On Election Day, Californians chose not only the direction of their government but also the direction of some of the laws that government will administer. With 56% of voters approving it thus far, Proposition 24, also known as the California Privacy Rights Act (CPRA), is on its way to replacing key components of the California Consumer Privacy Act (CCPA), one of the more robust data privacy laws in the country.
While the CPRA is not without controversy, it raises the stakes for non-compliance and encourages businesses, including cryptocurrency exchanges, to take additional steps to respect user privacy. It also has the potential to bring those businesses closer to complying with the General Data Protection Act, the European Union privacy law that goes further than the CPRA.
“The silver lining is that an exchange that has been attempting to achieve compliance under the GDPR (e.g., employing accepted hashing techniques to effectuate data ‘deletions’) could use some of those same measures to demonstrate compliance under the CPRA,” said Steven Blickensderfer, a technology and privacy lawyer at the firm Carlton Fields. “In effect, the CPRA may force exchanges to look globally and think holistically about their privacy compliance, which may not be a bad thing after all.”
The CCPA vs. the CPRA
The CCPA was the first law of its kind in the United States. The law empowers California consumers to know when private companies collect, share or sell their data and to stop that sale if necessary. It applies to companies with annual gross revenue of more than $25 million or that possess information on 50,000 or more consumers.
The CPRA adds additional protections for sensitive data including biometric data, location data and racial data, among others. A new state agency with a budget of $10 million will enforce the law, set to go into effect in 2023. Previously, this task had fallen to the arguably understaffed California Attorney General’s office.
Cryptocurrency and Universal Basic Income advocate Andrew Yang, who ran for U.S. president in the Democratic primary, was the chair of the proposition’s advisory board. He said this could set the bar for other states.
“After this becomes the law in California, I believe other states are going to look up and say, ‘Why do Californians have all these data and privacy rights that we don’t have?’” Yang told ABC7 News. “So, as usual, California could end up leading the way.”
At least one crypto company supported the passage of the law. Kosala Hemachandra, the founder and CEO of Los Angeles-based MyEtherWallet (MEW), said the company is a big proponent of initiatives like Proposition 24, as well as laws that increase data privacy and give people control over how their data is used and distributed.
“An increasingly digital world means that more and more personal data is available for companies to profit off of, and laws like this are a good step towards ensuring user privacy,” said Hemachandra in an email to CoinDesk.
“MEW doesn’t collect data on our users, and we’re against the practice of mass data collection without the proper consent. User privacy will continue to become an increasingly important issue in the days and years to come, and it’ll continue to be a right that we uphold for our users.”
Not a data privacy panacea
The law is not without controversy, however. In a statement released in mid-October, the American Civil Liberties Union and several of its California chapters opposed the proposition.
“Proposition 24 won’t strengthen privacy rights for Californians,” wrote Jacob Snow and Chris Conley of the Northern California ACLU. “Instead, it will undermine protections in current law and increase the burden on people to protect themselves – in ways that will disproportionately harm poor people and people of color.”
The CPRA allows people to manually opt out of data collection, which they would have to do for the relevant digital services they use, placing that burden on the consumer rather than the companies.
In July, the Electronic Frontier Foundation (EFF) wrote about its concerns that the law could result in expanded “pay for privacy” schemes.
“Specifically, the initiative would exempt ‘loyalty clubs’ from the CCPA’s existing limit on businesses charging different prices to consumers who exercise their privacy rights,” wrote Lee Tien, Adam Schwartz and Hayley Tsukayama.
Effectively, this means that companies could charge people more if they asserted their privacy rights. One example of this could be a media company offering a free subscription if customers chose not to exert their rights. Privacy advocates contend this would disproportionately impact low-income consumers.
The impact going forward
Criticism of the law deserves further consideration and action, but Blickensderfer laid out a few benefits to the law when it’s implemented.
“The creation of an agency dedicated to enforcing California’s consumer privacy laws is a potential game-changer,” he said.
One criticism of the CCPA by privacy advocates is the California Attorney General’s office is spread too thin and not in a position to enforce the law effectively, according to Blickensderfer. Having a dedicated privacy watchdog in the U.S. would change that and mirror how privacy is enforced in Europe and other parts of the world.
It also introduces another, more proactive model of enforcement aside from “private causes of action,” he said. A private right of action allows an individual to sue for relief from injuries caused by a violation of a legal requirement, but only if harm or injuries have already occured.
Also, the CPRA brings California a few steps closer to Europe’s GDPR.
“In fact, I would not be surprised if eventually we see efforts made to determine that California is an adequate jurisdiction under the GDPR for purposes of approving cross-border transfers from the European Economic Area to California,” he said.
As CoinDesk has previously reported, in July the Court of Justice of the European Union (CJEU) struck down a key data-sharing agreement between the United States and European Union.
The 2016 agreement, known as the Privacy Shield, let American companies self-certify they are complying with data privacy laws such as the GDPR. The ruling focused in large part on the lack of a federal privacy law in the U.S., and the ways the U.S. security agencies conduct extensive surveillance of individuals including their data.
“That could be a potential boon for business in California, as everyone is still struggling to figure out the legality of such transfers,” said Blickensderfer.
Businesses will have to likely go beyond CCPA compliance and further in the direction of the GDPR to be compliant with CPRA. With 2023 set for implementation, though, there are a couple of years to work this out. But that doesn’t mean there is any reason to delay.
“As in Europe, once enforcement starts the new regulator will likely have little compassion for businesses that have had two years to come into compliance,” said Blickensderfer