Mactaggart: Changing Privacy Rights in Calif. Far From Over

By Terry Collins

California privacy advocate Alastair Mactaggart’s two goals recently leaped major hurdles, but he admits more obstacles still must be jumped to reach the next finish line.

Last month, his Californians for Consumer Privacy (CCP) obtained 931,000 signatures — eclipsing the 685,000 needed — to get his latest initiative, the California Privacy Rights Act (CPRA), on the November ballot.

The initiative would further strengthen the California Consumer Privacy Act (CCPA), which Mactaggart also began and which is being enforced statewide.

Still, he believes the law isn’t tough enough.

If voters approve the latest initiative, CPRA would create a so-called California Privacy Protection Agency (CPPA), which would be outside the purview of the California attorney general’s office.

But CPRA wouldn’t take effect until 2023 — and, similar to CCPA, the latter initiative would be applied to data collected in 2022.

Get all of that?

AG Begins Enforcement

This comes as California Attorney General Xavier Becerra has begun enforcing CCPA, after giving businesses six months to comply.

The homepage of a company’s website now must post a link saying, “Do Not Sell My Personal Information.”

“Remember, it’s your data,” Becerra said in a July 1 announcement of his office’s enforcement. “You now get to control how it’s used or sold.”

Through it all, Mactaggart tries to remain modest, though most signs point to his CPRA initiative likely getting the votes necessary to amend California’s privacy law.

It also could move lawmakers in Washington toward adopting a similar federal privacy law.

“Y’know, it’s never over until it’s really over,” Mactaggart told Digital Privacy News. “I don’t want to jinx things.”

Some Experts Positive

However, Mactaggart seems to be making the right moves on privacy rights, one expert said.

“(Mactaggart) saw the success that he had with CCPA — and he has expressed he wasn’t happy with some of the amendments,” said Caitlin Fennessy of the nonprofit International Association of Privacy Professionals (IAPP).

“He wanted a broader set of privacy rights, more akin to the U.K.’s General Data Protection Regulation,” she added. “Now, he wants more.”

Mactaggart reiterated his belief that a basic human right, privacy, should be protected at all costs. 

“Two years ago, privacy wasn’t an everyday word among opinion-makers, so there was some organized opposition,” he told Digital Privacy News. “This year, you don’t have that.

“I think it’s a riskier bet for companies to try to go against consumer privacy rights.”

Working Toward Compliance

Instead, Mactaggart and Fennessy said organizations appeared to be working to ensure they are complying with CCPA.

But in March, more than two-dozen trade groups, including the California Chamber of Commerce and the Internet Coalition, asked Becerra’s office to delay enforcing the law because of the coronavirus pandemic.

The groups noted that state-issued regulations for the law were not finalized.

Despite the pandemic, the attorney general’s office still prepped for the July 1 enforcement date, sending businesses possible violation warnings and giving them 30 days to fix them or face fines and lawsuits.

“(Becerra’s) not wasting time,” said IAPP’s Fennessy. “That surprises me, because he’s taking really fast action — and it only demonstrates how seriously his office is taking the law.

“As a result, companies are taking notice,” she said. 

Becerra’s enforcement initially will likely focus on the most obvious violations to set an example, said Natasha Amlani, a lawyer at the Perkins Coie firm in Los Angeles, who specializes in CCPA procedures.

She said some companies were “still trying to figure out how to operationalize compliance with the law, particularly since the CCPA’s regulations have been modified several times” before the final version took effect. 

Other businesses may be delayed in complying because of the financial impact of COVID-19, Amlani added.

Lawsuits Pending

In addition, nearly two-dozen lawsuits are pending that mention or reference CCPA. They range from possible data breaches to businesses’ failure to meet the law’s requirements.

“We will definitely see suits that squarely fit within the CCPA’s private right of action, which provides for statutory damages of $100 to $750 per violation,” Amlani said, adding that litigation also will be brought under California’s Unfair Competition Law that was predicated on CCPA violations. 

For Mactaggart, however, it’s full steam ahead to get votes for CPRA on Nov. 3.

“It’s going to get interesting,” he said. 

Terry Collins is a writer based in the San Francisco Bay Area.
