A Roadmap for California Privacy and Data Security

California Proposition 24 (aka the California Privacy Rights Act of 2020 or CPRA) resoundingly passed this past November with over 9.3 million votes — the 7th most votes for any candidate or initiative in any State election in US history. The CPRA represents the most significant and comprehensive privacy legislation ever passed in the United States and gets California on par with the gold standard of consumer privacy protection laws — Europe’s General Data Protection Regulation (GDPR). CPRA provides additional rights to consumers (e.g. right to correct personal data, limit use of sensitive personal information such as precise geolocation, etc.), adds additional obligations to businesses to better protect and secure consumers’ personal data, and creates a new regulatory agency to enforce data protection and privacy in California — the California Privacy Protection Agency (CalPPA).

The fact that the 9.3 million “Yes on Prop 24” voters would collectively represent the 11th most populous state in the US strongly suggests there is an overwhelming desire for European-level privacy rights and also holding businesses more accountable for data security breaches.

So, now that Prop 24 has passed, what should California do next vis a vis privacy and data security? This is an important question given:

• Recent headlines (e.g. the massive SolarWinds hack impacting over 18,000 organizations and the anti-trust lawsuits against Big Tech firms that calls into question how these firms profit from the processing and sale of our personal data) clearly show that there is much more work that needs to be done in the areas of privacy and data security legislation. i.e. we can’t rest on the laurels of passing Prop 24 as Californians’ personal data and the fundamental right to privacy is still very much at-risk from both corporations and malicious actors — especially as technology rapidly evolves; and
• California, with the 5th largest economy in the world and having 1 in 8 Americans living here, sets the standard for the nation when it comes to consumer protection (e.g. automobile emission standards), and therefore is in a unique position to influence the national agenda when it comes to both privacy and cybersecurity.

As someone for over 14 years was the founder and CEO of cybersecurity firm, who has researched and written extensively on privacy legislation in my blog, and who recently worked a few months as a full-time volunteer on the Yes on Prop 24 campaign, I figured I would put forth a 2021 roadmap for California lawmakers and regulators that would aim to further protect privacy and data security.

Executive Summary of Proposed Roadmap

The mandate of the California Privacy Protection Agency (CalPPA) — the enforcement and regulatory agency created by Prop 24 — should be broadened to take ownership of the regulation of data brokers as well as be the lead on data breach notification. The regulation of data brokers and the management of breach notification and reporting currently resides with the California Attorney General, but so much more can be done both from a regulation and enforcement perspective in these areas and it is more synergistic to have those functions be part of the CalPPA.

In addition, consumers should have a single website to know if their personal data has been caught up in a data breach. In addition, California should make it significantly easier for consumers in a single click to tell businesses to not sell or share their personal data. Therefore, I am proposing California should also task the CalPPA to implement a centralized “Have I Been Breached” web page as well as a “Do Not Sell or Share My Info” registry.

Finally, I am proposing that whistleblower protections vis a vis California’s privacy, data breach notification and data broker registration laws should also be passed into law.

Now on to the nitty-gritty roadmap items …

#1 Transfer regulation of Data Brokers to the CalPPA

A fair amount of consumers’ privacy concerns involves entities known as data brokers who collect and sell personal data to third parties. One of the larger data brokers, Acxiom advertises it has data on 2.5 billion “addressable consumers” that represents “68% of the world’s digital population” across 60+ countries, and further claims they may have collected up to 10,000 attributes per person.

In October of 2019 California passed AB 1202 that requires “data brokers to register with, and provide certain information to, the Attorney General” and in turn the Cal AG office would provide a website that lists all the registered data brokers. There is a nominal penalty of $100 per day for failure to register. The intent of the law is “to further Californians’ right to privacy by giving consumers an additional tool to help control the collection and sale of their personal information by requiring data brokers to register annually with the Attorney General and provide information about how consumers may opt out of the sale of their personal information.” It went into effect on January 1, 2020.

