Did these laws accomplish the privacy goals you set out to achieve for California and the nation?
I would say largely. I do think the way the initiative is structured is it’s a one-way ratchet—things can get more privacy-protective, but not less, in California. Would I like to see something roll out across the country? Yes. It would be great to have all Americans covered. There’s a greater likelihood it happens now after the initiative because it’s essentially like saying we’re going to have food labeling in California but not in Oregon or not in Kansas. I don’t think it’s going to be sustainable for companies to have two tiers of privacy protections in the United States. Almost regardless of what happens in Congress, and almost regardless of what happens in other states, I think a lot of companies will offer these rights—just like we saw Apple and Microsoft do last time with the CCPA. And I think over time states will feel pressure to do this as well.
The CPRA was meant to close loopholes in the CCPA—what happens when advertisers and marketers find loopholes in the new law?
Now [that] we have a new agency that has rulemaking authority just like with the attorney general, it's only a question [of when] you catch up with these people over time. Sure, there are people who invent tax vehicles to get around taxes, but generally those loopholes get closed. We're headed in a one-way direction, which is going to be more privacy-protective for people. I actually sent my friend a screenshot of a [website cookie control label]. No matter what you did to your screen, you couldn't read it. It was white writing on a very light blue background. People do this intentionally; it was just so obvious. I think that kind of thing has got to stop, and I think it will stop over time. Some people are still clinging on to this notion that if we just pushed back hard enough, we can make it go away. I guess it’s just denialism.
What’s next for privacy?
This is maybe just, to quote something, the end of the beginning. There's a lot of work to do in terms of getting reasonable laws out here that people can comply with. The real emphasis is on clarity for everybody, for businesses. There should be clear rules, but also clear consequences. I liken that again to food labeling, that's brilliant. I don't know about you, but I use it often. You're like, 'Whoa, it says granola bar, but it's got like 48 grams of sugar! No, I'm not going to do that.'
Will you propose more legislation?
I’m focused on trying to make sure this law gets implemented properly and well. The really important part about this law now is we essentially achieved GDPR parity. That’s one of the things that I was interested in: Is there an opportunity to get adequacy with the EU? Now we have this provision where [the state government in] Sacramento can't weaken the law because we have this initiative that just went with over 2 million votes. In 2019 that was my big worry: Gosh, all these businesses are really excited about trying to weaken the law and there were multiple attempts to just gut the law. Now we have a provision which basically says to those businesses, don't even try, because you'd be thrown out in court, even if you got it past the legislature.
You came to the fight with coffers big enough to fund a sustained, multiyear battle. Does this suggest that only the wealthy can change things?
It's a reasonable question, the people outraged by 'Oh, here's a rich guy doing his thing.' But Apple's a trillion-dollar company, Microsoft, a trillion-dollar company. Google's a trillion-dollar company. The miracle actually is that an individual was able to get this done. I don't mean I want to pat myself on the back—I just mean that that's California for you. We have the process that allows for this, and the voters who would vote for it. It does reaffirm your faith in democracy for all the lamenting about it going out the window here at the national level. People were willing to take steps to rein in the most powerful corporations the world's ever seen.
Is future privacy legislation likely to come from the state level or the federal level?
I'd welcome it at the national level, as long as it doesn’t preempt California. And I think change will happen, just like with data breach laws where California passed the first law. Twelve years later, Alabama was the 50th state to ratify a data breach law. Congress could have acted and chose not to. I think likely the same thing will happen with privacy because it's so complicated.
Will the CPRA create pay-for-privacy schemes, where you either pay for access or surrender your privacy?
This is an area where I expect change over time, but for now I think this is the right policy. What this does is respect where we are in the internet right now. If you're not going to be able to benefit from your data, you know who is? Google and Facebook. At least if there's the possibility of consumers being able to monetize their data, that will take some of the value away from the companies who are now using it for free resulting in trillion-dollar valuations. And by the way, what we say in CCPA and CPRA is the charge has to be reasonably related to the value of the information. It can't be like, 'Hey cell phone company, please don't sell my information.' And then the charge is 200 bucks a month extra, well then no one's going to do it, you know?