Why I am Voting Yes on Prop 24 — the California Privacy Rights Act of 2020
Having spent the last few months diving into the state of data privacy in both Europe and the United States on my blog, I wanted to use this post to summarize the reasons why I my voting Yes this November on California Proposition 24 — the California Privacy Rights Act (CPRA) of 2020.
My main motivation for writing this particular blog post is to have something I can forward in writing if a friend asks me my opinion of Prop 24 given my background. If you don’t know me and stumbled upon this article, and you are a California voter and you don’t have a strong opinion on Prop 24, consider this as a “letter to the editor” in support of Prop 24.
Let me cut to the chase and give the executive summary of why I am voting Yes on Prop 24, and if you want to get more information then feel to read the rest.
Executive Summary of My Yes Vote
As enshrined in the California Constitution, I believe privacy is an inalienable right, and that privacy rights need to be further extended and enhanced in an increasingly digitized world. I believe additional legislation is needed to secure and protect our personal data and online privacy, especially for minors. After a significant amount of research and having years of expertise in the area of cybersecurity and privacy, I have concluded that Proposition 24 — the California Privacy Rights Act of 2020 (CPRA) — would give California the most comprehensive data protection and privacy legislation in the United States. In fact, it gets California on par with the gold standard of privacy legislation — the European Union’s General Data Protection Regulation (GDPR) — that the CPRA is modeled on.
In light that CPRA represents a “Version 2.0” upgrade of the existing California law (the California Consumer Privacy Act aka CCPA) which businesses already support, and given that many businesses also already support GDPR, the cost on businesses for CPRA compliance would not be burdensome, but the corresponding value to California residents would be immense. Namely it gives Californians additional online privacy rights (e.g. right to correct personal data, limit use of sensitive personal information such as geolocation data, etc.) while creating a new regulatory agency — the California Privacy Protection Agency (PPA) — that will better protect Californians against firms that collect, share and sell our personal data while also being able to levy greater fines for misuse of children’s personal data.
So that’s why I would highly recommend voting Yes on Prop 24. If that’s good enough to convince you, no need to read further, but below is the nitty-gritty details on how I came about to supporting and being a Yes Vote for Proposition 24.
Refresher on CCPA and CPRA
But first, what is Proposition 24 and the CPRA? The CPRA represents “Version 2.0” of the California Consumer Privacy Act (CCPA). The CCPA is the United States’ most comprehensive consumer privacy law that gives consumers both the “Right to Know” (i.e. you can find what personal information has collected on you) and the “Right to Say No” (you can say no the sale of your personal data). It also holds businesses accountable for safeguarding consumers’ personal information. It went into effect on January 1, 2020.
The CPRA is a California state ballot initiative that seeks to amend, expand and clarify the existing CCPA law. The ballot initiative collected over 900,000 signatures (more than the population of states like Vermont, Wyoming, etc.) and is on this November’s California ballot as Proposition 24. The CPRA is an uber/omnibus privacy and data protection law, not a separate law, so it truly represents “Version 2.0” of the CCPA. It provides additional rights to consumers (e.g. right to correct personal data, limit use of sensitive personal information such as geolocation data, etc.), adds additional obligations to businesses to better protect consumers’ personal data (e.g. data protection impact analyses must be performed, maintenance of records of processing activity, etc.), but probably most significantly it creates a new regulatory agency to enforce data protection and privacy in California — the California Privacy Protection Agency (PPA) — that will also be able to levy greater fines for misuse of children’s personal data.
My Privacy Background
Before I jump into the reasons for my support, let me first describe my background in privacy. Whether my background makes me an expert on Prop 24 and whose arguments you can trust, I will let you decide. I will add that I am not currently affiliated with any company or entity or group that has any stake in this matter, and certainly no one is paying me to write this, or asked me to write this, so I am writing this as an independent voice.
