First in the Nation: California’s Consumer Privacy Act

Add a comment

Introduction


California became the first state to establish digital privacy protections in 2018. However, it was not a state legislator or the governor who sought to protect their constituents. Instead, a San Francisco resident in real estate named Alastair Mactaggart attempted to employ California’s ballot initiative process to create and harness public support for a data privacy protections. Although the initiative was scheduled to be on the ballot, Mactaggart negotiated with two Democrats in the California Congress in which they proposed AB375, a limited version of the original ballot initiative.

After realizing how much data platforms like Facebook and Google gleaned from our digital lives, Mactaggart began to think their intrusion into our lives needed to be curbed. Eventually, he realized he could make a change. As the New York Times outlines in The Unlikely Activists Who Took On Silicon Valley – and Won:

Silicon Valley had come to transform politics itself…The surveillance capitalists didn’t just sell more deodorant; they had built one of the most powerful tools ever invented for winning elections.

Therefore, the push simply wasn’t going to come from inside the corridors of power. Silicon Valley companies (several of which have begun relocating to Texas) wielded power in the forms of information and money to dissuade politicians on both the state and federal levels from looking too closely at how they were using consumer’s data. Once Google and Facebook (now Meta) discovered the work Mactaggart and Rick Arney had done, they met with representatives from the companies seemingly to find common ground. Facebook, Google, Amazon, and other corporations alternatively formed a nonprofit with each entity donating $200,000 to oppose the ballot initiative called the Committee to Protect California Jobs. The group issued a press release stating the ballot

is unworkable, requiring the internet and business in California to operate differently than the rest of the world…The only real beneficiaries of this measure will be trial lawyers, who will be allowed to sue businesses for violation of the measure even if they cannot prove anyone has been harmed

even though European Union had already passed their General Data Protection Regulation in 2016. Facebook eventually pulled their support from the Committee to Protect California Jobs after Mark Zuckerberg testified before congress concerning Cambridge Analytica. Ultimately, a version of the bill was passed but as Mary Stone Ross laments, it didn’t go far enough. Additional rights were eventually added to the legislation in 2020.

California Consumer Privacy Act of 2018 (CCPA)


The original law provided new rights to Californians. Both the first in the United States as well as providing the strongest protections, the CCPA original main protections are the:
When updated by Proposition 24, the CCPA added two additional rights to the protections enjoyed by Californians. These included the following:
  • Right to Correct
  • Right to Limit
    • An individual may tell a business to limit how they use their sensitive personal data such as your social security number, genetic data, or financial account(s) to name a few
    • As with the right to correct, the framework for this right recently became part of law as of January 1, 2025
The CCPA board is currently in the process of adding an additional right to the body of protections. Automated decision-making technology (ADMT) has currently come under its purview. As a practice, the level of automation (i.e. deficit of human input) varies greatly. The types of activities included under ADMT are resume-screening, facial recognition, and different tools supporting targeted advertising.

While the CCPA does provide a generous umbrella of protections, there are several holes in the safeguards. Residents do not have the right, as other states with privacy bills often do, to opt in for sensitive data processing. Under this protection, an individual has to permit a business to process sensitive data. Placing power in the hands of individuals by having consumers have to opt in to a system is a powerful tool for taking back control of our personal data. Californians are also limited in their “private right to action” thereby curbing their ability to take legal action against an organization who does not adhere to the CCPA.

The other eighteen states (Colorado, Conneticut, Delaware, Indiana, , Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia have many, if not all, of the California protections. We need, however, to have our data privacy rights protected on a national level. As I mentioned previously, attempts were made under the Biden Administration but were removed by executive order. The U.S. Senate Committee on Commerce, Science, & Transportation, chaired by Ted Cruz from Texas, put forth the The American Privacy Rights Act of 2024 to establish uniform national data privacy rights, protect our civil rights, as well as hold companies accountable for inappropriately using or selling our data. Such legislation is a necessary next step for all of our current protections only reference the Federal government and not the many companies scarping the Internet for our data.

Individual states are also starting to draft and pass legislation against questionable use of AI in the private sector. Only three, Colorado, Utah, and California, have passed any type of protections. In my next post, I will discuss the first bill of its kind passed. The European Union has been well ahead of any other government by providing both data and AI.

Leave a comment