blog: Don Marti


CPRA: do I feel lucky?

26 March 2022

The remarkably popular California Privacy Rights Act (CPRA) takes effect on January 1, and that means the California Privacy Protection Agency (CPPA) is coming. But right now, it doesn't look like surveillance marketers are that worried. The agency has a $10 million budget, and that's chump change around here. The Big Tech legal departments and the big Palo Alto law firms probably spend more than that on guacamole.

The CPPA will be able to do a lot per case, but won't have the budget for too many cases. To some extent, they're going to have to rely on uncertainty. As a famous (but fictional) California lawman once said, Did I fire ten million dollars' worth of privacy enforcement, or only nine? But being this is the CPRA, the most powerful privacy law in the United States, and would blow your head clean off, you've got to ask yourself one question. Do I feel lucky? Maybe I got that movie quote wrong. Need to check it.

It's not as bad as it looks, though. The new agency doesn't have to deal with a zillion different CPRA violations. All the surveillance marketers did the same Big Tech training. To put it in terms that Big Tech will understand, CPRA enforcement scales. A lot of cases are going to be basically identical because a lot of the violators watched the same growth hacking videos and read the same documentation. The big companies have cleverly shifted a bunch of the CCPA (and soon, CPRA) risks over to the smaller companies. Kind of like how Amazon understands the risks of operating vans on crunch schedules in residential areas, and offloads those risks onto Amazon Delivery Service Partners. That's the safe choice for them from one point of view, but it means that the CCPA/CPRA violator is technically not the big, lawyered-up company. The violator is a small company with a small legal budget, breaking the law in exactly the same way as a bunch of other companies.

Big Tech's decision to outsource the legal risks means that CPPA will not have to put a lot of lawyer time into each violation. Just like New York City has a Citizens Air Complaint Program to handle one kind of common pollution violation (idling trucks), the CPPA will be able to do the same complaint over and over. Get the person whose info was misused to fill it in with screenshots and/or attachments, and all the CPPA lawyer has to do is check and sign it.

Here are a few common violations where enforcement will be able to scale quickly.

Using a GDPR workflow to do a CCPA job. Under CCPA, you can opt out of sale of your info. Under GDPR, you can object to processing. Similar concepts, but the details are different. Under GDPR, a company can make people go through an extra ID verification step for an objection. Under CCPA (and soon, CPRA), an opt-out has to be handled without ID verification unless the recipient has a good-faith, reasonable, and documented belief that it is fraudulent, and sends it to you in writing when you opt out. GDPR compliance doesn't always get you CCPA compliance. Companies have had a couple of years to fix this, but it's still pretty common. Info needed: forwarded email or screenshot of the illegal verification step.

GPC order, followed by sale/share. This is easy to check. Turn on Global Privacy Control in your browser. Order something on the web. Set a reminder to come back later to see if the company transferred (sold or shared) your info to Facebook. Info needed: screenshot of GPC install/activation, screenshot of Facebook Ad Settings.
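What the site on the other end of that test is supposed to do with the signal, as an added illustration (not code from this post): Global Privacy Control is sent by the browser as the request header `Sec-GPC: 1`, and a site that honors it has to gate every sale or share of the customer's info on that header. The handler names, the `Order` and `ShareLog` types, the "ad-partner-pixel" destination and the sample requests below are all constructed for the example; only the header name and value come from the GPC specification. The `find_violations` cross-check is the same comparison the screenshot-based complaint makes: an opted-out customer who still shows up in the partner transfers.

```python
"""Honor a Global Privacy Control (GPC) opt-out before sharing order data.

Added example. The header name/value (Sec-GPC: 1) is from the GPC spec;
every other name here (Order, ShareLog, process_order, legacy_process_order,
"ad-partner-pixel") is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Mapping, Sequence, Tuple


def gpc_opt_out(headers: Mapping[str, str]) -> bool:
    """True when the request carries a valid GPC signal.

    HTTP header names are case-insensitive, so normalize before lookup.
    The spec defines exactly one affirmative value, "1"; anything else
    (absent, "0", "true") is not an opt-out and must not be treated as one.
    """
    normalized = {name.lower(): value for name, value in headers.items()}
    return normalized.get("sec-gpc", "").strip() == "1"


@dataclass
class Order:
    email: str
    total_cents: int


@dataclass
class ShareLog:
    """Records every transfer to a third party; stands in for the real pixel call."""
    transfers: List[Dict[str, str]] = field(default_factory=list)

    def send(self, partner: str, payload: Dict[str, str]) -> None:
        self.transfers.append({"partner": partner, **payload})


def process_order(headers: Mapping[str, str], order: Order, log: ShareLog) -> Dict[str, object]:
    """Fulfil the order; forward customer info to the ad partner only if no GPC opt-out."""
    opted_out = gpc_opt_out(headers)
    before = len(log.transfers)
    if not opted_out:
        # Hypothetical partner name; the point is that the call is gated on the signal.
        log.send("ad-partner-pixel", {"em": order.email, "value": str(order.total_cents)})
    return {
        "fulfilled": True,
        "opted_out": opted_out,
        "shared_with": [t["partner"] for t in log.transfers[before:]],
    }


def legacy_process_order(headers: Mapping[str, str], order: Order, log: ShareLog) -> Dict[str, object]:
    """The pattern the post describes: share on every order, never looking at GPC."""
    log.send("ad-partner-pixel", {"em": order.email, "value": str(order.total_cents)})
    return {"fulfilled": True, "opted_out": False, "shared_with": ["ad-partner-pixel"]}


def find_violations(requests: Sequence[Tuple[Mapping[str, str], Order]], log: ShareLog) -> List[str]:
    """Emails that sent GPC on their order but still appear in a third-party transfer."""
    opted_out = {order.email for headers, order in requests if gpc_opt_out(headers)}
    return sorted({t["em"] for t in log.transfers if t["em"] in opted_out})


if __name__ == "__main__":
    # Constructed sample traffic: one GPC-enabled browser, one without.
    sample = [
        ({"Sec-GPC": "1", "User-Agent": "constructed/1.0"}, Order("gpc-user@example.com", 1999)),
        ({"User-Agent": "constructed/1.0"}, Order("other-user@example.com", 500)),
    ]
    legacy_log, fixed_log = ShareLog(), ShareLog()
    for hdrs, ordr in sample:
        legacy_process_order(hdrs, ordr, legacy_log)
        process_order(hdrs, ordr, fixed_log)
    print("legacy handler violations:", find_violations(sample, legacy_log))
    print("gated handler violations: ", find_violations(sample, fixed_log))
```

Note that the gated handler still fulfils the order for an opted-out customer; GPC is an opt-out of sale/share, not a refusal of service, and refusing to sell to people who send the signal would be its own problem.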

Inconsistent data. Another good use of Facebook Ad Settings. Many companies default to dumping customer info over to Facebook, without really thinking about it. Then, somehow, some of them leave out the info that went to Facebook when they answer a Right to Know. Easy to spot. Info needed: copy of RtK results, screenshot of Facebook Ad Settings.

The Attorney General's office already has a Consumer Privacy Interactive Tool to help you report companies that fail to include the required Do Not Sell My Personal Information link on their web sites. Similar tools will be easy to add for the common violations—so that $10 million will go further than it looks.