First off, I agree with many others that privacy is a basic human right. The United Nations’ Declaration of Human Rights (UNDHR) in 1948 had privacy enshrined as Article 12: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence ..”. [I would be remiss to not mention that UNHDR was chaired by one of my heroes, Eleanor Roosevelt]. Taking this as a cue, the Council of Europe adopted the European Convention of Human Rights (ECHR) in 1950, which had very similar language as it relates to privacy: “Everyone has the right to respect for his private and family life, his home and his correspondence.” California even added privacy as an inalienable right to its Constitution in the 1970s.
I am also cognizant of the reality that our personal property is increasingly becoming digitized and stored off our persons and off our premises, i.e. into the cloud. So, as it relates to the US Constitution (which to be clear does not mention the word “privacy”), I do believe, like recent Supreme Court decisions over the last 30 plus years, that our 4th Amendment rights — “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures …” — does give Americans the right to privacy and, furthermore, I believe should also apply to our private “papers and effects” that reside “off premise.” The reality is that it is next to impossible to operate in today’s society in a scenario where are our papers and effects are just physically stored on our persons and/or in our houses, so the advent of cloud computing should not mean we lose our 4th Amendment rights.
Furthermore, my 30+ year professional career here in Silicon Valley has let me see firsthand the massive amounts of data that can be collected and the impact on having that data stolen and compromised. I started my career at Oracle, which is still the leading database company in the world, and witnessed in my role as an on-site database tuning expert the massive amount of data that businesses and governments can collect and the speed that those databases can process and analyze that data.
More recently, as founder and CEO of Centrify, a $100+ million cybersecurity company, I saw how hackers specifically target sensitive personal data, and that better safeguards and regulation of the collection and use by businesses of that data will reduce the cost and number of breaches and the corresponding impact on individuals. This has led me to believe that if us as consumers had more control over who has our most sensitive data and what they can do with it, the less likely that data will be scattered around all over the place and be stolen.
Through my work experience I was also familiar with privacy laws like the EU’s General Data Protection Regulation (GDPR). For example, as CEO of Centrify, we had 1000s of customers (including over 50% of the Fortune 50) that used our solution to help meet privacy legislation like GDPR, HIPAA for US healthcare and GLBA for US financial services, etc. In addition, Centrify ran a cloud service that had servers in data centers and customers in Europe, so my company had to become GDPR compliant itself and was certified under the US Privacy Shield to transfer data to/from Europe.
Finally, after Centrify was acquired and after taking some time off, I decided I wanted to go even deeper in understanding privacy legislation, so I have spent over 100 hours taking 8 online courses in privacy (e.g. “Privacy Law and HIPAA” via UPenn), and also spent probably another 100 plus hours reading and writing on GDPR and CCPA and the proposed CPRA.
So that’s my background on the topic.
Why I am Voting Yes on Prop 24
There are three main reasons I am supportive of Proposition 24:
It gives Californians more privacy rights;
It adds additional obligations to businesses to have them better protect our personal data; and
It provides more enforcement capability to better protect Californians
Let me go into a bit of detail on each one.
Reason #1: Prop 24 gives Californians more privacy rights.
I previously analyzed the CPRA and compared it to existing California law (the CCPA) and the “gold standard” of privacy (the EU’s GDPR). See summary below, but this is what the CPRA gives in terms of net additional privacy rights:
The Right to Correct — what if an application for a good or service is rejected by a business because of bad or incorrect data on you? With the CPRA you will have the right to rectify that data.
The Right to Restrict Processing as well as the Right to Object to Processing — the CPRA adds the right to tell businesses to not share your personal information, building upon the CCPA’s right to not have businesses sell your data.
The Right to Reject Automated Decision Making — the CPRA allows for the creation of regulations to allows consumers to have the right not to be subject to a decision based solely on automated processing, including profiling.
The Right to Limit the Use of Sensitive Personal Information — do we want a business making decisions about us such as approving medical insurance based on data that they buy regarding whether you visited a Cancer treatment center? Or employers making hiring decisions if your location was spotted at an Alcoholics Anonymous or a church or synagogue? The CPRA gives the right to limit the use of sensitive personal information, including your geolocation.
