eventually require businesses to provide on its website.  In light that most businesses will have an app in the Apple store, this probably is not an onerous undertaking.

Recommendation #3: Pursue Adequacy with EU

The CalPPA should also look to get California “adequacy” with the EU in the context of the EU’s privacy law, the GDPR.  Per the EU:

“The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In others words, transfers to the country in question will be assimilated to intra-EU transmissions of data.”

GDPR does allow for a State like California to go through the adequacy decision process as it is a territory with a third country.  Per GDPR Article 45:

“A transfer of personal data may take place where the commission has decided that the third country [or] a territory within that third country ensures an adequate level of protection.”

The CPRA was written with adequacy in mind as the CPRA clearly harmonizes California’s privacy law with the GDPR.  As Consumer Watchdog wrote in its endorsement of Prop 24: 

“Californians’ protections would be sufficient for the state to gain “adequacy” under European law to give the state a leg up in fast track commerce with the European Union, assuming the US and EU resolve the national security aspects of privacy laws currently under discussion.”

Why would this be significant?  As the privacy lawyers at Akim Gump note:

“Earlier this year, the Schrems II decision struck down the EU-U.S. Privacy Shield that facilitated data transfers from the EU to the U.S. and also put into question the effectiveness of Standard Contractual Clauses, a popular data transfer mechanism.2 Thus, a decision by the European Commission that California provides an adequate level of data protection for cross-border transfers from the EU would be welcomed and unprecedented for any state in the U.S. Such a decision could also spur other states to adopt privacy legislation similar to the CPRA.”

But to likely make this happen, the Biden administration must resolve national security issues as noted by Akim Gump (and also Consumer Watchdog per the quote above):

“However, whether the European Commission would be prepared to take such a bold step is unclear, particularly because the EU Court of Justice raised concerns in Schrems II regarding the reach of certain U.S. federal laws (Section 702 of the Foreign Intelligence Surveillance Act, Executive Order 12333 and Presidential Policy Directive 28). As those laws apply to companies in California, the European Commission might find it tricky to grant the state adequacy and still comply with the reasoning in Schrems II.”

Point is California and the CalPPA can’t make this happen in isolation, but hopefully the CalPPA can evangelize both to the EU and the Biden Administration to make this happen.  Speaking of evangelism …

Recommendation #4:  The CalPPA Should Make Evangelism of Privacy Rights a High Priority

If CPRA is to be successful, it requires not only balanced regulation and enforcement by the CalPPA, but it also requires support from California residents who are aware of its value and exercising their new privacy rights.  Otherwise the CPRA and the CalPPA may find itself at the losing end of future ballot initiatives or courts may not hesitate to chip away at it as the general population is not being impacted.  Or the legislature may decide not to give it any additional funding to pursue additional enforcement that the CalPPA believes it needs over and beyond the $10m per year budget.

So, evangelism should be very important to the CalPPA and in fact is called out by the law itself in Section 1798.199.40.  The CPRA states that the CalPPA shall …

“Promote public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale, and disclosure of personal information, including the rights of minors with respect to their own information, and provide a public report summarizing the risk assessments filed with the agency ...”

and

“Provide guidance to consumers regarding their rights under this title.”

So, here are some ideas to “promote public awareness”:  

1. See if the Franchise Tax Board can add the California Privacy Fund as an option for taxpayers to donate to ala the California Sea Otter fund;

2. See if the California Secretary of State can let the CalPPA slip in a piece of paper promoting California’s consumer privacy rights in the mailings for driver’s license and car registration renewals;

3. Be very active and creative on social media with posts that promote the privacy rights that Californians have under CPRA;

4. Create a robust set of web content and videos that are prominently promoted from the CalPPA website and social media properties that evangelize Californians’ consumer privacy rights;

5. Have a contest open to high school students to design the logo of the CalPPA;

6. Create curriculum for high school students that can used as part of California government studies that includes a lesson plan that has students exercise their privacy rights with web sites that students commonly use as well as have students record privacy-related public service; announcements (e.g. in the form of TikTok videos) that are judged as part of an annual contest.

7. Record and/or use student public service announcements re: CPRA privacy rights and make available to TV stations;

8. Train Privacy Evangelists who can set up tabletops at Farmer’s Markets and hand out brochures (post Covid of course);

9. Require businesses in their breach notification letters to add a paragraph highlighting links to privacy rights content on the CalPPA web site; and

10. Participation by CalPPA employees in community (e.g. State Assembly or Senator constituent briefings) and industry events to raise awareness and visibility.

The CalPPA needs to find creative ways to have this promotion and evangelism to occur on a minimal budget to not pull too much from the funds needed for regulation and enforcement.  Maybe a “Friends of the CalPPA” non-profit foundation can be created that can help fund this evangelism, e.g. the equivalent of additional funding that public schools get from parent groups.

....

Those are some of the initial recommendations I have for the CalPPA.  Be sure to check out the 6 recommendations I have for California lawmakers to further advance privacy and cybersecurity in California.