On election day, Californians chose not only the direction of their government, but also the direction of some of the laws that the government will administer.
With 56% of voters approving it so far, Proposition 24, also known as the California Privacy Rights Act (CPRA), is on its way to replacing the main components of the California Consumer Privacy Act (CCPA), one of the most robust privacy laws in the country.
Although CPRA is not without controversy, it increases the risk of non-compliance and encourages companies, including cryptocurrency exchanges, to take additional steps to respect user privacy. It also has the potential to bring these companies closer to complying with the General Data Protection Regulation (GDPR), the European Union’s privacy law that goes beyond CPRA.
“The silver lining is that a purse that has been trying to achieve compliance under the GDPR (for example, employing accepted hashing techniques to perform data ‘exclusions’) could use some of these same measures to demonstrate compliance under CPRA,” said Steven Blickensderfer, a technology and privacy attorney at Carlton Fields. “In fact, CPRA can force exchanges to look globally and think holistically about their privacy compliance, which may not be a bad thing, after all.”
The CCPA vs. the CPRA
The CCPA was the first such law in the United States. The law enables California consumers to know when private companies collect, share or sell their data and to stop the sale of that data, if necessary. It applies to companies with annual gross revenue of more than $25 million or that have information on 50,000 or more consumers.
CPRA adds additional protections for confidential data, including biometric data, location data and racial data, among others. A new state agency with a budget of $10 million will enforce the law, which is expected to come into force in 2023. Previously, this task was left to the California attorney general’s office, which undoubtedly has few employees.
Andrew Yang, a proponent of cryptocurrency and universal basic income who ran for the US presidency in the Democratic primaries, was chairman of the proposal’s advisory board. He said it could set the standard for other states.
“After this becomes the law in California, I believe other states will look up and say, ‘Why do Californians have all these data and privacy rights that we don’t have?’” Yang told ABC7 News. “So, as always, California could end up leading the way.”
At least one crypto company supported the passage of the law. Kosala Hemachandra, founder and CEO of Los Angeles-based MyEtherWallet (MEW), said the company is a big proponent of initiatives like Proposition 24, as well as laws that increase data privacy and give people control over how their data is used and distributed.
“An increasingly digital world means that more and more personal data is available for companies to profit from, and laws like this are a good step towards ensuring user privacy,” Hemachandra said in an email to CoinDesk.
“MEW does not collect data about our users and we are against the practice of mass data collection without proper consent. User privacy will continue to become an increasingly important issue in the days and years to come, and will continue to be a right that we defend for our users.”
It is not a data privacy panacea
The law is controversial, however. In a statement released in mid-October, the American Civil Liberties Union and several of its chapters in California opposed the proposal.
“Proposition 24 will not strengthen privacy rights for Californians,” wrote Jacob Snow and Chris Conley of ACLU in Northern California. “Instead, it will undermine the protections of the current law and increase the burden on people to protect themselves – in ways that will disproportionately harm the poor and people of color.”
CPRA allows people to manually opt out of data collection, but they would have to do so for each relevant digital service they use, which places the burden on the consumer and not on the companies.
In July, the Electronic Frontier Foundation (EFF) wrote about its concerns that the law could result in expanded “privacy payment” schemes.
“Specifically, the initiative would exempt ‘loyalty clubs’ from the existing CCPA limit for companies that charge different prices to consumers who exercise their privacy rights,” wrote Lee Tien, Adam Schwartz and Hayley Tsukayama.
In effect, this means that companies could charge people more if they claim their privacy rights. An example of this could be a media company offering a free subscription if customers choose not to exercise their rights. Privacy advocates say it would have a disproportionate impact on low-income consumers.
The impact going forward
The criticism of Proposition 24 deserves more consideration and action, but Blickensderfer pointed to some benefits of the law once it is implemented.
“The creation of an agency dedicated to enforcing California consumer privacy laws is a potential game changer,” he said.
One criticism of the CCPA from privacy advocates is that the California attorney general’s office is stretched very thin and is in no position to enforce the law effectively, according to Blickensderfer. Having a watchdog dedicated to privacy in the US would change that and mirror how privacy is enforced in Europe and other parts of the world.
It also presents another, more proactive model of enforcement, in addition to “private causes of action,” he said. A private right of action allows an individual to pursue legal proceedings to obtain relief from injuries caused by the violation of a legal requirement, but only if the damage or injuries have already occurred.
In addition, CPRA brings California closer to Europe’s GDPR.
“In fact, I would not be surprised if, eventually, we saw efforts to determine that California is an appropriate jurisdiction under the GDPR for the purpose of approving international transfers from the European Economic Area to California,” he said.
As CoinDesk previously reported, in July the Court of Justice of the European Union (CJEU) struck down an important data sharing agreement between the United States and the European Union.
The 2016 agreement, known as Privacy Shield, allowed American companies to self-certify that they are in compliance with data privacy laws, such as the GDPR. The decision focused largely on the lack of a federal privacy law in the United States and the ways in which United States security agencies conduct extensive surveillance of individuals, including their data.
“This could be a potential benefit for businesses in California, as everyone is still struggling to discover the legality of such transfers,” said Blickensderfer.
Companies are likely to have to move beyond CCPA compliance and further toward GDPR to comply with CPRA. With implementation set for 2023, however, there are still a few years to go. But that does not mean there is reason to delay.
“As in Europe, once the inspection begins, the new regulator is likely to have little compassion for companies that have had two years to comply,” said Blickensderfer.