In BigIDeas on the Go, Mary Stone Ross, co-author of the California Consumer Privacy Act (CCPA) and former President of Californians for Consumer Privacy, talks about how she came into the privacy space from “the opposite side” as a counterintelligence analyst to the CIA.
A “Terrifying” Problem to Solve
In a pre-Cambridge Analytica world, the popular sentiment vis-a-vis data privacy boiled down to: “If you want to keep something private, then just don’t put it out on the internet.”
Once introduced to the privacy space—and armed with a background in policy and law—Ross “started digging in and trying to figure out, is there even an issue here? Is there a problem we’re trying to solve?”
As a former member of the House Intelligence Committee that helped oversee the NSA wiretapping program that Edward Snowden later leaked, Ross had unique insight into what that problem might be.
“We truthfully weren’t that concerned about it,” Ross says of the program at the time. “There were quite a few oversight mechanisms in place to check the use of that information and make sure it didn’t go too far.”
From Ross’s perspective, many resounding issues came down to oversight. “When I started doing research and seeing how much information these big companies were collecting and the granularity of detail, it really terrified me. And as I started seeing how much information—things like health information and precise geolocation information—was out there, and how nobody had oversight into it or how it was being used, I knew that was the problem we needed to solve.”
From Privacy Advocate to CCPA Shareholder
Ross started research for CCPA in 2016. “You hear all the time, ‘Oh, it was passed in a week—it was written in a week!’ And that couldn’t be further from the truth.”
Working hand-in-hand with the ACLU, EFF, and multiple privacy organizations, “we really were trying to be thoughtful and approach things in a different way.”
CCPA started as a Freedom of Information Act for private companies. “The idea was, you could go to any business and say, ‘What do you know about me?’ and they would have to tell you.
“Even for people who maybe aren’t interested or don’t have the time to do these things, it’s a check on these businesses…. If they have to disclose in plain language what they’re collecting and what they’re doing with that information, it becomes a soft-powered check. Maybe there are certain types of information they don’t want to collect because they wouldn’t want it to come out in public.”
CCPA: What Worked?
From consumers’ rights over their data to disclosure requirements for companies, CCPA established important regulations.
“What you don’t see behind the scenes is that there are a lot of businesses that for the first time thought about, ‘What information are we collecting about people?’” Organizations started mapping their data and improving their internal processes—not only for regulators, but for their public image.
Under CCPA, companies had to consider: What information do we have? Do we need it? And, if not, should we get rid of it? “That was a huge triumph,” says Ross.
CCPA: What Didn’t Work?
In Ross’s view, enforcement under CCPA suffered from legislative compromises that stripped individuals and officials of the right to bring legal action against non-compliant organizations.
“In the initiative, we had very robust enforcement. We allowed for a private right of action, meaning that any individual who was harmed by a violation of the CCPA could bring suit. That was eliminated.”
District attorneys, city attorneys, and city prosecutors also no longer have the right to initiate legal action—only the California Attorney General. “I think the world of Attorney General [Xavier] Becerra and the people in his office who have really sent very clear signals that they intend to enforce this law and intend to enforce it seriously,” says Ross.
The problem is, the AG has limited resources. Very limited—enough for about three enforcement actions per year. The result is that many businesses do the bare minimum, playing the odds and assuming they will not be one of those three.
Will CPRA Solve the “Enforcement Problem?”
While the latest privacy initiative out of California, the California Privacy Rights Act (CPRA), seeks to put “real teeth” behind CCPA by establishing a new agency dedicated to enforcement, Ross has reservations.
“I think it’s great to have a new California data protection agency,” says Ross, “but the way the new initiative is written, the budget is capped at $10 million per year.”
By contrast, “the FTC’s budget is over $300 million per year, and everybody agrees that’s not enough money for them to bring all the enforcement actions they need to bring. So $10 million is really a small amount. Maybe it’s enough to seed an agency, but I’m just not sure why you would cap the budget at such a small amount when the scope of the problem is huge.”
The Future of Federal Regulation
Much like other initiatives that originated in California—like stricter car emissions standards and breach notification requirements—Ross foresaw the nationwide proliferation and impact that CCPA would have beyond California’s borders.
As both a former federal agent and an ongoing privacy advocate, she considers this a positive sign for eventual federal legislation that would supersede state-wide regulations.
“There is a consistent trickle of privacy legislation that continues to be introduced in Washington…. I do think that within the next few years there will be federal comprehensive privacy legislation. It’s more than just CCPA and CPRA. It’s what other states are doing. I think that the industry fears a patchwork of 50 states. From a business perspective, it makes it a lot harder to comply.”
Ross maintains that the benefits of responsible data privacy practices lie in public trust, easier business processes, and an ultimate competitive advantage. “Privacy,” she says, “is actually very good business.”
Listen to the full interview to learn more about how Ross helps companies navigate privacy law, and where she sees the state of privacy moving.