How the California Privacy Protection Agency Can Better Protect Consumers
With the passage of Proposition 24 (aka the California Privacy Rights Act aka the CPRA aka “V2” of the California Consumer Privacy Act), the California Privacy Protection Agency (PPA) was created. Designed to be an “independent watchdog” for protecting consumer privacy, the mission of the PPA per Prop 24 is to “ensure that businesses and consumers are well-informed about their rights and obligations” and that the PPA “should vigorously enforce the law against businesses that violate consumers’ privacy rights.”
This blog post will explore the core challenge I see facing the PPA, which is: how can a small $10m/year agency with 50 people scale itself to effectively protect the privacy rights of 40 million Californians against the most powerful companies the world has ever seen, whose business models are predicated on surveilling and processing the personal information of those 40 million people? Especially given that comparable government agencies (e.g., European Data Protection Agencies, the Federal Trade Commission, etc.) have been mere speed bumps to Big Tech as the problems associated with consumer privacy have arguably gotten worse (e.g., recent exposés on the harm caused by Instagram on teen girls, the tracking and selling of your location, bias in mortgage-approval algorithms, dark patterns, etc.).
Before we dive into this, let’s first get an update on where things stand with the PPA.
The Good News.
With the creation of the PPA, we now have the first ever dedicated agency in the US for Privacy! In terms of PPA’s progress to date, a 5-member agency board is in place, initial board meetings have occurred, the PPA web site is up and running, an Executive Director has been named and a request for public comments about CPRA regulations has gone out.
And the agency has some teeth — the PPA is tasked with performing 12 functions involving CPRA enforcement, regulation and awareness (which I will refer to as the PPA’s “three legged stool”) — with a budget to implement those functions. The PPA annual budget is $10 million, which is 2.2 times the budget that the California Attorney General (Cal AG) currently provides for regulation, enforcement and awareness around the California Consumer Privacy Act (aka CCPA, which the CPRA supersedes).
In terms of headcount, the Cal AG budget calls for 23 people doing CCPA work, so multiplying the Cal AG headcount by the 2.2 increase in budget for the CPRA would in theory allow the PPA to hire over 50 people. This would be more than the approximately 40 people that the Federal Trade Commission (FTC) has working on consumer privacy protection for the entire US.
Finally, we have a strong expert and advocate for consumer privacy in the Executive Director role with the appointment of Ashkan Soltani.
The Not as Good News.
The staffing and budget of the PPA pale in comparison to European Data Protection Agencies (DPAs). Ashkan Soltani recently testified to the US Senate that the German DPA has 745 staff and France has nearly 200 staff. In defense of the backers of Prop 24, they no doubt felt that $10m was the Goldilocks number in terms of being enough to have meaningful impact (2.2x greater than the current amount of money being spent by the Cal AG on CCPA, more people than the FTC deploys for consumer privacy, etc.) but not so much that it would scare away voters as being too expensive or creating a large government bureaucracy. Of course, the California legislature could always vote to spend more in this area, but that is not likely to be considered for a few years while the PPA ramps up.
Now granted, unlike European DPAs, the PPA also does not include Data Protection (e.g. breach notification) and Data Broker regulation under its purview, but nonetheless the PPA has comparatively less privacy-focused headcount than European counterparts. [Side note: I have called for data breach notification and the data broker registry to be consolidated under the PPA to morph it into a broader DPA-like agency.]
In terms of stuff the PPA can control, I do think the PPA has had a slow start out of the blocks, in that it took 7 months after the PPA board was in place to finally have the ED hired, meaning that 7 months into the PPA they now just have a full-time dedicated staff of … 1 person. And per this CPRA timeline, there are several large looming deadlines regarding the CPRA Regulations that are due in the near future, and it would have been nice if the PPA had made earlier progress on this front.
So, it will be a massive scramble to get the agency staffed and the regulation work done. It appears that the team will be built through a combination of direct hires (where there is unfortunately only one current open job post), getting the Cal AG to temporarily provide staffing (which the law calls for and it appears that has not yet happened), and through the PPA getting supplemental staffing via State Government retirees pitching in. [Update 10/15/21: a few staff attorneys finally appear to be on loan to help.]