In light that regulation of California’s privacy law has been transferred over to the CalPPA from the Cal AG, and AB 1202 is about furthering Californians’ right to privacy vis a vis the usage of personal data (and in fact directly points to the definition of “personal information” in the CCPA that has been updated by CPRA), it makes sense to move the registration of data brokers over to the CalPPA from the Cal AG.

Furthermore, it appears this law needs more teeth to get more data brokers to register. The Cal AG determined per this document that the number of data brokers worldwide was 4,000 and projected that 1,000 would register with California. Yet nearly a year into the law only 414 data brokers have registered with the State per the Cal AG data broker registry website, or 41% of projected and 10% of the actual number of worldwide brokers, so maybe further carrots and sticks are needed to get more registrations.

Even more significant, while the Cal AG requires each data broker to provide answers to how a consumer may opt of the sale of their personal information and how the consumer can demand deletion of their personal information (i.e. two of the key data subject rights under the CCPA), many data brokers give either vague and/or non-helpful answers (“through a link on our website”) and/or even ignore the questions. In fact, Consumer Reports asked volunteers to exercise their CCPA data subject rights with a variety of data brokers and many consumers found it be a “scavenger hunt” including the fact that there is no consistency amongst data brokers on how a consumer would go about exercising your data subject rights. The reality is that it takes dozens of hours to have one’s personal deleted from just a handful of data brokers’ databases and it may take weeks or months for the deletion to finally occur.

In addition, the only other state that has a data broker law is Vermont and they ask important questions of data brokers that California does not ask about, such as has the data broker been breached and if the broker collects data of minors — information that would be of significant interest to California consumers.

Therefore having the management and adding the corresponding regulation of data brokers under CalPPA would (a) result in higher levels of registration by data brokers; (b) provide a more consistent, stream-lined and easier way for consumers to exercise their data subject rights, including the new rights under CPRA such as right to correct and limit use of sensitive personal information such as precise geolocation; and © provide additional insight for consumers regarding what data the data brokers are collecting and if they have been breached.

A simple global search and replace of Cal AG for CalPPA here in the law would do the trick to make this happen. I would also suggest bumping up the fines for non-registration to say $200 from $100 per day to further motivate registrations. Finally, I would also add a sentence to the Data Brokers law that the CalPPA shall solicit broad public participation and adopt regulations to further the purposes of this law, as having the ability to create regulations could help keep up with rapid changes in technology.

#2 Harmonize the definition of personal data between California’s Data Breach Notification Law (DBNL) and the CRPA

As I discussed in this blog post, in the US we now have 50 different State-level data breach notification laws. But there is significant inconsistency between the State laws in terms of what constitutes a breach, if and when consumers get notified, what is the penalty for not disclosing, what information about the breach does a company provide to regulators and consumers, etc.

I have advocated for a national data breach notification law, and I am not the only one. Recently, Alex Stamos (ex-Facebook Chief Security Officer) wrote this in an editorial in the Washington Post describing what needs to be done in the wake of the SolarWinds breach:

“Let’s make sure Congress passes a federal data breach law that covers the thousands of secret breaches that occur every year but aren’t publicly discussed. … Our society can’t respond to the overall risk as long as we’re discussing only a fraction of the significant security failures.”

Based on policy work I did over the fall for various Federal candidates, I don’t see an appreciation for a national data breach notification law like I do for a national privacy law. Which is really too bad, as we need better visibility into the size, scope, and nature of the hacking we are facing. It is crazy that the Federal government tracks hurricanes, pigs, shark attacks, etc. but we don’t accurately track cyberattacks that are costing the economy billions of dollars and endangering consumers and businesses. Furthermore, it appears based on my research from the Spring of 2020 that many businesses are not reporting their breaches even to the State of California that actually has one of the more broader State laws. This means consumers are often blind to the fact that their personal data has been stolen and therefore are at higher risk of identity theft, draining of their bank accounts etc.

