
The Story Behind CPRA: Less Than a Year After the Introduction of the CCPA, Why is California Voting on Another Privacy Law?

Back in 2018, California lawmakers hurried to pass the CCPA, a new
regulation about privacy and data compliance. This year, Californian voters
faced another privacy-related choice on the ballot. So, why is a new law on the
table so soon after implementing a similar one? The story behind California’s
new data privacy law is about human optimism, philosophical battles over the
right to privacy, tech companies determined to operate within grey areas, and
plenty of confusing acronyms.

On November 3rd, 2020, California voters decided to vote CPRA into law. It will
go into effect in January 2023 (with a lookback provision starting in 2022) and
have major data compliance implications for all companies that do business
with California consumers. To better understand how we got to CPRA and what
it could mean, let’s review a brief history of the last few years of data privacy in
California.

California’s Special Relationship with Data & Privacy

The Golden State is the spiritual home of software and the internet. It’s no
secret that Silicon Valley took a cavalier attitude towards ideas of user privacy
in the early days of the web. There was simply no governing body producing
and enforcing privacy laws suitable for modern digital networks in the 1990s
and early 2000s.

As lawmakers and consumers began to get wiser, and as more concern arose
over the negative consequences of tech titans’ ability to leverage consumer
data, new regulations were tabled to help protect user privacy. But legislative
language is notoriously difficult to get right. It requires highly specific legalese
to ensure that the intended outcomes are achievable.

This helps explain the first major privacy law to go into effect in California: the
California Consumer Privacy Act. It came into effect on January 1, 2020, and
became legally enforceable on July 1. Although many bright minds worked on
the language, it satisfied nearly no one. Behind the scenes of this initial
legislation is a contentious journey that neatly illustrates the difficulties and
opportunities for passing comprehensive data privacy law in the US.

Before the CPRA, We Had CCPA

Alastair Mactaggart is a real estate developer in California who became
interested in privacy and data management in 2016. Like many others, he
first learned about the issues from a consumer perspective. He was concerned
about how his online behavior was being tracked and monetized without his
consent. So, he decided to do something about it.

With little policy experience or knowledge of the tech industry, Mactaggart
enlisted some neighbors to help craft language for a new policy about data
privacy and data management in the state of California. Some of them, like
Mary Stone Ross, happened to be seasoned political veterans and privacy
observers. So the makeshift team of policy lobbyists was able to craft an
extensive privacy law proposal that, due to widespread public support of any
privacy initiative, stood a good chance of passing into law.

This effort by Mactaggart alarmed California lawmakers – even those who were
pro-privacy. One, state Senator Bob Hertzberg, was particularly alarmed at
how difficult it would be to amend Mactaggart’s version of the law. Said
Hertzberg in Wired: “The reason we thought it was horrible wasn’t that he
didn’t do a lot of good things that were consumer-facing; of course he did. But
he put a 70 percent threshold. And in my world, a 70 percent threshold gives
the other party all the power.”

The California Consumer Privacy Act (CCPA), then, was ultimately Hertzberg
and California’s attempt to appease privacy activists…without putting
Mactaggart’s proposal on the ballot. It was hurried through the legislature and
full of expedient compromise. This can be seen in the way it was received by,
well, pretty much everyone.

The CCPA didn’t meet the brief for consumer usability, nor provide enough
clarity to companies. It placed a disproportionate burden on smaller
businesses, which didn’t have the legal know-how to work the law’s loopholes
in the same way as some of the world’s biggest tech companies. Neither side
could get behind the legislation. Plus, there were major questions about
enforcement; that burden was placed on the California Attorney General, who
was open in their admission that resource constraints would only let them
prosecute a small number of CCPA violations per year.

In the end, Bob Hertzberg himself began urging Mactaggart to put an initiative
to a popular vote. This would, in his view, provide a stronger mandate for
privacy protections and suitable mechanisms for regulatory enforcement. Proposition 24,
aka the California Privacy Rights Act (CPRA), is the result.

Californians Set to Vote on Proposition 24

Now, Californians have the opportunity to expand the original CCPA into the
CPRA. This change will see a strong focus on enforcement as well as finer-
grained classification and requirements for businesses that process personal
data. Does this mean that all the CCPA’s issues have been resolved? Far from
it! Many observers (experts included) are still confused about the new
legislation and the specific ways it differs from the previous CCPA.

