The California Privacy Protection Agency (CPPA) is off and running full speed ahead, and like a runaway train, there is little to do to stop it before we witness a train wreck.
Established through the California Privacy Rights Act of 2020 (CPRA), the CPPA was created to develop the first comprehensive privacy regulations in the nation. While an admirable objective, the issues around process, lack of oversight, enforcement confusion, increased costs, overreach, and aggressive expansion are causes for significant concern.
While the concerns continue to grow and go unanswered, the CPPA has turned into nothing short of a new costly bureaucracy, shaping up to be an empire.
While legislators have been tasked with keeping an eye on the CPPA, the trajectory of overreach coupled with considerable concerns from California’s small business community puts a fine point on the term “oversight.”
Policymakers and the Newsom Administration must restrain the Board’s actions to allow small- and medium-sized businesses to get a handle on current laws and regulations before moving on to establish more.
It doesn’t stop there. Rather than helping businesses comply with changing laws and regulations, the Board has issued a public relations Request for Proposal to promote themselves, including a paid media strategy, media placement, audience targeting, data analysis, media budgeting, and progress reporting.
All of this comes in at a staggering $8 million price tag for the state and taxpayers. Making matters worse, the Board also announced that they will hire more than 34 new employees, and who knows what the accounting for that entails.
One must ask, “Why does a new state agency need to spend millions on public relations and hire dozens of new employees when the mission is to help businesses comply with regulations?”
This appears to be another example of empire building at the expense of fulfilling the public’s desire to have their personal information protected while they utilize digital tools to enhance their work and home life.
The CPPA is diving into areas such as opt-out preferences, dark patterns, collection of information, the right to correct, expanded enforcement, and audit authority. There is concern among California businesses, especially small businesses, that the regulations will inhibit them from using tools that are helpful in reaching customers and go beyond protecting privacy to regulating the business and advertising operations.
There is already confusion as to the opt-out requirements for the sale or sharing of consumer information, which require businesses to obtain consent rather than provide a method for consumers to opt out as required by law.
Surveys indicate that the process is so confusing that consumers are saying yes to all requests to allow the use of personal information. Rather than making the process easier for consumers, the regulations appear to make everything more difficult and less effective.
Companies have spent significant money up front on lawyers and technologists to ensure they are in compliance with CCPA and may be forced to go through the process once again to ensure CPPA compliance.
In addition to the increased costs, the myriad data privacy laws, including the California Consumer Privacy Act (CCPA), CPRA, General Data Protection Regulation (GDPR), and out-of-state laws, have created unnecessary confusion for small- and medium-sized businesses. Businesses are unclear on how they will be required to comply with several laws aimed at regulating the same thing.
At a time when California’s small businesses are struggling to rebound from the pandemic, the global shipping crisis, soaring fuel and energy costs, and now inflation, how can we expect them to take on more burdensome costs and uncertainties?
California’s small business community is now at the whim of the CPPA. It’s incumbent upon California lawmakers and the Administration to step in before it’s too late. The CPPA must refrain from expanding data privacy regulations even more.
It’s time to put the brakes on this runaway train that is headed towards disaster, with small businesses being the collateral damage.
Editor’s Note: John Kabateck is California state director for the National Federation of Independent Business, NFIB.