One thing California could easily do is update the California Data Breach Notification law (CalDBNL) to simply point to the definition of personal information found in the CPRA ala what the Data Broker Registry law does. The CalDBNL has a much narrower definition of personal information and does not reflect a more up-to-date view of personal information that the newly passed CPRA reflects, e.g. it misses items in the CPRA definition of personal information such as internet activity information and commercial information such as purchasing histories, as well as “sensitive personal information” including genetic information and email and text messages.

Having consistency on what constitutes personal information would be helpful to businesses. It would also advantage consumers in that businesses would find less loopholes regarding if a breach should be reported or not, that in theory should increase the number of reported breaches to reflect the reality of the problem. This of course assumes businesses are motivated to report their breaches, which is addressed by my next suggestion.

#3 Move enforcement and regulation of the CalDBNL under the CalPPA

The CalPPA has responsibility for enforcing and regulating whether “a business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.” Given that breaches are typically about the theft of personal information (except in the case of the theft of trade secrets) and a breach is a key indicator if a business is implementing proper security procedures or not, it better fulfills the intent of the CPRA for the regulators of these inter-related matters to be one and the same.

Europe’s GDPR requires businesses to report breaches to their country’s “supervisory authority” (an EU member state’s regulatory agency akin to California’s PPA), so having breach notification under CalPPA would further harmonize CPRA and GDPR. Point is this is standard operating procedures for countries that have a privacy law.

In addition, the Cal AG office stopped publishing annual breach reports in 2016, so it appears that their focus is not as much on this issue compared to other issues that they are dealing with. Furthermore, it makes it harder for businesses to “hide the ball” when it comes to reporting breaches if they are dealing with a more well-funded agency than the resources being put into privacy in the Cal AG office.

All that is required to make this happen is a single replacement of the words “Attorney General” for “CalPPA” in the CalDBNL. I would throw in a sentence that the CalPPA shall solicit broad public participation and adopt regulations to further the purposes of this law, thus making it easier for breach notification reporting rules to evolve more quickly and be strengthened to ensure compliance.

#4 Create a centralized “Have I Been Breached” system

While in theory businesses will follow the CalDBNL and send their customers letters or emails informing them of a breach, that notification is a one-time event and consumers may initially disregard that communication and/or the communication may get lost in a spam filter etc. Or they may lose track that their data was breached in the past, and the impact of that breach may surface a year or so later.

The reality is that consumers have no centralized place to determine if their personal data was caught in reported breaches across a wide spectrum of businesses. i.e. they are not likely to spend hours looking at 100s of rows of company names who reported to the Cal AG that they were hacked, and even if they do, consumers may not easily match the listed company names to the names of popular web services that the consumers use.

Now there are websites like https://haveibeenpwned.com/ that can help consumers determine if their email address was caught up in a breach, but these websites only tell if your hacked data was subsequently found on the dark web (which may not happen if the hacker does not release or share the data with other hackers). And it only reflects as of 12/26/20 the personal data found in 486 breaches, which equals only about 1.5 years of reported breaches reported to the Cal AG office. i.e. the 486 is a subset of reported breaches to the State of California, and as I have proposed above, more carrots and sticks are needed for better and more accurate reporting.

My proposal is the CalPPA sets up a web page where consumers can simply enter their email address and in doing so they will then get an email response telling them if their account was caught up in any of the breaches that were reported to the State (per the current law, this would apply to breaches involving > 500 California residents).

To make this happen, the CalPPA would require if a company has been breached and the breach meets the notification requirements per the CalDBNL, the business must also set up a web service that would return true or false if a submitted email address was part of the breach of the business. The web service would only be accessible by a secure communication (i.e. API call) from the CalPPA web site, so this would protect against others trying to get customer addresses from the affected business. This implementation also means that the business maintains and owns its customer data (i.e. it does not upload its breached customer database to CalPPA). If the business does not want to maintain the web service, the breached business can tell the CalPPA that it is using a trusted third party that is hosting the web service on their behalf.