The 52-page document includes very technical language that makes it difficult
for everyday citizens to understand. One reason to vote for it is that it’s a
strong stand for consumer privacy that doesn’t exist anywhere else in the
country. On the other hand, it’s not clear how the CPRA would play out in real
life. Will it expand consumer privacy protections or diminish them? Even the
original drafters of the CCPA, Mactaggart and Mary Stone Ross, disagree on
this question.

The passage of the CPRA could set a nationwide precedent for similar data
compliance laws. In the absence of a federal privacy law, it will become the de
facto privacy standard for the entire United States. But it’s yet to be seen if the
enforcement mechanism will work as envisioned.

The only certain thing is that the story of US digital privacy law is at the start,
not the end. This is the beginning of a years-long conversation about the role of
data in business and how to balance consumer privacy with the cost of doing
business. Compliance can be tricky at the best of times, but it becomes a lot
easier when you automate the core tasks with a product like Ethyca.

Initial thoughts about the proposed CPRA regulations

In a surprising development, the California Privacy Protection Agency (CPPA)
published proposed amendments to the CCPA regulations recently. The
proposed amendments were initially made public in a package of materials to
be considered by the CPPA at its upcoming June 8 meeting. The proposed
amendments—which in effect are the draft CPRA regulations—were issued
without advance notice, ahead of the schedule previously announced by the
CPPA.

The proposed regulations are broken into nine (9) substantive areas:

1. General Provisions
2. Required Disclosures to Consumers
3. Business Practices for Handling Consumer Requests
4. Service Providers, Contractors, and Third Parties
5. Verification of Requests
6. Special Rules Regarding Consumers Under 16 Years of Age
7. Non-discrimination
8. Training and Record Keeping
9. Investigations and Enforcement

Notably absent are regulations relating to automated profiling, cybersecurity
audits, and privacy risk assessments—all areas where guidance was largely
expected.

In general, the draft regulations are dense and highly technical, nearly
doubling the length of the current CCPA regulations. And, the regulations may
grow if subsequent drafts incorporate new sections that are not in the first
draft. In any event, if implemented in their proposed form, the CPRA
regulations will require a substantial expansion of privacy compliance
operations for many businesses subject to the law. The details, potential
compliance problems, technical requirements, and unanswered questions are
far too numerous to address in a single blog post. Over the next few weeks, we
intend to analyze the proposed regulations in more detail, focusing on specific
subject matter areas.

At this stage, here are our initial takeaways.

The Proposed Regulations Are Highly Pro-Consumer

Even for a privacy law as expansive as the CPRA, the proposed regulations are
strikingly pro-consumer, capturing an array of concerns and proposals that
privacy advocates have been articulating for several years. The proposed
regulations, for example, have detailed data minimization requirements that
not only require businesses to collect, use, retain, and share personal data in a
manner consistent with the expectations of the average consumer, but would
require businesses to obtain new consumer consent if they process personal
data in a manner that isn’t consistent with these consumer expectations. This
form of consumer right is not explicitly provided by the CPRA, and it could
create significant operational costs for businesses.

Likewise, the proposed regulations explicitly address the use of “dark patterns”
that limit consumer autonomy through subtle steering techniques. The
regulations provide several examples of prohibited dark
patterns, such as consent banners that offer choices such as “Accept All”
and “Ask Me Later” that are not symmetric or equal. Businesses are also
prohibited from providing mechanisms for exercising consumer rights that are
more difficult in degree than the steps required for exercising pro-business
options. Font size for privacy policy links has to be no smaller than that used
by businesses for other links. There are prohibitions against the use of
unnecessary jargon, and examples of disclosures that are confusing to
consumers. These proposals signal the CPPA’s focus on transparency and the
elimination of unnecessary and confusing privacy disclosures. In addition to
the substance of their disclosures, businesses will need to consider the
presentation of consumer choices.

New Consumer Rights Will Require Big Compliance Changes

Not surprisingly, some of the most significant proposed regulations focus on
the technical details surrounding the new rights the CPRA extends to
consumers; specifically, the rights to opt out of the sharing of personal
information, to limit the processing of sensitive personal information, and the
right of correction. The regulations contain many pages of details explaining
businesses’ options for enabling consumers to exercise these rights, which are
likely to trigger compliance headaches.

