I helped draft California’s new privacy law. Here’s why it doesn’t go far enough

The California Consumer Privacy Act is the strictest privacy law in the country. But it is largely toothless and under threat by corporate lobbyists.


Californians woke up this new year with the strongest data protection rights in the United States. The California Consumer Privacy Act (CCPA) is now in effect, granting all Californians oversight and control over how corporations use our personal information. The process itself did not happen overnight or even, as some press reports have mischaracterized, in a week, but instead was the culmination of a two-and-a-half-year effort to think critically and thoughtfully about what should be in effective privacy legislation. Now, all Californians have:

  1. The right to find out what personal information corporations collect on us, our devices, and our children;
  2. The right to opt out of the sale of our personal information; and
  3. The right to sue companies who place our identities at risk if they fail to implement reasonable security measures to protect our personal information.

But unfortunately, the law itself—which is a compromise between legislators and many of the influential tech companies in California—is a significantly watered down version of the original initiative that I drafted along with privacy advocate and real estate developer Alastair Mactaggart and financier Rick Arney.

Like the legislative compromise, the original initiative included rights of access and rights to opt out of the sale of personal information. Significantly, it also included a strict non-discrimination provision, which prohibited corporations from charging you more or denying you access if you asked them not to sell your personal information. The initiative also gave individuals the right to sue corporations that ignore these requests. Unfortunately, these rights—along with the state’s ability to adequately enforce the rights people do have—were eliminated in the compromise.

Despite these setbacks, privacy is not dead. It is time to demand even stronger protections to be extended to all Americans.

Why privacy matters

As Harvard professor Shoshana Zuboff eloquently wrote, we live in an era of surveillance capitalism. Many businesses collect personal information from consumers using hundreds of tracking and collection devices, including through Wi-Fi and Bluetooth. They not only know where you live and how many children you have, but also how fast you drive, your personality, sleep habits, biometric and health information, financial information, and precise geographic location—including if you visited a women’s health clinic. Regulation must shine a light on what data is collected and grant consumers control over its use and remedies for its misuse.

Transparency—also known as the “Right to Know” in the CCPA—is the cornerstone of the entire law and should be the cornerstone of any consumer privacy legislation. To date, consumers are consenting to the collection, use, and the sale of their personal information without truly knowing what they are agreeing to when they click the “accept” button. It’s not because they are ignorant, but because it is effectively impossible to be informed. The CCPA will close this gap by empowering consumers to find out what information is collected and how it is used, so that they can make an informed choice on whether or not to use a service.


As a former CIA counterintelligence officer and counsel on the House Intelligence Committee (HPSCI), I have a fundamental understanding of the power of big data. I’ve seen first-hand its potential to do good, including disrupting human trafficking networks and preventing terrorist attacks. But I have also seen that power abused by governments and by corporate interests, as we have seen with Cambridge Analytica, Facebook, Google, and Amazon. When I served on HPSCI, one of our responsibilities was to provide oversight over another surveillance program—the NSA wiretapping program Edward Snowden so famously disclosed. Even this is not nearly as intrusive as the ways that the corporations we do know and the data brokers we don’t know track our online and offline activity.

However, in contrast to the NSA program, there is minimal federal oversight. When it comes to what information corporations can collect, how they can use it, and who they can share it with, effectively no one is watching. This will start to change with the implementation of the CCPA.

Where the CCPA went wrong

The CCPA started its life as an initiative that qualified for the November 2018 ballot. California has a well-established ballot initiative process, designed to shift power away from the legislature and into the hands of the people by giving Californians a process to put amendments on the general election ballot for a popular vote. Any California resident may submit an initiative to the California Secretary of State’s website. If an initiative meets well-established filing deadlines, and collects a constitutionally mandated number of signatures, it qualifies for the ballot. An initiative only needs the support of a simple majority of the electorate to pass and, if it does, the only way to change an initiative is through another one—making it a powerful way to hold corporations with large lobbying arms accountable.

