CPRA: do I feel lucky?
26 March 2022
The remarkably popular California Privacy Rights Act (CPRA) takes effect on January 1, and that means the California Privacy Protection Agency (CPPA) is coming. But right now, it doesn't look like surveillance marketers are that worried. The agency has a $10 million budget, and that's chump change around here. The Big Tech legal departments and the big Palo Alto law firms probably spend more than that on guacamole.
The CPPA will be able to do a lot per case, but won't have the budget for too many cases. To some extent, they're going to have to rely on uncertainty. As a famous (but fictional) California lawman once said, Did I fire ten million dollars worth of privacy enforcement, or only nine? But being this is the CPRA, the most powerful privacy law in the United States, and would blow your head clean off, you've got to ask yourself one question. Do I feel lucky?
(Maybe I got that movie quote wrong. Need to check it.)
It's not as bad as it looks, though. The new agency doesn't have to deal with a zillion different CPRA violations. All the surveillance marketers did the same Big Tech training. To put it in terms that Big Tech will understand, CPRA enforcement scales. A lot of cases are going to be basically identical because a lot of the violators watched the same growth hacking videos and read the same documentation. The big companies have cleverly shifted a bunch of the CCPA (and soon, CPRA) risks over to the smaller companies. Kind of like how Amazon understands the risks of operating vans on crunch schedules in residential areas, so it offloads those risks on Amazon Delivery Service Partners. That's the safe choice for them from one point of view, but it means that the CCPA/CPRA violator is technically not the big, lawyered-up company. The violator is a small company with a small legal budget, breaking the law in the exact same way as a bunch of other companies.
Big Tech's decision to outsource the legal risks means that CPPA will not have to put a lot of lawyer time into each violation. Just like New York City has a Citizens Air Complaint Program to handle one kind of common pollution violation (idling trucks), the CPPA will be able to do the same complaint over and over. Get the person whose info was misused to fill it in with screenshots and/or attachments, and all the CPPA lawyer has to do is check and sign it.
Here are a few common violations where enforcement will be able to scale quickly.
Using a GDPR workflow to do a CCPA job. Under CCPA, you can opt out of sale of your info. Under GDPR, you can object to processing. Similar concepts, but the details are different. Under GDPR, a company can make people go through an extra ID verification step for an objection. Under CCPA (and soon, CPRA), an opt-out has to be handled without ID verification, unless the recipient has a good-faith, reasonable, and documented belief that it is fraudulent, and puts that in writing to you when you opt out. GDPR compliance doesn't always get you CCPA compliance. Companies have had a couple of years to fix this, but it's still pretty common. Info needed: forwarded email or screenshot of the illegal verification step.
GPC order, followed by sale/share. This is easy to check. Turn on Global Privacy Control in your browser. Order something on the web. Set a reminder to come back later to see if the company transferred (sold or shared) your info to Facebook. Info needed: screenshot of GPC install/activation, screenshot of Facebook Ad Settings.
Inconsistent data. Another good use of Facebook Ad Settings. Many companies default to dumping customer info over to Facebook, without really thinking about it. Then, somehow, some of them leave out the info that went to Facebook when they answer a Right to Know. Easy to spot. Info needed: copy of RtK results, screenshot of Facebook Ad Settings.
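As an added example (not code from the original post), here is how a small site could honour the GPC signal and an opt-out without any ID verification, and keep one transfer record that also feeds its Right to Know answers, so the two can't disagree. The `Sec-GPC: 1` request header is the signal the GPC spec defines; the ledger structure, customer ids and recipient names are assumed for illustration.

```python
"""Opt-out gate plus third-party transfer ledger (illustrative, assumed design)."""
from dataclasses import dataclass, field
from typing import Dict, List


def gpc_opt_out(headers: Dict[str, str]) -> bool:
    """True when the browser sent the Global Privacy Control signal.

    The GPC spec defines the request header "Sec-GPC"; only the exact
    value "1" means opt out. Header names are matched case-insensitively.
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    return lowered.get("sec-gpc") == "1"


@dataclass
class TransferLedger:
    """Single source of truth for opt-outs and for every transfer to a
    third party. Because share() writes here and right_to_know() reads
    here, the RtK answer can't silently omit what went to an ad platform."""
    opted_out: set = field(default_factory=set)      # customer ids that opted out
    transfers: List[dict] = field(default_factory=list)

    def opt_out(self, customer_id: str) -> None:
        # CCPA/CPRA: honour the request as received, no ID verification step.
        self.opted_out.add(customer_id)

    def share(self, customer_id: str, recipient: str,
              fields: List[str], headers: Dict[str, str]) -> bool:
        """Send customer fields to a third party unless an opt-out applies.

        A GPC signal on the request is treated as an opt-out and persisted,
        so later requests without the header are still blocked.
        Returns True if the transfer happened, False if it was blocked.
        """
        if gpc_opt_out(headers):
            self.opt_out(customer_id)
        if customer_id in self.opted_out:
            return False
        self.transfers.append({"customer": customer_id,
                               "recipient": recipient,
                               "fields": list(fields)})
        return True

    def right_to_know(self, customer_id: str) -> List[dict]:
        """Every third-party transfer of this customer's info, for an RtK response."""
        return [t for t in self.transfers if t["customer"] == customer_id]
```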
The Attorney General's office already has a Consumer Privacy Interactive Tool to help you report companies that fail to include the required Do Not Sell My Personal Information link on their web sites. Similar tools will be easy to add for the common violations—so that $10 million will go further than it looks.
Bonus links
Google is forcing everyone to fund Kremlin propaganda right now
I Have a Message for My Russian Friends
Russia’s war hits Yandex, the ‘Google of Russia’
Want to go fight for Ukraine? Here’s what to do.
China's state media buys Meta ads pushing Russia's line on war
Social media turn on Putin, the past master
Five reasons the sanctions are working
Heat Pumps for Peace and Freedom
How an obscure far-right website with 3 employees dominates Facebook in 2022
Innovation is slowing down—and Big Tech is to blame
Google And IAB Europe Are Losing Data Privacy Lawsuits In The EU, But What Does It Mean?