Case Study 40-2: The CCPA and the California Privacy Rights Movement — Structural Change Through Democratic Process
Background
In June 2018, California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law. It was the most comprehensive consumer privacy legislation enacted by any U.S. state, and it was enacted in a matter of months — an unusually short legislative timeline for complex regulatory legislation. The story of how CCPA was enacted is a case study in collective action, strategic leverage, and structural change through democratic process — the combination of individual, collective, and policy-level responses that Chapter 40 argues is necessary for structural surveillance reform.
The CCPA gave California consumers the right to know what personal information businesses had collected about them, the right to request deletion of that information, the right to opt out of the sale of their personal information to third parties, and the right to non-discrimination for exercising these rights. It applied to any business meeting certain size thresholds that collected the personal information of California residents — which, because of California's economic significance, meant most major technology companies and data brokers operating in the United States.
The Origin: One Person and a Ballot Initiative
The CCPA originated with Alistair Mactaggart, a real estate developer in San Francisco who became concerned about the scope of personal data collection by technology companies. He engaged Professor William Alsup of Berkeley Law School to review the legal landscape and, after that conversation, hired a political consulting firm to assess the prospects for a ballot initiative on consumer data privacy.
Mactaggart funded the development of a ballot initiative — the Consumer Right to Privacy Act of 2018 — and began gathering signatures. Under California's direct democracy system, a ballot initiative that collects sufficient signatures goes directly to voters, bypassing the state legislature. The initiative Mactaggart funded was strong — arguably stronger than what eventually became law — and technology companies recognized that if it reached the ballot, it would likely pass: polling showed overwhelming voter support for privacy rights.
The threat of the ballot initiative created leverage that would not otherwise have existed. Technology companies, facing the prospect of a privacy initiative drafted without their input passing with large voter majorities and being difficult to amend once enacted, had an incentive to negotiate with Mactaggart over legislation that they could shape — and that could be amended by the legislature later.
The Legislative Process
The legislative process was extraordinarily compressed. The major California technology companies — Google, Facebook, Microsoft, Verizon, Comcast, and others, organized through the Internet Association lobbying group — negotiated with Mactaggart and legislative sponsors over several weeks in June 2018. Mactaggart agreed to withdraw his ballot initiative if legislation was passed before the deadline for removing it from the ballot.
The final text of the CCPA represented a compromise. It was weaker than Mactaggart's original initiative in several respects: the private right of action was limited to data breach cases (not to other privacy violations), the opt-out framework applied to "sale" of data (which excluded some forms of data sharing), and implementation was delayed. But it established, for the first time in the United States, a statutory right for consumers to know about, access, and request deletion of their personal information.
The speed and substance of the legislation reflected the specific leverage created by the ballot initiative mechanism. Without the initiative, the tech industry's lobbying power would have prevented meaningful privacy legislation. With the initiative, the industry had reason to accept a negotiated compromise that it could influence.
The CPRA — Strengthening the Framework
In November 2020, California voters passed Proposition 24 — the California Privacy Rights Act (CPRA), which amended and strengthened the CCPA. The CPRA created a dedicated California Privacy Protection Agency (CPPA), extended privacy rights to employment and business relationships, further restricted the use of sensitive personal information, and strengthened the private right of action in some respects.
The CPRA was again a Mactaggart initiative, this time backed by a broader coalition that had formed around the CCPA's implementation. The two-step process — CCPA establishing the framework, CPRA strengthening it — illustrates a pattern of incremental structural change that Chapter 39 identified as characteristic of how regulatory frameworks develop: initial legislative enactment, implementation experience that reveals gaps, subsequent legislative strengthening.
