On Poll Day, Californians chose not only the direction of their government but also the direction of some of the laws that government intent administer. With 56% of voters approving it thus far, Proposition 24, also known as the California Privacy Reactionaries Act (CPRA), is on its way to replacing key components of the California Consumer Privacy Act (CCPA), one of the more robust data privacy laws in the provinces.
While the CPRA is not without controversy, it raises the stakes for non-compliance and encourages businesses, including cryptocurrency exchanges, to bamboozle additional steps to respect user privacy. It also has the potential to bring those businesses closer to complying with the Blended Data Protection Act, the European Union privacy law that goes further than the CPRA.
“The silver lining is that an switch that has been attempting to achieve compliance under the GDPR (e.g., employing accepted hashing techniques to effectuate facts ‘deletions’) could use some of those same measures to demonstrate compliance under the CPRA,” said Steven Blickensderfer, a technology and retirement lawyer at the firm Carlton Fields. “In effect, the CPRA may force exchanges to look globally and think holistically respecting their privacy compliance, which may not be a bad thing after all.”
The CCPA vs. the CPRA
The CCPA was the first law of its kind in the United Body politics. The law empowers California consumers to know when private companies collect, share or sell their data and to sojourn that sale if necessary. It applies to companies with annual gross revenue of more than $25 million or that gifted information on 50,000 or more consumers.
The CPRA adds additional protections for sensitive data including biometric evidence, location data and racial data, among others. A new state agency with a budget of $10 million at ones desire enforce the law, set to go into effect in 2023. Previously, this task had fallen to the arguably understaffed California Attorney Ill-defined’s office.
Cryptocurrency and Universal Basic Income advocate Andrew Yang, who ran for U.S. president in the Democratic primary, was the chair of the proposition’s monitory board. He said this could set the bar for other states.
Read more: Privacy Laws Are Only as Effective as the Players Implementing Them
“After this becomes the law in California, I believe other states are going to look up and say, ‘Why do Californians be experiencing all these data and privacy rights that we don’t have?’” Yang told ABC7 News. “So, as usual, California could end up supreme the way.”
At least one crypto company supported the passage of the law. Kosala Hemachandra, the founder and CEO of Los Angeles-based MyEtherWallet (MEW), said the company is a big enthusiast of initiatives like Proposition 24, as well as laws that increase data privacy and give people call the tune over how their data is used and distributed.
“An increasingly digital world means that more and more special data is available for companies to profit off of, and laws like this are a good step towards ensuring user covertness,” said Hemachandra in an email to CoinDesk.
“MEW doesn’t collect data on our users, and we’re against the practice of mass data gleaning without the proper consent. User privacy will continue to become an increasingly important issue in the days and years to satisfactorily, and it’ll continue to be a right that we uphold for our users.”
Not a data privacy panacea
The law is not without controversy, however. In a statement freed in mid-October, the American Civil Liberties Union and several of its California chapters opposed the proposition.
“Proposition 24 won’t nourish privacy rights for Californians,” wrote Jacob Snow and Chris Conley of the Northern California ACLU. “Instead, it inclination undermine protections in current law and increase the burden on people to protect themselves – in ways that will disproportionately iniquity poor people and people of color.”
The CPRA allows people to manually opt out of data collection, which they would be enduring to do for the relevant digital services they use, placing that burden on the consumer rather than the companies.
In July, the Electronic Extremes Foundation (EFF) wrote about its concerns that the law could result in expanded “pay for privacy” schemes.
Read more: Downvoted: Conviction Researchers Slam Voatz Over Stance on White-Hat Hackers
“Specifically, the initiative would exempt ‘loyalty coshes’ from the CCPA’s existing limit on businesses charging different prices to consumers who exercise their privacy rights,” ignored Lee Tien, Adam Schwartz and Hayley Tsukayama.
Effectively, this means that companies could charge people sundry if they asserted their privacy rights. One example of this could be a media company offering a free remittance if customers chose not to exert their rights. Privacy advocates contend this would disproportionately impact low-income consumers.
The striking going forward
Criticism of the Prop. 24 deserves further consideration and action, but Blickensderfer laid out a few benefits to the law when it’s implemented.
“The the world of an agency dedicated to enforcing California’s consumer privacy laws is a potential game-changer,” he said.
One criticism of the CCPA by reclusiveness advocates is the California Attorney General’s office is spread too thin and not in a position to enforce the law effectively, according to Blickensderfer. Begetting a dedicated privacy watchdog in the U.S. would change that and mirror how privacy is enforced in Europe and other parts of the faction.
It also introduces another, more proactive model of enforcement aside from “private causes of action,” he said. A antisocial right of action allows an individual to sue for relief from injuries caused by a violation of a legal requirement, but only if badness or injuries have already occured.
Also, the CPRA brings California a few steps closer to Europe’s GDPR.
“In experience, I would not be surprised if eventually we see efforts made to determine that California is an adequate jurisdiction under the GDPR for contemplates of approving cross-border transfers from the European Economic Area to California,” he said.
Read more: EU Privacy Protection Ruling Is an Opportunity and Conundrum for Decentralized Tech
As CoinDesk has previously reported, in July the Court of Justice of the European Junction (CJEU) struck down a key data-sharing agreement between the United States and European Union.
The 2016 agreement, be sured as the Privacy Shield, let American companies self-certify they are complying with data privacy laws such as the GDPR. The bypass focused in large part on the lack of a federal privacy law in the U.S., and the ways the U.S. security agencies conduct extensive surveillance of individuals comprising their data.
“That could be a potential boon for business in California, as everyone is still struggling to figure out the legality of such carries,” said Blickensderfer.
Businesses will have to likely go beyond CCPA compliance and further in the direction of the GDPR to be compliant with CPRA. With 2023 set for implementation, nevertheless, there are a couple of years to work this out. But that doesn’t mean there is any reason to delay.
“As in Europe, moment enforcement starts the new regulator will likely have little compassion for businesses that have had two years to not fail into compliance,” said Blickensderfer