The new right of correction, for example, will require many U.S.-based
companies to build new intake and processing mechanisms. Whether a
business must honor a correction request, the records that it may need to
provide consumers to justify a decision not to honor a correction request, and
the documentation to support business decisions not to correct may require an
adjudication process not dissimilar to FCRA correction mechanisms. For
companies that rely on personal data provided by third parties – as opposed to
their own records – the correction process is even more complex.

In one of the few pro-business amendments, the proposed regulations do
introduce a “disproportionate effort” defense for companies facing overly
burdensome consumer requests. But in keeping with the general pro-
consumer tilt of the CPRA, the standard for using this defense to a consumer
request is high and requires companies to demonstrate that the cost of
compliance “significantly outweighs” the benefit to the consumer of honoring a
request. A business that fails to establish adequate procedures for honoring
consumer requests cannot claim a disproportionate effort.

Regarding the new opt-out rights, the regulations contemplate that businesses
can enable these rights via “Do Not Sell or Share My Personal Information” and
“Limit the Use of My Sensitive Personal Information” links or via a “My Privacy
Rights” link that combines these different opt-out rights or by recognizing
browser opt-out signals. The details in this section of the regulations are very
granular, however, and businesses will need to spend significant time
considering the practical and legal costs and benefits of the differing
mechanisms. Notably, the proposed regulations explicitly reject the use of
cookie banners as a mechanism for enabling opt-outs for the sale or sharing of
personal information because the opt-out only addresses the collection of
personal data, not the sale or sharing.

One thorny operational issue involves the processing of browser opt-out signals
that conflict with specific privacy settings chosen by consumers, for example
with loyalty programs where consumers consent to provide certain personal
information. In many cases, these conflicts must be resolved in favor of
maximizing opt-out rights unless the business obtains additional consumer
consent. For many businesses, managing such conflicts may alter the calculus
of choosing a particular manner of enabling opt-out rights. The operational
complexity of enabling opt-out rights may trigger deeper consideration about
what ad tech model businesses may want to utilize once the CPRA becomes
effective.

First Party Obligations Are Now Third-Party Obligations

One of the more notable ways in which the CPRA broadens consumer privacy
rights is through the expansion of obligations on third parties. Whereas the
CCPA required that businesses push certain privacy obligations onto service
providers through required contractual language, the CPRA goes even further
by introducing “contractors” as a new category of service provider and
expanding the provisions that must be included in a contract with a service
provider or contractor to avoid vicarious liability. The proposed regulations do
allow a service provider or contractor to use the personal data of consumers to
improve its applications.

The proposed regulations also modify the safe harbor afforded to businesses
that meet the contractual requirements for service provider and contractor
agreements by noting that businesses that don’t conduct any due diligence or
auditing of their service providers or contractors may not be able to argue that
they were unaware of a contractual violation.

The proposed regulations also impose new obligations on third parties in
several different ways. Third parties that collect personal data on first-party
platforms are required under the proposed regulations to provide a notice at
collection to these consumers, which is a wholly new obligation. Businesses
must also forward opt-out requests, as well as consumer deletion requests, to
third parties processing that consumer’s data. Third parties, in turn, must
honor opt-out requests unless they become a service provider or contractor and
honor deletion requests. Third parties that recognize browser opt-out signals
on first-party sites must also honor the opt-outs. In addition, the proposed
regulations impose new contractual requirements for third parties subject to
the CPRA.

The combined effect of these expanded obligations on service providers,
contractors, and third parties is to broadly share compliance obligations across
the entire ecosystem in which a consumer’s data flows. Businesses thus must
analyze their obligations as first parties as well as obligations they may face as
third parties receiving consumer data through sharing arrangements. Among
other things, these expanded obligations will require improved data tracking
and communication with third parties.

The Use of Third-Party Tools May Be Unavoidable for Some Companies

There are numerous provisions in the proposed regulations that incentivize or
make easier the use of third-party tools. For example, the regulations remove a
requirement that authorized agents be registered in the state of California,
opening the door for more third-party services to serve as agents to help
Californians exercise their consumer rights. This change, coupled with the
expansion of consumer rights under the CPRA – as well as four other state
privacy laws – makes it quite likely that businesses will experience a significant
surge in consumer requests once the CPRA becomes effective.

