“[A] single State may serve as a laboratory, and try novel social and economic experiments….”
— Justice Louis Brandeis, New State Ice Co. v. Liebmann (1932)
As the most contentious presidential campaign in memory comes to a still-contested close, the ideological paralysis that has typified this Congress has left behind a vacuum. Impatiently waiting to fill that vacuum are states like California, unencumbered by the inconvenient rancor that often accompanies two-party political discourse.
This election, a 56% majority of Californians adopted Proposition 24, a ballot initiative that its supporters claim establishes the “strongest online privacy rights in the world.”
Prompted by San Francisco real estate developer Alastair Mactaggart, Proposition 24 was a sequel to his 2018 privacy initiative that was handed over to the California legislature in lieu of completing the expensive initiative process. The result was the virtually unanimous legislative adoption of the California Consumer Privacy Act (CCPA).
The CCPA, touted at its passage as the strongest state law in the country, provided consumers with 1) the right to access personal information held by businesses about them; 2) the right to have businesses delete that personal information upon request; and 3) the right to preclude the sale of that information, better known as the “right to be forgotten.”
Also mandated was the establishment by covered entities of data security systems, accompanied by a private right of action if a breach occurred “as a result of” the failure of a business to implement “reasonable security” measures.
California’s attorney general was tasked with rule-making as well as enforcement authority, with the power to bring civil actions for violations of the statute.
This past fall, however, Mactaggart complained that because businesses had begun to lobby the California legislature seeking changes that he believed would “weaken the law,” a new initiative was necessary.
“Unless California voters take action,” he warned, “the hard-fought rights consumers have won could be undermined by big business.”
The result was Proposition 24, designed to supplement rather than replace the CCPA. This initiative, which avoided the legislature rather than risk having reason to alter Mactaggart’s vision, creates the California Privacy Rights and Enforcement Act (CPRA). This, among other things, adds to the CCPA a ban on the sharing of personal information and the retention of such information by businesses any longer than is “reasonably necessary.”
The major change, however, is Proposition 24’s creation of a new, independent stand-alone enforcement agency, called the California Privacy Protection Agency (CPPA), in place of the attorney general. Run by a five-member board, this new agency singularly is empowered to issue regulations and engage in administrative enforcement.
The CPPA, however, also contains seemingly innocuous language that is both unique and potentially perilous. The five board members who will run the agency are to be appointed by four California officials: The governor will appoint the chair and one other member, and the attorney general, the speaker of the Assembly and the Senate Rules Committee will appoint one each, for a term no longer than eight consecutive years.
So far, so good, but this is where “perilous” comes in. There is no normal third-party confirmation or scrutiny of the quality of any of these appointees, with the result that, once appointed, appointees immediately can take office. Once they are appointed, though, the initiative requires that board members “shall serve at the pleasure of their appointing authority…”
This means that these CPPA members not only can be immediately appointed, without any third-party review, but they can be terminated at will by the official who appointed them. This unique process, in effect, strips the agency of any independence it otherwise might have and, as a consequence, the eight-year term actually is rendered meaningless.
This process potentially allows just two California political officials — the governor and one of the other “appointing authorit[ies]” — to exercise complete control over the CPPA. If the governor and one other official were to work in concert, for example, they could collude to control a majority of the agency’s five-member board. And if their appointees prove to be too soft on business, or fail to satisfactorily prosecute specific companies or industries, it’s possible for them to repeatedly be fired without cause and replaced without confirmation until their “appointing authorities” are satisfied with their performance.
This blend of the 2018 law with Proposition 24 now has created what Brittany Kaiser, the co-founder of the Own Your Own Data Foundation, has characterized as “the most powerful data protection legislation ever passed in this country,” a measure that former presidential candidate Andrew Yang predicts “will sweep the country” and become a national standard.
Justice Brandeis’ view of states as potential laboratories for change was prescient, but one-party states like California have started to redefine the terms.
Thomas M. Boyd is a former assistant attorney general, appointed by President Ronald Reagan. He is counsel to the National Business Coalition on E-Commerce and Privacy. Contact him at: TMBoyd@Venable.com