Finally, while PPA’s enforcement role does not kick in until 2023, I have a concern that the PPA is so “behind the 8 ball” vis-à-vis the Regulations that it may lead them to forget or give short shrift to the third leg of the PPA stool — awareness. More on that later.
The Core Challenge the PPA Faces.
Irrespective of the good and not so good news regarding the first 7 months of the PPA’s existence, a big fundamental issue still looms over the PPA. Namely, how can the Cal PPA — a small $10m/year agency staffed with 50–60 personnel — scale itself to effectively protect the privacy rights of 40 million Californians against the most powerful companies the world has ever seen, whose business models are predicated on surveilling and processing the personal information of those 40 million people? Especially given that comparable government agencies (e.g., European Data Protection Agencies, the Federal Trade Commission, etc.) have been mere speed bumps to Big Tech as the problems associated with consumer privacy have arguably gotten worse (e.g., recent exposés on the harm caused by Instagram on teen girls, the tracking and selling of your location, bias in mortgage-approval algorithms, dark patterns, etc.).
In other words, if the PPA goes about doing privacy protection the same way the European DPAs are doing it (and they in fact have greater staff), then while the PPA will certainly add some incremental value, it likely won’t make a fundamental change in the protection of consumer privacy here in California. People often use the quote “the definition of insanity is doing the same thing over and over again and expecting a different result.” Can the PPA do something different to be more impactful to better protect Californians’ privacy rights?
Considering Traditional Options.
When people look at an independent privacy watchdog’s three-legged stool of enforcement, regulation and awareness, there is a natural tendency to want and ask for more money for all three. The reality is that Cal PPA is not going to get more money any time before the law fully kicks in and is enforced, so we are talking about the second half of 2023. And even then, there will probably have to be a significant event to cause more money to be thrown at the PPA.
People may then consider having tighter and tougher regulations put in place by the PPA as the difference maker in making the PPA more impactful. I do agree that there is an opportunity to add better and more comprehensive regulations, especially in the areas of dark patterns, automated decision making and profiling, and support for Global Privacy Control. But the CPRA Regulations must strike a balance between protecting Californians and not ruining the California innovation economy (i.e., not onerous), so regulations can only go so far.
Furthermore, the regulations are only as good as the enforcement. Per the Cal AG budget, the Cal AG only has 2 Program Analysts focusing on consumer complaints about businesses violating the CCPA. So even though the PPA has 2x the budget, adopting a similar staffing model and growing that Program Analyst team from 2 to 4 is probably not going to cut it.
Crowd Sourcing Enforcement and Awareness.
So, I do think the PPA needs to find creative ways to be impactful. One idea is to really engage the people of California in its mission. The reality is that over 9 million voted for Prop 24 in November 2020 which means that people here in California clearly want more privacy protection. By being created through the passage of a ballot initiative, the PPA has a clear mandate, and the people of California will want it to be successful. Therefore, the PPA should leverage that groundswell desire for more privacy protections and try to engage and leverage the people of California in helping make the CPRA a success. Big Tech firms like Facebook have over 60,000 employees and probably more people assigned to changing lightbulbs than the PPA has staff. But the PPA can and should tap into 40 million Californians.
While there will be public comment on the regulations, the areas where the PPA can really get leverage through the “power of crowds” (i.e., the people of California) are in the areas of enforcement and awareness. The PPA should engage the people of California in the form of Public Service Announcements (PSAs) that give Californians the call to action to help enforce the law by identifying businesses that violate the law, as well as encourage Californians to evangelize to each other their privacy rights (e.g., right to say no to the selling of personal information).
When it comes to the “crowd sourcing” of enforcement, Californians should be encouraged via PSAs to report their privacy rights being violated by businesses. The Cal AG has in fact created a “Version 1” reporting tool called the Consumer Privacy Interactive Tool that provides the ability for Californians to report violations, but it is limited to drafting notices to businesses that do not post an easy-to-find “Do not Sell My Personal Information” link on their website. This tool should be greatly enhanced to be more consumer friendly and factor in other privacy rights afforded under the CCPA (and eventually CPRA). It should act as the “call to action” in the PSAs to empower Californians to flag that their privacy rights are being violated. These violations can be flipped over to the Cal AG until the PPA takes over enforcement duties in 2023.
