California Prop 24 Puts More Brakes on Big Tech

California’s Proposition 24 has just recently been passed by California voters, tightening the screws on the California Consumer Privacy Act 2018 (CCPA), and establishing a watchdog agency to oversee and enforce privacy laws.

Among its provisions, California Proposition 24 reins in the powers of Big Tech, preventing them from sharing consumers’ personal information and closing a loophole that meant companies could keep targeting ads with user data even when those users opted out. 

The passing of California Proposition 24, also known as the California Privacy Rights Act 2020, is a win for California consumers specifically, and privacy in the US generally. 

The CCPA is already the most comprehensive consumer privacy law in the United States. The California Privacy Rights Act 2020 goes further.

When it went into effect on January 1, 2020, the CCPA gave consumers in California four rights over the personal information that businesses collect about them: 

  1. The right to know, through a general privacy policy, what personal information a business has collected about them, where they sourced it, what they’re using it for, whether they’re disclosing or selling it, and to whom they’re disclosing or selling it.
  2. The right to opt out of allowing a business to sell their personal information to third parties.
  3. The right to have a business delete their personal information upon request, with some exceptions.
  4. The right to receive equal service and pricing from a business, even if they exercise their privacy rights.

For US residents outside California, the CCPA offers some indirect benefits if a business in scope of the CCPA chooses to provide equivalent protections to all of its customers, perhaps because it is a privacy-minded company or because it is simply easier to avoid differentiating based on state of residency.

The new California Privacy Rights Act (CPRA) adds specifics to the original CCPA, and increases the penalties for non-compliance, enforced through a new state regulatory agency.

Specifically, the CPRA: 

  • Permits consumers to: 
    • (1) prevent businesses from sharing personal information;
    • (2) correct inaccurate personal information; and
    • (3) limit businesses’ use of “sensitive personal information”, including precise geolocation; race; ethnicity; religion; genetic data; private communications; sexual orientation; and specified health information.
  • Establishes the California Privacy Protection Agency to additionally enforce and implement consumer privacy laws and impose fines.

  • Changes criteria for which businesses must comply with laws, specifically changing from “Businesses that purchase, sell or share the personal information of 50,000 or more consumers, households, or devices each year” [CCPA] to “Businesses that control the purchase, sell, or share the personal information of 100,000 or more consumers or households each year” [CPRA]; and changing from “Businesses that earn 50 percent or more of their annual revenue from selling consumers’ personal information” [CCPA] to “Businesses that earn 50 percent or more of their annual revenue from selling or sharing consumers’ personal information” [CPRA].

  • Removes the ability of businesses to fix violations before being penalized for violations, and requires businesses to:
    • not share a consumer’s personal information upon the consumer’s request
    • provide consumers with an opt-out option for having their sensitive personal information, as defined in law, used or disclosed for advertising or marketing
    • obtain permission before collecting data from consumers who are younger than 16
    • obtain permission from a parent or guardian before collecting data from consumers who are younger than 13
    • correct a consumer’s inaccurate personal information upon the consumer’s request
  • Prohibits businesses’ retention of personal information for longer than reasonably necessary.

  • Triples maximum penalties for violations concerning consumers under age 16.

  • Authorizes civil penalties for theft of consumer login information, as specified.

California Prop 24 sponsor, Alastair Mactaggart, said in a statement: “We are at the beginning of a journey that will profoundly shape the fabric of our society by redefining who is in control of our most personal information and putting consumers back in charge of their own data.” 

California privacy laws raise the bar nationally.

A significant advantage of these Californian privacy laws is that they raise the bar on consumer privacy law nationally. Given California has a large population and is home to many large tech sector companies, the CCPA was already a reference point for ongoing discussions about national US legislation, and it also made it easier for companies to say “California citizens have these rights so we’ll just roll out the same”. Microsoft took this approach, and Anonyome Labs does too. 

But not all privacy professionals fully support the new California Privacy Rights Act.

Some observers, including the Electronic Frontier Foundation, the leading nonprofit organization defending civil liberties in the digital world, and the ACLU of Northern California, believe the new legislation does not do enough to advance the data privacy of California citizens. They support the new law in spirit but are critical of some specifics. 

One argument is that while the CPRA makes the original CCPA more “nuanced and expansive”, it still favors business over consumers. Opponents of the new law argue the onus remains on consumers, not companies, to protect personal data, and that there’s been a missed opportunity to implement “opt in” as opposed to “opt out” such that privacy would be the default option and companies would need to seek a customer’s explicit consent before collecting, using, sharing or storing their personal information. The EFF argues the new data minimization provisions don’t go far enough, and that companies can refuse consumer requests to delete their personal information under some circumstances. 

In a statement, the ACLU said the new law has “deep flaws” but “sends a clear message from California voters to the California legislature that they expect and demand action to protect their privacy and safeguard their fundamental privacy rights.”

What Anonyome Labs thinks about the new law

We acknowledge the arguments of both sides of the privacy community and hope that the spirited debate among privacy leaders does not get in the way of progress. In our recent Visions of privacy post, we outlined our hope that by 2030 corporate social responsibility for data processing would be codified into systems design. By the end of this decade, we envision a reality wherein customers’ collective feedback has an immediate effect on a business’ use of personal data. Data protection is explicitly part of system design and elements like data retention and uses of customer data are well controlled. Those controls can be tightened or loosened more easily based on changes in regulation, punishments by regulators for failing to do the right thing, or feedback from customers on how they think their data is being treated.  

We believe the California Privacy Rights Act 2020 is a good step forward because its overall measures strengthen the CCPA and it also offers another proof point for national legislators. Even though there’s little material progress on a national privacy law (yet), this next step in California sends a clear message that privacy matters to consumers. We are always of the mind that some improvements are better than none.

The California Privacy Rights Act comes into effect in 2023.