So in the end what this means that once a consumer enters in their email address on a page on the CalPPA website, the CalPPA web site makes a web service call to each and every business who has reported a breach to the State, and then summarizes the results and sends an email to the email address if any of businesses reported true for that account. The email could also send a supplied link to the business’ web site from where the consumer can get more information.

In addition, the CalPPA web site could also further make programmatic calls to https://haveibeenpwned.com/ and other similar websites to help the consumer determine if their email address was caught up in a non-reported breach.

In the end, this would give consumers the easiest and best visibility in the world if their personal data was hacked in a reported and/or unreported breach — simply go to a website and put in their email address and an hour or so later get a report via email with corresponding links if their data was caught up in a hack.

#5 Implement a Do Not Sell or Share Registry

One of the current criticisms of opt-out privacy laws like the CPRA is that it forces consumers to have to go to each and every website and tell the business to “Do Not Sell or Share My Personal Information” (“Do Not Share” was added via the CPRA from the “Do Not Sell” that CCPA offers). CPRA also adds the ability for consumers to tell businesses to limit use of their sensitive personal data. Critics have called this “privacy paperwork” and claim this would put a burden on consumers to spend all the time requesting opt-outs OR would not want to potentially pay for a third-party removal service who would act as an “authorized agent” on their behalf.

A solution does exist with the concept of Global Privacy Control (GPC). As noted by Wired:

“the [CCPA] regulations interpreting the law specify that businesses must respect a “global privacy control” sent by a browser or device. The idea is that instead of having to change privacy settings every time you visit a new site or use a new app, you could set your preference once, on your phone or in a browser extension, and be done with it.”

This has also been carried further by the CPRA, but the issue with GPC is that businesses and/or browsers may not adopt this technology, or consumers may not know how to turn it on as a browser option or mobile setting.

My proposal is a “Do Not Sell or Share My Personal Data” registry modeled after the Federal Trade Commission’s (FTC) “Do Not Call” registry. Note the “Do Not Call” registry has been challenged in court and found to be Constitutional, so a “Do Not Sell or Share My Personal Data” would also fair well to any challenges.

As I wrote in this blog post proposing this, the way it works is simple for consumers: they visit a CalPPA “Do Not Sell or Share My Personal Data” web page, put in their email address, and get a verification email in their inbox (note other personal identifiers could be added). The CalPPA then maintains this database/registry of consumers who don’t want their data sold or shared.

Therefore, when a data broker registers with California (i.e. with the Cal AG, or as I proposed above, the CalPPA) they are then given an Application Programming Interface (API) that makes requests to the registry. This will require the data broker to use the API to determine if there are any matches to registry before they plan to sell or share personal information. i.e. any flagged matches and corresponding records cannot be sold or shared. Compliance can be checked by adding to the registry “honeypot data” to sniff and test out violations.

Thus consumers get a simple (and free!) one-stop shopping to stop the sale of their personal data — a quick win vs. having to play “whack-a-mole” and contact 100s if not 1000s of businesses to stop the sale of their personal data OR pay for a third-party service. i.e. it reduces the “privacy paperwork” concern. This type of proposal has come up before, e.g. Senator Hawley proposed a national Do Not Track Registry, but California could be in a unique situation to implement this given it requires registration by data brokers.

#6 Add Whistleblower Protection for Privacy and Cybersecurity Issues

Various proposed federal privacy legislation has put forth whistleblower protection language as part of their proposed bills (e.g. see Senators Cantwell’s and Wicker’s bills), and I would add the same for California’s data broker registration, data breach notification and privacy legislation. This would mean that any employee or contractor of a business who voluntarily provides to the CalPPA original information relating to noncompliance with, or any violation or alleged violation of, these California laws would get appropriate protection. I think this would motivate further compliance to the law and further protect consumers.

I have a few more other roadmap items, but this blog post is getting a bit long and I already suggested 6, so will hold off on more suggestions for now. In my next blog post I will provide some suggestions for the CalPPA outside of these roadmap items.