The proposed regulations, as noted, permit businesses to enable consumer
opt-out rights by recognizing browser opt-out controls. The proposed regulations
incentivize businesses to recognize these signals by allowing businesses who do
so in a “frictionless” manner (a newly defined term) to avoid the need to provide
Do Not Sell or Share and similar links on the website. The new requirements
imposed on third parties require enhanced data tracking, documentation, and
communication with first parties. For many businesses, it may not be possible
to meet these enhanced technical requirements without the use of third-party
privacy compliance tools.

CPRA Regulations May Complicate Plans for a Singular Approach to Privacy Compliance

Even before the release of the proposed regulations, California’s law was arguably
the most pro-consumer privacy law in the U.S. The proposed regulations, as
noted, move the law in a decidedly more pro-consumer way. Other states’
laws, particularly Utah and Virginia, are decidedly more business-friendly and
will not be subject to the same kind of detailed rule-making as California. It is
therefore a distinct possibility that when the CPRA regulations are finalized,
they will impose significantly more onerous requirements than other states.

The complexity of the proposed CPRA regulations may cause companies to
think twice about plans to adopt a singular “most restrictive law” approach to
complying with the five new U.S. state privacy laws that become effective in
2023. For example, does it make sense for a business to build opt-out
mechanisms for California that will not be required for other states and may
reduce ad-based revenue?

Much will depend on what shape the final CPRA regulations take and how
closely other states hew to the CPRA model. Colorado is also going through a
rule-making process for the Colorado Privacy Act (CPA) and if the state lands
somewhere close to California in its rule-making, the calculus may again shift
toward a singular model for businesses that are subject to multiple state
privacy laws. If other states pass Utah-style privacy laws in 2022 or 2023,
businesses may begin to balkanize their privacy compliance programs. The
potential for this schism may push Congress to pass a federal privacy law.

Needless to say, there is more to come. As businesses fully digest the proposed
CPRA regulations, we are likely to see a significant push by the business
community for the relaxation of the proposed regulations. We will provide
more analysis about particular proposed regulations soon.

Significant Changes in the CPRA That You Should Know

1. Special rules regarding “Sensitive Personal Information”

The first major change from CCPA to CPRA is the definition of “sensitive data.”
The definition is still admittedly broad, but the category items include
government-issued identifiers, account log-in credentials, financial account
information, precise geolocation, contents of certain types of messages, and
many more.

It is certainly broader than the definition of “special categories of personal
data” under the GDPR, to which some might be tempted to compare it. Here it
is worth noting that under CPRA, while additional rules would govern the
processing of sensitive data, doing so would not require express consent, as is
the case with the narrower set of “sensitive” data under the GDPR.

2. Further limitations on the use of sensitive personal information collected

CPRA also iterates on CCPA about consumers’ ability to limit the use and
disclosure of their sensitive personal information. Specifically, a consumer
could direct a business to use sensitive personal information only for purposes
necessary to perform the service or provide the goods requested or as
prescribed by the CPRA or implementing regulations. Businesses would be
required to respect such requests unless a consumer provides subsequent
authorization to use the sensitive personal information for additional purposes.

CPRA would also require a business to inform consumers of the length of time
the business intends to retain each category of personal information and
sensitive personal information or the criteria used to determine that period.

This highly significant new business obligation is somewhat hidden among the
CPRA’s notice obligations, forcing businesses to take a careful look at the
personal data they have stored and delete unnecessary data much more
regularly.

Finally, the CPRA places new contractual and direct obligations on service
providers, contractors, and third parties. This change aligns with the
separate and distinct obligations the GDPR places on processors.

New obligations are also placed directly on service providers and contractors.
CPRA mandates that they cooperate with and assist businesses in providing
requested personal information in response to verifiable consumer requests as
well as correcting or deleting information or limiting the use of sensitive
personal information in response to such requests, each with some exceptions.

3. Changes to the definition of “publicly available information”

Publicly available information includes not only public records from federal,
state, or local governments, but CPRA takes it a step further.

CPRA includes as public information:

• Information that a business has a reasonable basis to believe is lawfully
made available to the general public by the consumer,
• Information from widely distributed media, and
• Information made available by a person to whom the consumer has
disclosed the information if the consumer has not restricted its use.

4. Employee data moratorium extended

Many covered businesses will surely appreciate the expanded employee data
moratorium, which the CPRA extends until Jan. 1, 2023. The act makes clear
that personal information collected by a business in the employment context
would not be covered until 2023, providing time for the adoption of another bill
to govern data protections in that context.