And of course, because CPRA is “Version 2.0” of the CCPA, you do get the rights that you have with CCPA such as Right to be Informed, Right to Access, Right to Delete, etc. As you can see below, the CPRA matches the gold standard GDPR. Net net: the CPRA is a big and very useful upgrade with new privacy features.
Reason #2: Prop 24 adds additional business obligations that better secures and protects our personal data.
The CPRA adds additional requirements on businesses to better protect our personal data that they store and process, thus giving us as citizens more security by reducing the likelihood our data will be stolen or compromised. See the table below a for a comparison of the CPRA vs. CCPA vs. GDPR. Namely the CPRA adds the following business obligations:
Enforces Data Protection by Design and Default — the CPRA adds the requirement that a business shall not collect additional categories of personal data that are "incompatible with the disclosed purpose for which the personal information was collected.” Furthermore, it requires that a business shall not collect this data "for longer than is reasonably necessary for that disclosed purpose" and the "business's collection ... of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed." And it mandates that a business must also "implement reasonable ... procedures and practices appropriate to the nature of the personal information to protect." This is all good stuff, as it forces the business to collect only the personal data they really need and for the time period that they really need it for.
Makes business maintain records of processing activity — the CPRA simply states that if a business collects our most sensitive personal data and/or sells it and/or shares it, they should have a record of that activity. Makes it easier to track where personal data is flowing.
Requires a data protection impact analysis — the CPRA states that if a business collects sensitive personal information, it should have a plan for protecting that data.
To me these are not unreasonable asks. Just like society requires bank to have a set of security standards for their safe deposit boxes, should we not also ask businesses to do the same with our most sensitive personal information that they store? Businesses support CCPA and GDPR, they can support the new features in CPRA. Per the chart below, just like for privacy rights, the CPRA gets us even closer to the gold standard GDPR vis a vis business obligations and helps makes our personal data more safe.
Reason #3: Prop 24 adds additional enforcement to better protect our privacy
The CPRA adds additional enforcement in the form of Privacy Protection Agency (PPA), whose primary mission would be to “protect the fundamental privacy rights of natural persons with respect to the use of their personal information.” Europe through the GDPR has “Supervisory Authority”, while in California we have not such dedicated agency. This will help better protect California consumers.
In addition, the CPRA really puts more teeth into fines for violations involving minors’ personal data as compared to the CCPA.
Furthermore, consumers’ private right of actions have been enhanced with the CPRA vis a vis CCPA, in that it enables a consumer’s private right of action if their “nonencrypted and nonredacted personal information” and “whose email address in combination with a password or security question and answer that would permit access to the account” was “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” So, under the CPRA, a consumer has more rights in terms of private actions.
As you can see form the summary below, again the CPRA puts California on par with the EU and the GDPR with respect to enforcement.
Conclusion
Because I believe privacy is a human right that needs to be extended to the digital world, and that more needs to be done to protect our online privacy (especially the privacy of minors), and combined with the 3 reasons above, I am in support of Prop 24. I also believe it would be great to have a law that gets California on par with the EU’s GDPR and that in turn could act as a spur to a Federal law.
Besides planning to vote yes, and writing this blog, I also recently donated $500 to the group sponsoring the CPRA (Californians for Consumer Privacy), but as I write this I am not affiliated with this or any other group who may have a dog in this fight. I also created a CPRA News account on Twitter as a means to catalogue the various articles published on the CPRA. I created this separate Twitter account so I won't mix and match all this CRPA and CCPA stuff with the sports and political stuff I tend to tweet about on my personal @TomKemp00 twitter account.
So, if you are a California voter, please Vote Yes on Prop 24! If you want to do more, follow the group behind Prop 24 https://twitter.com/caprivacyorg or look to donate at https://www.caprivacy.org/donate/ like I did. Or follow my CPRA news feed at https://twitter.com/yeson24.