If Privacy Laws Were Software Development Models, California is Open and Agile while APRA is Closed and Waterfall

I have been in the software industry for over 30 years and have seen firsthand the significant changes in how software is developed. When I first started out, software was closed (i.e., was proprietary, did not interoperate with other solutions, and was difficult to customize) and major new releases took years to come out and followed a waterfall model (i.e., very linear, with each phase such as design needs to be done before you progress to the next phase). Software nowadays strives to be open (i.e., communicates with other software through APIs and is able to be easily customized) and is developed in an agile manner (i.e., iterative and incremental) with new releases coming out in months versus years that you had with the waterfall model.

And over the last 4 years, I have been doing tech public policy, including working on the Prop 24 campaign that gave California the nation’s most robust privacy law (the California Privacy Rights Act or CPRA, which amends the California Consumer Privacy Act or CCPA) and advising politicians on privacy legislation over the last 3 legislative sessions in California. With the CPRA privacy platform now in place and setting a floor and not a ceiling for innovation, I have seen first-hand the impressive ability of different California legislators to propose new legislation that builds upon the CPRA platform and come out with incremental improvements each year, including many bills in the pipeline this year. So, to me, California is doing something exciting — privacy that is, in effect, open and agile, akin to how modern software development is done.

I then compare that to the glacial speed of federal privacy and what is now being proposed with the American Privacy Rights Act (APRA), which acts as a ceiling and preempts any innovation from States. The analogy that immediately came to my mind is that this approach is how software used to be developed — closed and waterfall — and is not appropriate for keeping up with the rapid pace of technological advancements.

Given that I come from the software world and have also been working on tech policy for the last few years, I want to use this blog post to expand on this analogy and compare how privacy law is implemented and proposed in California versus at the federal level.

CALIFORNIA PRIVACY — OPEN AND AGILE

When the CCPA was passed by the California legislature and signed into law in 2018, the United States now had the first-ever comprehensive law. But the very next year the tech industry tried to gut the CCPA in different ways, so Alastair Mactaggart, the author of the original CCPA, stepped in with Prop 24 to set a floor and not allow industry to chip away at it.

Section 25 of Prop 24 sets privacy as a floor in California and basically says that you can only pass new privacy legislation “provided that those amendments are consistent with and further the purpose and intent of this act.” In other words, privacy in California cannot be water-downed, and in doing so also encourages additional privacy-enhancing legislation that is responsive to rapid changes in technology. In other words, Prop 24 and the CPRA truly represent a “one-way, privacy-protective ratchet.”

Since the CPRA became fully operational in January 2023, California has seen a growing number of laws addressing privacy concerns with data brokers, reproductive health, and kids’ online safety. And there are over 12 bills on AI alone being proposed in California.

As Justin Brookman with Consumers Reports noted, “California alone iterates and advances on its own privacy legislation every year.” The California Privacy Protection Agency (or CPPA) also has commented on California’s innovation in privacy:

In 2002, California became the first state to pass a data breach notification requirement, and in 2018, it became the first to adopt a comprehensive commercial privacy law, the California Consumer Privacy Act. That pace has only accelerated as technology has grown more advanced. In the past two years alone, California has adopted multiple pieces of legislation to strengthen privacy protections — including a first-in-the-nation global data broker deletion requirement and new protections with respect to reproductive privacy. These efforts are supported by the CCPA’s unique “floor” on protections, ensuring that any amendments to the CCPA by the California legislature are in furtherance of the law’s intent: to protect privacy.

I have experienced this firsthand with my pro-bono advisory work and support of the California Delete Act, which is an extension of the CPRA and represents the first bill to allow consumers to globally delete their data from data brokers. It fully leverages CPRA’s definitions, exemptions, regulations (e.g., for authorized agents), and even the enforcement agency created when the CCPA was amended by voters with Proposition 24 and the CPRA. The Delete Act is like a Lego piece that attaches to this great platform.

Examples of bills this year that build upon the CPRA like Lego pieces include:

• AB 1949 “prohibits businesses from selling or sharing the personal information of consumers less than 18 years old, up from 16 years old, without affirmative authorization.”
• AB 3048 “requires browsers to include settings that enable consumers to send opt-out preference signals.”
• SB 1223 adds people’s neural data to the definition of personal information.

