California’s New (New) Privacy Law: Part Two

Last time, we talked about the passage of the California Privacy Rights Act (CPRA), a ballot referendum that expands and enhances the scope and consequences of CCPA. Today, we’ll look a little deeper into why CPRA is such a big deal, and also why it may simultaneously be the cause of its own undoing.

When a “Sale” isn’t a “Sale”

You may recall that CCPA instituted a new, mandatory button for websites: “Do Not Sell My Data.” This seemingly-innocuous requirement actually has deep roots in the economics of the Internet, in that a huge portion of the financial benefit associated with data comes from selling it for advertising purposes. In fact, CCPA’s origins lie in concerns that the uncontrolled collection and sale of personal information for advertisers was undermining personal rights — a theory behind the GDPR, as well.

The premise is simply that, when a data subject doesn’t want their personal information sold to a third party, they should be able to halt that sale. Of course, this is substantially easier said than done, given that it isn’t typically a one-off sale of a single person’s details to third parties. Data is almost always sold out of the bulk bin, given that information about one particular data subject is unlikely to be valuable enough on its own to warrant a sale. Consequently, identifying that one data…