What CCPA/CPRA Changed (and Didn't)
What changed:
- California consumers have enforceable rights to know what data is collected about them, request its deletion, opt out of its sale, and receive non-discriminatory treatment for exercising these rights
- Data brokers operating in California are required to register with the CPPA
- The "sale" of personal data is restricted, requiring businesses to honor opt-out requests
- The CPPA has enforcement authority with meaningful investigative and penalty powers
What didn't change:
- The surveillance capitalism business model: companies that comply with CCPA can still collect enormous amounts of behavioral data, use it for advertising, and sell products built on that data — they just have to disclose it and honor opt-out requests
- The consent fiction: privacy policies are still complex, opt-out mechanisms are often cumbersome, and the default in most systems is still data collection rather than privacy
- The commercial surveillance of public behavior that doesn't involve "personal information" as legally defined
- Federal surveillance and intelligence programs, which CCPA doesn't reach
- The racial disparities in surveillance burden, which CCPA doesn't address
CCPA is a real structural change: it established legal rights that did not previously exist, created an enforcement agency with real authority, and changed the practices of major technology companies. It is not the structural transformation that would resolve the surveillance problems documented in this book. It is a step in a process.
The Federal Implications
The CCPA's enactment created pressure for federal privacy legislation in ways that more modest state laws had not. Several states enacted CCPA-inspired legislation in 2021, 2022, and 2023 (Virginia, Colorado, Connecticut, Texas, Utah, and others). The proliferation of state laws created compliance complexity for companies operating nationally, which in turn generated industry pressure for a preemptive federal framework — a federal law that would set a national standard.
As of this writing, comprehensive federal privacy legislation has not been enacted in the United States. The American Data Privacy and Protection Act (ADPPA) passed a House committee in 2022 with bipartisan support but did not reach a floor vote. The tension between federal preemption (industry preference, favoring a weaker standard than California's) and federal floor (consumer advocates' preference, maintaining states' ability to enact stronger standards) has been the primary sticking point.
The CCPA story — from individual initiative, to ballot leverage, to legislative negotiation, to enacted law, to subsequent strengthening — provides a model for how structural change in the surveillance landscape might be pursued through democratic process. It also illustrates the limits: a decade after the Cambridge Analytica scandal, after years of documented data breaches, after Snowden, after the documented harms of surveillance capitalism, the United States still lacks the comprehensive federal privacy framework that exists in the European Union, Canada, Japan, Brazil, and dozens of other countries.
What the CCPA Case Teaches About Chapter 40
The CCPA case illustrates several of Chapter 40's core arguments:
Individual action was necessary but insufficient. Alistair Mactaggart's initial decision to fund a ballot initiative was a necessary first step. It was not sufficient: the initiative became law only because it was drafted into legislation through a collective negotiation process, passed by a legislative body, signed by a governor, and subsequently strengthened by voters in a second ballot process.
Leverage matters. The ballot initiative mechanism created leverage that would not otherwise have existed. The lesson is not that ballot initiatives are the primary tool — they are available only in states with direct democracy systems — but that structural change often requires the creation of leverage: a cost to maintaining the status quo that makes change preferable to inaction.
Incremental change can build. CCPA was not the final answer; it was a first step that created the institutional infrastructure (the CPPA, the legal rights framework, the enforcement apparatus) for subsequent strengthening. Structural change frequently works this way: each step creates the conditions for the next.
The work continues. Federal preemption of California's stronger standard remains a significant risk. The adequacy of California's framework for the problems documented in this book is limited. The story is not over.
Discussion Questions
- The CCPA was enacted in part because the ballot initiative mechanism created leverage that would not otherwise have existed. What other mechanisms create comparable leverage for privacy reform at the federal level or in contexts without direct democracy systems?
- The CCPA's consent framework — opt-out rather than opt-in for data sale, notice-and-choice as the primary mechanism — has been criticized as insufficient. Evaluate this criticism. What would a more robust consent framework look like?
- The case study notes that CCPA does not address racial disparities in surveillance burden. Is this a failure of the legislation, or is it asking too much of a privacy law to address a racial justice problem? How would you connect privacy law reform to racial surveillance accountability?
- The CCPA strengthened over time: CCPA → CPRA → anticipated further amendments. Does this incremental process suggest that democratic channels are adequate for surveillance reform, or that the incremental approach will never keep pace with surveillance technology development?
- Chapter 40 argues that "what we should demand" includes democratic governance of surveillance. The CCPA process involved significant industry participation in the drafting of legislation designed to regulate that industry. Does industry participation in regulatory design compromise the democratic character of the outcome?