IAPP even tracks all California legislation, and they are tracking 31 privacy and AI-related bills in 2024 alone. [Quotes in the bullet above are from the IAPP tracker]. Not all will get past the finish line, but even if a third does, it shows an agility to keep up with rapid technology changes that no other government — State or Federal — is doing. And like the agile software development method, I see some great collaboration between lawmakers on privacy, and these various bills are being authored by different lawmakers, so legislation is not coming from a handful of people.

FEDERAL PRIVACY — CLOSED AND WATERFALL

In contrast, privacy law at the federal level moves at a glacial speed. As Professor Daniel Solove noted:

Congress is notoriously bad at updating laws. If Congress were a landlord, it would be a slumlord, because Congress hardly ever updates privacy laws even when they scream for an update. The Electronic Communications Privacy Act (ECPA) is closing in on being 40 years old. It was passed in 1986. If you were alive back in 1986, recall email, computers and the Internet back then. This was the digital stone age. Despite urging from all sides (law enforcement and privacy advocates) to update ECPA, has Congress done anything? Nope. There have been countless bills that have suffered the same fate as the ark in Raiders of the Lost Ark.

The Family Educational Rights and Privacy Act (FERPA) has a similar story. It’s woefully out of date and has countless shortcomings. It’s about 50 years old. I guess that’s young when so many people in Congress are in their late 70s, but for a privacy law, it is long overdue for an overhaul. As with ECPA, there have been bills, so many bills, but most bills wither on the vine.

Take the Children’s Online Privacy Protection Act (COPPA) which bans collecting data from children under thirteen without parental consent. It was passed in 1998. This is pre-iPhone and pre-social media. We are still waiting for COPPA version 2, which will cover teens up to sixteen and outright ban behavioral advertising for those under sixteen. Ironically, an editorial in support of APRA highlighted COPPA and said this

And APRA can be strengthened over time. That happened with the Children’s Online Privacy Protection Act, passed in 1998 to protect children under age 13. In 2013, the law was broadened and updated by the Federal Trade Commission to reflect evolving technology such as mobile devices.

The fact that it took 15 years for the FTC to broaden the law (and not upgrade it ala COPPA 2) is actually not a good endorsement of how privacy law is done at the federal level. So, it highly resembles the waterfall method of software development, but instead of major releases happening every 1–2 years, as we see with old-time software developed using the waterfall method, we are not even seeing Version 2 after 25 years in the case of privacy laws like COPPA. Meanwhile, California can crank out major innovations such as the California Delete Act or the Age-Appropriate Design Code (AADC) on a yearly basis.

Specific to APRA, it preempts state privacy law. As noted by the Washington Post, APRA also preempts other federal agencies, such as the FCC, when it comes to privacy. Thus, it takes a ceiling versus a floor approach. Besides losing the agility that you get with States like California to rapidly iterate — while at the Federal level, we will be stuck with 20+ year upgrade cycles — we will also lose the ability to innovate. As noted by Justice Brandeis:

it is one of the happy incidents of the federal system that a single courageous state may, if its citizens choose, serve as a laboratory; and try novel social and economic experiments without risk to the rest of the country.

Thus, with APRA, we will lose the ability for states to be the laboratories of Democracy when it comes to consumer privacy. I am concerned that shutting down this laboratory of innovation when it comes to consumer protection in the new world of AI is not a good thing to do. So, to me, APRA represents a closed versus open approach. And doing so in a federal waterfall model where things move at a glacial speed exasperates things further.

SUMMARY

I wish others could experience what I have seen first-hand here in California, which is rapid innovation and iteration to protect consumers and do so in a way that keeps up with the changing technological landscape. When it comes to privacy laws, California is agile and open, and the Legislators work on these problems in a highly collaborative manner, just like the best startups in Silicon Valley. At the federal level, things just don’t happen that fast, if at all. So, locking us into a closed privacy platform that acts as a ceiling and that does not allow innovation would exasperate the problems and not improve things in the wrong run, and will likely have us repeat the failures of not putting up guardrails for social media, etc. but for new and emerging technologies like AI. I would much prefer that APRA take a high-floor approach versus its current medium-level ceiling approach.