On November 4, 2020, the YES on Prop 24 campaign announced the passage of the California Privacy Rights Act (CPRA), with a majority of Californians supporting the measure to strengthen consumer privacy rights. The new law aims to give Californians the strongest online privacy rights in the world, including protecting sensitive personal information, tripling fines against companies that violate kids' data, establishing an enforcement arm for consumers, and making it harder to weaken privacy laws in the future.
But, does the CPRA do enough to advance the data privacy of California consumers? Many security and privacy leaders argue that it does not. Instead, they think, it is a mixed bag of partial steps backwards and forwards. To find out more, we talk to David Bodnick, Chief Technology Officer and co-founder of Startpage, a private search engine.
Security magazine: What is your title and background?
David Bodnick: I am a technical co-founder of Startpage, and have led many of our key privacy engineering initiatives. I also lead WebINTENSIVE Software, a New York City-based organization that engineers secure, scalable and resilient enterprise systems for many large public sector and private-sector organizations. And I founded Expertly.com, a digital operations platform that lets an organization’s experts create and refine processes the way they naturally think, and manage those processes securely, at scale.
Security magazine: Why isn’t the CPRA a privacy panacea?
Bodnick: Pew Research reports that most American adults are concerned about the data that is collected about them, feel they have little or no control over this tracking and profile building, and don’t understand it.
The CPRA creates privacy rights that otherwise would not exist. But there are gaps, large and small, that will prevent most people from benefiting from it.
Most importantly, it requires consumers to “opt out” to avoid the collection and sharing of their personal information. Few will do so. An opt-in model of data processing, which is supported by the Electronic Frontier Foundation, would require businesses to get our consent before they collect, use, share or store our information.
CPRA also allows businesses to charge for that privacy. It is too easy for companies to price this in a prohibitive or unfair way.
Security magazine: Why is it, in your opinion, a mixed bag of partial steps backwards and forwards?
Bodnick: Proposition 24 makes it easier for businesses to only offer privacy to those who are willing to pay an extra fee. This neuters much of the law’s power, and shrinks the number of people who will benefit. The legislation also gives service providers (who process data) more power to combine consumer data sets from multiple businesses or from consumers directly “for any business purpose” defined later by regulators. The adtech industry demonstrates how invasively information aggregators compromise personal privacy.
Additionally, Proposition 24 provides businesses with more latitude to deny a consumer’s request to delete their data. And it halts protection of consumer biometric information afforded under the California Consumer Privacy Act (CCPA) when the business processing a user’s biometric info does not use it to establish or plan to establish an identity with it. This comes at a time in history when the threat of mass surveillance using biometric data has been increasing so rapidly.
Security magazine: Prop 24 would expand “pay for privacy” schemes. Why would pay-for-privacy schemes pressure all Californians to surrender their privacy rights?
Bodnick: It is too easy for “privacy fees” to be set to levels that either prevent most consumers from opting in or that take advantage of consumers who do by charging too much. And California’s economic inequality issues mean these schemes will likely exacerbate such inequalities and lead to what the EFF calls “a society of privacy ‘haves’ and ‘have-nots.’”
Also, few consumers using services that are ordinarily free will accept the tremendous friction of a purchase workflow. And ironically, requiring an online purchase to try to buy privacy may compromise one’s privacy even more by taking away your anonymity.
Security magazine: What is a better solution to the CPRA?
Bodnick: The CPRA is well-intentioned and helpful, but substantial improvements could be achieved through:
- Privacy by default—users should not need to “opt out” in order to prevent their personal information from being collected in the first place, shared, combined, or sold. Web users rarely opt out from default behaviors, so ‘privacy by default’ would dramatically increase the proportion of people who are given the privacy they want.
- Restrict services that combine multiple businesses’ information about you so that a clear and separate opt-in is required.
- Limit businesses’ ability to charge more for a non-private alternative. When there must be an extra cost for a private option, it should not exceed the actual cost for the business to provide it.
- Consumers should be able to sue businesses that violate their privacy rights. Today, they have little recourse and effective enforcement against businesses – often big ones – that breach their trust and privacy.