California Privacy Proposal Divides Privacy Advocates As Vote Nears

A privacy proposal on the ballot in California next month has divided advocates as voters in the state appear poised to pass what could become the new de facto standard for the U.S.

Opponents of the California Privacy Rights Act in recent weeks have stepped up closing arguments over how aspects of the 52-page proposal could actually weaken a benchmark privacy law that the state began enforcing in July. The criticisms contrast starkly with the stated purpose of the ballot measure, which privacy experts say will set ground rules for much of the digital economy in lieu of a federal standard.

“The text is riddled with things that seem like small changes but in fact will reduce the privacy protections we have today,” said Mary Stone Ross, who helped lead the group behind the California Consumer Privacy Act—the existing law—and is pushing against the proposed replacement.

Alastair Mactaggart
, the Bay Area real-estate developer who has spearheaded both efforts, said the criticisms are rife with “misinformation” and added that the ballot measure has both a “massive amount of consumer benefits” and “workability fixes” for businesses.

Complying with a new law could prove costly for companies that do business in California, privacy experts say. But Mr. Mactaggart believes firms that also operate in Europe could minimize expenses because the CPRA would in some ways harmonize state rules with the European Union’s privacy standard, the General Data Protection Regulation.

CPRA would create a dedicated enforcement agency for privacy and enshrine consumer rights including the ability to deny companies the opportunity to sell or share their data. Several California lawmakers, former Democratic presidential candidate Andrew Yang and
Shoshana Zuboff
, author of “The Age of Surveillance Capitalism,” back the proposal, among others.

Still, some advocacy groups, such as Color of Change and the Electronic Frontier Foundation, have disagreed with Mr. Mactaggart’s own interpretation of the text or expressed concern over potential impacts.

CCPA allows businesses to charge different prices for consumers who opt out of data processing, as well as offer incentives to those who opt in, as long as the amount is “reasonably related” to the data’s value. CPRA would build upon this idea, which critics call “pay for privacy,” including through a new carve-out for businesses to offer such compensation through loyalty rewards programs.

“To us that step is fundamentally inconsistent with equity and the idea that privacy is a human right,” said Jacob Snow, an attorney at the American Civil Liberties Union of Northern California.

Mr. Mactaggart countered that the provision would give flexibility to ad-supported businesses, such as newspapers and music-streaming services, which may want to sell services at different prices depending on users’ preferences.

“The flip side of opting out for free is very elitist: It means that people cannot monetize their data,” he said.

A similar dispute in the reading of CPRA has emerged around the future use of technology to guard individuals’ data. Phone settings and browser plug-ins, for example, could let users automatically opt out of data processing by sending signals to websites they visit.

Businesses will have to respond to such signals without retaliating against users with higher prices or reduced service, Mr. Mactaggart said.

Ms. Ross, his former ally, argues that the proposed language in CPRA gives companies a loophole by allowing them instead to display a do-not-sell button, which users would have to push manually.

More from WSJ Pro Cybersecurity

“You’ll have to go to every single website or company to opt out,” she said.

These differing interpretations of the text will likely be hashed out in court cases once enforcement of the potential law is slated to begin in 2023, she said.

Representatives for the California attorney general’s office, which has hired more than 20 new staffers this year to enforce CCPA, didn’t immediately respond to requests for comment.

Privacy advocates share an odd alignment with some industry groups in their skepticism about passing a new law, without a legislative process, while its predecessor is still in its infancy.

Some of the companies that fought to shape the CCPA in their favor as it was developed have been publicly mum on CPRA, the would-be replacement. A spokesman for Alphabet Inc.’s Google said the company has no position on CPRA. Representatives for
Facebook
Inc.
didn’t respond to a request for comment.

Write to David Uberti at [email protected]

Source Article