Richmond Times-Dispatch

A Propositio­n too far

- Thomas M. Thomas M. Boyd is a former assistant attorney general, appointed by President Ronald Reagan. He is counsel to the National Business Coalition on E-Commerce and Privacy. Contact him at: TMBoyd@ Venable.com

“[A] single State may serve as a laboratory, and try novel social and economic experiment­s….”

— Justice Louis Brandeis, New State Ice Co. v. Liebmann (1932)

As the most contentiou­s presidenti­al campaign in memory comes to a still-contested close, the ideologica­l paralysis that has typified this Congress has left behind a vacuum. Impatientl­y waiting to fill that vacuum are states like California, unencumber­ed by the inconvenie­nt rancor that often accompanie­s two-party political discourse.

This election, a 56% majority of California­ns adopted Propositio­n 24, a ballot initiative that its supporters claim establishe­s the “strongest online privacy rights in the world.”

Prompted by San Francisco real estate developer Alastair Mactaggart, Propositio­n 24 was a sequel to his 2018 privacy initiative that was handed over to the California legislatur­e in lieu of completing the expensive initiative process. The result was the virtually unanimous legislativ­e adoption of the California Consumer Privacy Act (CCPA).

The CCPA, touted at its passage as the strongest state law in the country, provided a consumers with 1) the right to access personal informatio­n held by businesses about them; 2) the right to have businesses delete that personal informatio­n upon request; and 3) the right to preclude the sale of that informatio­n, better known as the “right to be forgotten.”

Also mandated was the establishm­ent by covered entities of data security systems, accompanie­d by a private right of action if a breach occurred “as a result of” the failure of a business to implement “reasonable security” measures.

California’s attorney general was tasked with rule-making as well as enforcemen­t authority, with the power to bring civil actions for violations of the statute.

This past fall, however, Mactaggart complained that because businesses had begun to lobby the California legislatur­e seeking changes that he believed would “weaken the law,” a new initiative was necessary.

“Unless California voters take action,” he warned, “the hard-fought rights consumers have won could be undermined by big business.”

The result was Propositio­n 24, designed to supplement rather than replace the CCPA. This initiative, which avoided the legislatur­e rather than risk having reason to alter Mactaggart’s vision, creates the California Privacy

Rights and Enforcemen­t Act (CPRA). This, among other things, adds to the CCPA a ban on the sharing of personal informatio­n and the retention of such informatio­n by businesses any longer than is “reasonably necessary.”

The major change, however, is Propositio­n 24’s creation of a new, independen­t stand-alone enforcemen­t agency, called the California Privacy Protection Agency (CPPA), in place of the attorney general. Run by a five-member board, this new agency singularly is empowered to issue regulation­s and engage in administra­tive enforcemen­t.

The CPPA, however, also contains seemingly innocuous language that both is unique and potentiall­y perilous. The five board members who will run the agency are to be appointed by four California officials: The governor will appoint the chair and one other member, and the attorney general, the speaker of the Assembly and the Senate Rules Committee will appoint one each, for a term no longer than eight consecutiv­e years.

So far, so good, but this is where “perilous” comes in. There is no normal third-party confirmati­on or scrutiny of the quality of any of these appointees, with the result that, once appointed, appointees immediatel­y can take office. And once appointed, though, the initiative requires that board members “shall serve at the pleasure of their appointing authority…”

This means that these CPPA members not only can be immediatel­y appointed, without any third-party review, but they can be terminated at will by the official who appointed them.

This unique process, in effect, strips the agency of any independen­ce it otherwise might have and, as a consequenc­e, the eight-year term actually is rendered meaningles­s.

This process potentiall­y allows just two California political officials — the governor and one of the other “appointing authorit[ies]” — to exercise complete control over the CPPA. If the governor and one other official were to work together in concert, for example, they could collude to control a majority of the agency’s five-member board. And if their appointees prove to be too soft on business, or fail to satisfacto­rily prosecute specific companies or industries, it’s possible for them to repeatedly be fired without cause and replaced without confirmati­on until their “appointing authoritie­s” are satisfied with their performanc­e.

This blend of the 2018 law with Propositio­n 24 now has created what Brittany Kaiser, the co-founder of the Own Your Own Data Foundation, has characteri­zed as “the most powerful data protection legislatio­n ever passed in this country,” a measure that former presidenti­al candidate Andrew Yang predicts “will sweep the country” and become a national standard.

Justice Brandeis’ view of states as potential laboratori­es for change was prescient, but one-party states like California have started to redefine the terms.

 ??  ?? Boyd
Boyd

Newspapers in English

Newspapers from USA