More specifically, the CPRA states that it does not apply to personal
information collected from an individual acting as a job applicant, an employee,
owner, director, officer, staff member, or contractor, including benefits
administration and maintenance of emergency contact information.

There is a similar exclusion for communications or transactions between
businesses and consumers, where the consumer is acting as an employee or
one of the other roles cited above. The CPRA’s introductory provisions,
outlining its purpose and intent, make clear that while the privacy interests of
employees and contractors should be protected, the relationship between
employees and businesses is different from that of consumers and should be
taken into consideration.

5. Establishment of a California Privacy Protection Agency

The CPRA creates the first agency in the United States dedicated solely to
privacy – the California Privacy Protection Agency or CPPA. This agency will
implement and enforce the act as well as have subpoena and audit powers. The
CPPA would also be charged with building public awareness about privacy
risks, providing guidance to businesses and consumers, and “be [appointed]
from among Californians with expertise in the areas of privacy, technology, and
consumer rights.”

The agency could levy administrative fines of up to $2,500 per violation of the
act or up to $7,500 per intentional violation or violation involving minors. It
would also absorb the rulemaking authority granted under the act from the
Attorney General’s Office. The CPPA would receive at least $10 million in
annual funding beginning in 2021–22 with $5 million in the first year.

Best Practices Recommendations

CPRA is not going to be the last privacy law of its kind in the United States. It
is important now, more than ever, for organizations to develop a compliant
privacy program that can adapt to the current privacy laws as well as future
legislation.

As you do, keep the following best practices in mind:

• Know what the regulations (in each location) require.
• Be sure your data-sharing partners are compliant.
• Know what your contracts say.
• If you’re on the receiving end of a privacy and security boilerplate, read it.
• Include that boilerplate in the contracts with your data-sharing partners.

THE HISTORICAL NARRATIVE OF THE CODE OF PROFESSIONAL RESPONSIBILITY AND ACCOUNTABILITY

The independence of a lawyer in the discharge of the professional duties,
without any improper influence, restriction, pressure or interference, direct or
indirect, ensures effective legal representation and is ultimately imperative for
the rule of law.

1. Independent, accessible, efficient and effective legal service
2. Merit-based practice
3. Freedom from improper consideration and external influences
4. Non-interference by a lawyer unless authorized by law or court
5. Lawyer’s duty and discretion in procedure and strategy

A lawyer shall at all times act with propriety and maintain the appearance of
propriety in personal and professional dealings, observe honesty, respect and
courtesy, and uphold the dignity of the profession consistent with the high
standard of ethical behavior.

1. Proper conduct - A lawyer shall not engage in unlawful, dishonest, immoral
or deceitful conduct.
2. Dignified conduct - A lawyer shall respect the law, the courts, tribunals,
and other government agencies, their officials, employees, and processes,
and act with courtesy, civility, fairness and candor towards fellow
members of the bar.
3. Safe environment; avoid all forms of abuse or harassment - A lawyer shall
not create or promote an unsafe environment, both in private and public
settings, whether online, in workplaces, educational or training
institutions, or in recreational areas.
4. Use of dignified, gender-fair, and child and culturally-sensitive language -
A lawyer shall use only dignified, gender-fair, child and culturally-
sensitive language in all personal and professional dealings.
5. Observance of fairness and obedience - A lawyer shall, in every personal
and professional engagement, insist on the observance of and obedience to
the law.
6. Harassing or threatening conduct - A lawyer shall not harass or threaten
a fellow lawyer, the latter’s client or principal, a witness, or any official or
employee of a court, tribunal or other government agency.
7. Formal decorum and appearance - A lawyer shall observe formal decorum
and appearance before all courts, tribunals and other government
agencies.
8. Prohibition against misleading the court, tribunals, and other
government agencies - A lawyer shall not misquote, misrepresent or
mislead the court as to the existence or the contents of any document,
argument, evidence, law or other legal authority, or pass off as one’s own
the ideas or words of another, or assert as a fact that which has not been
proven.
9. Obstructing access to evidence or altering, destroying, or concealing
evidence - A lawyer shall not obstruct another lawyer’s access to
evidence, including testimonial evidence, or alter, destroy, or conceal
evidence.