Furthermore, for more complex and impactful violations (e.g., beyond simple lack of Do Not Sell buttons or a business ignoring a consumer’s request to correct etc.) that may take significant research, such as the detection of Dark Patterns, the violations of children’s privacy or discriminatory use of algorithms, there should also be a “Privacy Bug Bounty” program put in place. This would broaden who would be finding and reporting violators, provide an incentive to root these out, provide a workflow and reporting system, as well as provide a feedback system to those reporting problems. It would be open not only to California residents but also to others who would want to help the PPA find businesses that are violating the law and corresponding regulations. This could be funded by a portion of fines paid out by companies. For more information on a bug bounty system and how it is used, check out this article, and then imagine that, instead of bugs being reported, privacy violations are being reported.
As it relates to “crowd sourcing” for awareness, the PSAs also should encourage Californians to educate other Californians on their privacy rights. The reality is that the law is only going to be as effective as the number of people knowing and exercising their rights. The PPA should experiment and see if they can “Game-ify” the knowledge of privacy rights that Californians have and also try to get the messaging to go viral. And the PPA should also do annual surveys to get a feel for whether Californians are increasingly exercising their privacy rights under CCPA/CPRA. Finally, the PPA website should be chock-full of helpful videos and content for Californians to learn more about their privacy rights and how to exercise them.
Spend for Awareness Now.
The fact that the PPA is understaffed and will focus its hiring efforts mainly on the drafting of Regulation opens up an opportunity. The PPA fiscal year ends June 30th, and given that here we are in October, and they only have 1 full-time and dedicated employee associated directly with the PPA and only one open job posting, that means it will be a slow ramp from a hiring and spend perspective. So, I would guesstimate that this fiscal year the PPA will only at most spend $2 million of its budget. It is likely that if the PPA does not spend the remaining $8 million this fiscal year, that money will not be able to be carried over.
My concern is the PPA is so behind on Regulations that they will solely focus on that. They need to multi-task by looking to significantly enhance the Consumer Privacy Interactive Tool and promote the heck out of it with PSAs, as well as provide helpful and consumer-friendly supporting content and videos on their website. And doing this type of campaign can be easily outsourced to a third party so the burden of hiring is not added to the PPA.
And given that enforcement does not start until July of 2023, there should also be a significant amount of money available next Fiscal Year (July 2022 to June 2023) for awareness as well. I would estimate that amount would likely be in the $5 million range in the fiscal year running July 2022 to June 2023. So, what I am proposing is that the PPA has $13 million to spend on awareness over the next 1.5 years in the form of an advanced consumer reporting tool and Public Service Announcements that drive Californians to the tool. That type of money can have a major impact on people knowing and exercising their privacy rights, get the people of California behind the CPRA, and act as a counter to the size and might of Big Tech firms who may not want Californians to fully exercise privacy rights or have their bad privacy practices rooted out by researchers.
The reality is that if the PPA does not “go big or go home” now with awareness and utilize the money available in light of the lack of staffing and not having to do enforcement until July of 2023, then holding off until later means the budget for awareness will be minimal, and by then they may have lost the opportunity to leverage the people of California in a crowd-sourced manner. And if Californians are not passionate about the PPA and its mission, or see it as being ineffective, then it will make it more likely for California politicians to not object if a Federal privacy law is proposed that preempts State law and kills the CPRA and PPA.
The point of this blog post is that taking the same old approach by a privacy watchdog agency may not work. For example, one could argue that the record FTC fine of Facebook to the tune of $5 billion did not move the needle vis-à-vis Facebook’s privacy practices. So, the PPA needs to find creative ways to be able to scale well beyond its budget and headcount to be on a more equal footing against Big Tech firms that are not adhering to the law. Leveraging and educating Californians is the best way to ensure the CPRA and the PPA are a success, as well as fully taking advantage of what the law allows the PPA to spend.