California just strengthened its digital privacy protections even more
The California ballot measure Proposition 24, or the California Privacy Rights Act (CPRA), has passed, pushing the state even further ahead of the rest of America when it comes to data privacy legislation.
CPRA adds to California’s existing law, the California Consumer Privacy Act (CCPA). CCPA is one of the strongest privacy laws in a country with few of them, giving Californians the power to know what data businesses have and collect about them and to tell those businesses not to sell that data to anyone else.
CCPA went into effect on January 1, and while it wasn’t perfect by any means, most privacy advocates seemed to agree that it was a good start, both for the state and for any other state or federal laws its passage may inspire.
Californians for Consumer Privacy was behind Proposition 24, which it believed would further strengthen the CCPA and close some of the loopholes businesses were using to get around the law.
The group’s founder, Alastair Mactaggart, is also the reason the CCPA exists. He’s put up millions of dollars of his own money to get CCPA and CPRA passed, beginning with a ballot measure about consumer privacy back in 2018. Mactaggart came to an agreement with the state legislature that he would withdraw the measure from the ballot if California passed its own version (which Mactaggart helped write). That became the CCPA. But Mactaggart wanted more from the law and came up with CPRA: a 52-page ballot measure that he thought would fix its shortcomings.
“I think that the regulations are, overall, pretty good, but it can be tightened up,” Mactaggart told Recode.
Mactaggart said the CCPA had weaker consumer protections than his original ballot measure in the interest of getting the law passed (“so businesses couldn’t argue this person is going to shut down commerce”). Now CPRA will add stronger privacy protections to its predecessor, giving California a law on par with the European Union’s General Data Protection Regulation.
“My approach is, now’s the time to close the gap and give Californians first-world privacy,” Mactaggart said.
What California Proposition 24 does, briefly explained
Proposition 24’s provisions give Californians the ability to tell businesses not to use certain categories of sensitive information, including race, health, religion, location, sexual orientation, and biometrics. It makes more explicit that “do not sell” includes data shared between companies. And it triples fines for violations if the affected consumer is younger than 16 years old.
The new measure also makes it very difficult to weaken the law through additional amendments — though any amendments that strengthen it can pass with a simple majority. Finally, it provides funding for a Privacy Protection Agency that would be charged with enforcing privacy laws. The CCPA only gave the state’s attorney general the ability to do that, and Attorney General Xavier Becerra has said that his office has limited resources to do so.
While Proposition 24 had several supporters — including the NAACP of California, a handful of state politicians, US Rep. Ro Khanna (D-CA), Andrew Yang, and privacy advocates and experts including Shoshana Zuboff, Chris Hoofnagle, and Ashkan Soltani (who co-authored the measure) — it also had its opponents.
Most notably, the American Civil Liberties Union of California was very much against it, saying that it actually weakened parts of the CCPA and citing concerns that it allowed companies to charge consumers who opt out of having their data sold or shared more than those who don’t. This, the ACLU argued, means people with lower incomes will have less access to privacy protections than people with greater assets. Still others either reluctantly supported it or declined to endorse or oppose it. The digital civil liberties nonprofit the Electronic Frontier Foundation, for example, said the measure was too much of a “mixed bag” to take a position.
What Proposition 24 means for federal privacy laws
Proposition 24’s passage adds to California’s reputation as the state that pioneers progressive laws that the rest of the country later adopts. Since CCPA, other states have tried to pass their own privacy laws — with varying degrees of success — though none has managed to get one on the books that’s quite as strong.
Some companies have extended CCPA protections to everyone in America, but they don’t have to, and many haven’t. Seeing Californians pass another digital privacy law may be the encouragement the federal legislature needs to get going on its own version. And Mactaggart thinks Proposition 24’s rules that make it very difficult to change the law will tell businesses — and federal lawmakers — that privacy laws are here to stay.
“This is a new reality for one in eight Americans, it ain’t going away,” Mactaggart said. “I think you’ll start to see more of a push to get good protections in the country. And if that doesn’t work, I think other big states will adopt something like ours.”
Companies that make most of their money through internet advertising and the data collection that powers it have been allowed to self-regulate for most of their existence, and data privacy is nonexistent as a result. Over the past few years, however, there’s been an increased focus on, and criticism of, Big Tech — especially Google and Facebook, two of the biggest and most well-known data-sucking companies out there — which has resulted in a push for privacy laws to force those companies to do what they won’t on their own.
Going into 2020, the question wasn’t if a federal privacy law would be passed but what it would look like. The Senate Commerce Committee had a hearing to discuss proposed legislation, and its ranking member, Sen. Maria Cantwell (D-WA), put out her version of a bill. (The committee chair, Mississippi Sen. Roger Wicker, put out his own almost a year later, in September 2020.)
There was also a bipartisan bill from Sens. Amy Klobuchar (D-MN) and John Kennedy (R-LA) back in 2018; Sen. Ron Wyden (D-OR) has released countless privacy bills, including his October 2019 Mind Your Own Business Act; and Sen. Josh Hawley (R-MO) has put out plenty of privacy bills of his own, some of which are bipartisan. California Democratic Reps. Anna Eshoo and Zoe Lofgren unveiled their data privacy bill in November 2019, while Sen. Kirsten Gillibrand (D-NY) rolled hers out in February 2020. Both of those bills provided for a separate federal agency to investigate privacy or data protection violations.
By March, of course, there were more pressing concerns than privacy bills. In the earlier days of the pandemic, there was even a possibility that all that data companies collected about people and their movements would actually help stop the spread of the coronavirus; companies that specialize in location data sure wanted us to think so. Health privacy rules were relaxed to give people greater access to telehealth services. And millions of students being forced into remote learning came with its own privacy issues. In the first few months, Congress was too busy trying to pass pandemic recovery legislation to do much for digital privacy.
By the second half of the year, Big Tech regulation became increasingly politicized, with Republicans taking cues from President Trump and railing against perceived political biases on social media platforms — and turning to legislation that would undo or change Section 230, which protects platforms from liability for the things people say on them, to try to stop it. There is bipartisan support for using antitrust laws to regulate the largest tech companies, part of which includes those companies’ privacy practices. But even here, some Republicans have hijacked antitrust hearings to rail about censorship of conservatives rather than the actual issues.
So now the question is, what will 2021 bring, if anything, to privacy legislation? Democrats have said they are ready and willing to move forward on it if given the opportunity. Republicans have been more focused on Section 230, but that won’t matter much if they lose control of the Senate — or even the presidency.
“We need a Data Protection Agency and comprehensive data privacy legislation,” Gillibrand told Recode. “I am committed to working with my colleagues in Congress to hold tech firms accountable, while maintaining the most innovative, successful tech sector in the world.”
If nothing happens at all on a federal level, well, we’ve still got California, right?