In BigIDeas on the Go, Mary Stone Ross, co-author of the California Consumer Privacy Act (CCPA) and former President of Californians for Consumer Privacy, talks about how she came into the privacy space from “the opposite side” as a counterintelligence analyst to the CIA.
A “Terrifying” Problem to Solve
In a pre-Cambridge Analytica world, the popular sentiment vis-a-vis data privacy boiled down to: “If you want to keep something private, then just don’t put it out on the internet.”
Once introduced to the privacy space—and armed with a background in policy and law—Ross “started digging in and trying to figure out, is there even an issue here? Is there a problem we’re trying to solve?”
As a former member of the House Intelligence Committee that helped oversee the NSA wiretapping program that Edward Snowden later leaked, Ross had unique insight into what that problem might be.
“We truthfully weren’t that concerned about it,” Ross says of the program at the time. “There were quite a few oversight mechanisms in place to check the use of that information and make sure it didn’t go too far.”
From Ross’s perspective, many resounding issues came down to oversight. “When I started doing research and seeing how much information these big companies were collecting and the granularity of detail, it really terrified me. And as I started seeing how much information—things like health information and precise geolocation information—was out there, and how nobody had oversight into it or how it was being used, I knew that was the problem we needed to solve.”
From Privacy Advocate to CCPA Shareholder
Ross started research for CCPA in 2016. “You hear all the time, ‘Oh, it was passed in a week—it was written in a week!’ And that couldn’t be further from the truth.”
Working hand-in-hand with the ACLU, EFF, and multiple privacy organizations, “we really were trying to be thoughtful and approach things in a different way.”
CCPA started as a Freedom of Information Act for private companies. “The idea was, you could go to any business and say, ‘What do you know about me?’ and they would have to tell you.
“Even for people who maybe aren’t interested or don’t have the time to do these things, it’s a check on these businesses…. If they have to disclose in plain language what they’re collecting and what they’re doing with that information, it becomes a soft-powered check. Maybe there are certain types of information they don’t want to collect because they wouldn’t want it to come out in public.”
CCPA: What Worked?
From consumers’ rights over their data to disclosure requirements for companies, CCPA established important regulations.
“What you don’t see behind the scenes is that there are a lot of businesses that for the first time thought about, ‘What information are we collecting about people?’” Organizations started mapping their data and improving their internal processes—not only for regulators, but for their public image.
Under CCPA, companies had to consider: What information do we have? Do we need it? And, if not, should we get rid of it? “That was a huge triumph,” says Ross.
CCPA: What Didn’t Work?
In Ross’s view, enforcement under CCPA suffered from legislative compromises that stripped individuals and officials of the right to bring legal action against non-compliant organizations.
“In the initiative, we had very robust enforcement. We allowed for a private right of action, meaning that any individual who was harmed by a violation of the CCPA could bring suit. That was eliminated.”
District attorneys, city attorneys, and city prosecutors also no longer have the right to initiate legal action—only the California Attorney General. “I think the world of Attorney General [Xavier] Becerra and the people in his office who have really sent very clear signals that they intend to enforce this law and intend to enforce it seriously,” says Ross.
The problem is, the AG has limited resources. Very limited—enough for about three enforcement actions per year. The result is that many businesses do the bare minimum, playing the odds and assuming they will not be one of those three.
Will CPRA Solve the “Enforcement Problem?”
While the latest privacy initiative out of California, the California Privacy Rights Act (CPRA), seeks to put “real teeth” behind CCPA by establishing a new agency dedicated to enforcement, Ross has reservations.
“I think it’s great to have a new California data protection agency,” says Ross, “but the way the new initiative is written, the budget is capped at $10 million per year.”
By contrast, “the FTC’s budget is over $300 million per year, and everybody agrees that’s not enough money for them to bring all the enforcement actions they need to bring. So $10 million is really a small amount. Maybe it’s enough to seed an agency, but I’m just not sure why you would cap the budget at such a small amount when the scope of the problem is huge.”
The Future of Federal Regulation
Much like other initiatives that originated in California—like stricter car emissions standards and breach notification requirements—Ross foresaw the nationwide proliferation and impact that CCPA would have beyond California’s borders.
As both a former federal agent and an ongoing privacy advocate, she considers this a positive sign for eventual federal legislation that would supersede state-wide regulations.
“There is a consistent trickle of privacy legislation that continues to be introduced in Washington…. I do think that within the next few years there will be federal comprehensive privacy legislation. It’s more than just CCPA and CPRA. It’s what other states are doing. I think that the industry fears a patchwork of 50 states. From a business perspective, it makes it a lot harder to comply.”
Ross maintains that the benefits of responsible data privacy practices lie in public trust, easier business processes, and an ultimate competitive advantage. “Privacy,” she says, “is actually very good business.”
Listen to the full interview to learn more about how Ross helps companies navigate privacy law, and where she sees the state of privacy moving.