While drafting the initiative that would become the CCPA, I was the president of the advocacy group Californians for Consumer Privacy. By attempting to put an initiative on the ballot, we were hoping to accomplish something that Sacramento had been unable or, due to deep-pocketed corporate interests, unwilling to do—update California’s privacy regulations to protect consumers. Ultimately, my coauthors decided to pull the initiative from the ballot and instead go through the legislative process, a decision I was against because I thought we were giving up too much while creating an opening for lobbyists to weaken the ultimate bill.

Unfortunately, my fears came to fruition. Although the legislative deal was struck in good faith, industry has relentlessly lobbied for legislation that will fundamentally undermine the CCPA, while simultaneously attempting to preempt it with equally aggressive lobbying campaigns in Washington. Last session, there were over 20 bills making their way through Sacramento that would weaken the CCPA. Thankfully, due to the efforts of privacy advocates and the courage of Assemblywoman Buffy Wicks and Senator Hannah-Beth Jackson, those efforts largely failed—for now.


For this kind of legislation to work, enforcement is key. Weakened enforcement is one of the most egregious mistakes that was made in the legislative compromise in California. The initiative had a private right of action—which means that individuals would be empowered to sue companies that violated their rights—in addition to enforcement by the state’s attorney general, district attorneys, and city attorneys and prosecutors. In the legislative compromise, only the attorney general can enforce the CCPA (except for data breaches). Unfortunately, the California attorney general’s office predicts that even with additional resources, they will only be able to bring three enforcement actions a year, rendering the CCPA largely toothless.

Along with lax enforcement, the CCPA does not have provisions to protect the most vulnerable in our society, who are often most impacted by privacy abuses. Privacy should not be a commodity that only the wealthy can afford. Future legislation should explicitly prohibit digital redlining and also include a strict non-discrimination provision to protect consumers if they choose to exercise any of their rights.

Looking toward Washington

One way to prevent some of these problems is to pass meaningful privacy legislation at the federal level to protect all Americans. Democratic Representatives Anna Eshoo and Zoe Lofgren provide an excellent model in their proposed legislation, which would create a new data protection agency that is modeled after the Consumer Financial Protection Bureau, with a mandate to enforce privacy protections and investigate abuses. Significantly, the Eshoo and Lofgren bill also allows state attorneys general and individuals to enforce the law by suing businesses that violate our privacy.

Despite the narrative of many big tech companies, it is possible to draft effective privacy legislation that does not disrupt legitimate business interests. We wrote the CCPA with the understanding that Silicon Valley and technology businesses in California are important to our state’s economy and way of life, but also that some uses of data are good for consumers.

Privacy can be good for business and good for competition. As Johnny Ryan, Chief Policy and Industry Relations Officer at the privacy-focused browser company Brave, noted in his recent congressional testimony:


“Today, big tech companies create cascading monopolies by leveraging users’ data from one line of business to dominate other lines of business too. This hurts nascent competitors, stifles innovation, and reduces consumer choice.”

There are several successful businesses that offer privacy-focused alternatives, including DuckDuckGo, a search engine that does not collect any personal information, and Wire, a business productivity and communications platform that provides secure end-to-end encryption. Proper regulation can encourage privacy-protective design and shift the cost to business if they choose to collect and use our information.

While I had hoped to put the stronger version of the CCPA in front of voters, I am excited that Californians now have the strongest privacy rights in the United States. I have recently started a position as the associate director of the Electronic Privacy Information Center (EPIC), a public interest research center in Washington, D.C., where I will continue the fight alongside the EPIC team and other privacy advocates to protect privacy, freedom of expression, and democratic values.

As Congress and other states contemplate data protections for more Americans, I hope they learn from California and guard against the relentless efforts of corporations to weaken people’s rights. Ultimately, they should recognize that the keys to effective privacy regulation are transparency and enforcement.

Mary Stone Ross is the associate director of the Electronic Privacy Information Center and the former president of the advocacy group Californians for Consumer Privacy.