By Jonathan Greig, TECH REPUBLIC
November 5, 2020
Millions of California voters have backed a controversial amendment to the state's consumer privacy laws, voting in favor of Proposition 24 by a 56%-44% margin.
A state guide for voters describes the proposition, also called the California Privacy Rights Act (CPRA), as a way for consumers to prevent businesses from sharing personal information, correct inaccurate personal information, and limit businesses' use of "sensitive personal information," including precise geolocation, race, ethnicity, and health information. The act would also create the California Privacy Protection Agency.
The proposition has ardent supporters and detractors on both sides of the online privacy debate, with some saying it was needed to fill loopholes in the landmark California Consumer Privacy Act and others bashing it for not going far enough or reinforcing dangerous practices.
In a statement, Alastair Mactaggart, chair of Californians for Consumer Privacy and the sponsor of the proposition, hailed it as the "beginning of a journey that will profoundly shape the fabric of our society by redefining who is in control of our most personal information and putting consumers back in charge of their own data." Mactaggart, a real estate developer, spent at least $5 million of his own money to support the proposition.
Carmen Balber, executive director of Consumer Watchdog, added in another statement that said "Prop 24 enshrines Californians' privacy rights and safeguards them from legislative assault, adds groundbreaking new protections for sensitive information like our race, sexual orientation and location, and creates a European-style privacy agency to protect our rights."
But now that the proposition has been officially passed and will take effect in 2023, experts are poring through the fine print to figure out how it will be enacted.
Chris Hauk, a consumer privacy advocate working for Pixel Privacy, called the proposition "a mix of a few steps forward and a few steps backward" and criticized it for adding "yet another layer of California government bureaucracy by creating a dedicated state agency to enforce the law."
The Los Angeles Times noted that the five-seat board that would lead the agency would be made up of appointees by the state's governor, state attorney general, state Senate rules committee, and speaker of the state Assembly.
"I would prefer to see an opt-in system instead of the opt-out system outlined in the proposition, but that is probably one barn door that will forever be unable to be closed. Also, the part of the measure that allows companies to charge customers more for goods and services if they decide not to share their data with them is simply wrong," Hauk said.
"Most loyalty card programs I've seen will offer discounts off regular prices to members willing to share their data, while non-members pay the retail price. While this makes sense, a system that would allow companies to charge more for their items would erase any benefit of such a program, as members would likely end up paying retail, while non-sharing customers would pay a premium on top of retail. Being allowed to charge people for the 'privilege' of keeping their privacy is wrong."
Comparitech privacy advocate Paul Bischoff echoed many of those criticisms and concerns, adding that much of what is covered in the act is already in other existing laws, including the CCPA. He also took issue with the "pay-for-privacy" scheme described in the act and said it would lead to discrimination against consumers who decide against sharing their personal data.
"Protections for biometric privacy will be weakened, and consumers can't sue companies when their right to privacy is violated," Bischoff added.
Other experts hailed the act as a massive step forward for privacy regulations in the United States and expressed hope that it would spur voters in other states to push lawmakers into enacting similar legislation.
KnowBe4 data privacy director Lecio De Paula Jr. said the proposition was exciting but noted that it will force companies to spend more to protect the privacy rights of consumers and may have a harsher impact on small- to medium-size businesses due to lack of resources.
"CPRA is going to do more than simply add 'teeth' to current CCPA requirements; it's going to transform it into something much closer to the EU's GDPR. Under CPRA, companies will be responsible for the way third-party vendors handle data, similar to GDPR's construct of data controllers and data processors," said 1touch.io's director of marketing Luis Marte.
"It will also require completing regular risk assessments and cybersecurity audits for high-risk data, which is straight out of GDPR. In terms of rights extended to consumers, it will triple fines for violations involving minors, and the opt-out will now apply to shared data, not only data that is sold. CPRA is a ballot initiative, which means that amending it will be a much harder process. This fortifies the status of the provisions."
Marte explained that it will force companies to collect only the data they need, limit the retention time of personal information, restrict the further transfer of personal information, and much more.
Saryu Nayyar, CEO of cybersecurity company Gurucul, said that while it will force costs on many companies, the shift to improved personal and consumer privacy "should be seen as a good thing."
"The added costs are likely to be offset by increased customer confidence, and the added security that will come with compliance efforts," Nayyar said.
But other experts noted that the new act places increased burden on consumers as well. Chloé Messdaghi, vice president of Strategy for Point3 Security, told TechRepublic that both the ACLU and the Electronic Freedom Foundation were either against the proposition or did not actively support it.
Messdaghi said one of the main issues is that many people aren't going to be willing to pay extra in order to have their privacy protected. Messdaghi added that it missed the opportunity to change the paradigm of privacy into an opt-in model, where businesses cannot store consumers' information unless the consumer opts in and expresses permission.
Forcing users to opt out still allows businesses to automatically collect information from user visits to websites unless consumers specifically opt out.
"That's unfortunate because many consumers won't know how to do that, some companies may even make the opt-out process unnecessarily complex and hard to locate. The fact is that most consumers don't want their data to be harvested and sold," Messdaghi said.
"The act says that businesses must be prohibited from collecting data beyond that which is required by them to provide the goods and services the customer has requested. This really lets businesses collect what they want. It also limits the power of consumers who want businesses to delete their data. Businesses can claim security and integrity concerns."
She added a bevy of other concerns, including the fact that the act ends the CCPA's protection of biometric data such as DNA and facial recognition data and also doesn't empower consumers to sue businesses that break their privacy rights.
Maureen Mahoney, policy analyst at Consumer Reports, said the new act fills gaps in the CCPA that tech companies were exploiting rampantly.
Companies like Amazon and Spotify say in their privacy policies that they don't "sell" your data as defined by the CCPA, so you can't opt out—though they share it with third parties to target ads to you, she said.
She added that companies have also exploited the service provider exemption in the CCPA to continue to deliver targeted advertising outside of the opt out.
"Prop. 24 will close up those gaps, and as a result, consumers will be more in control of their personal information. But, 2023 is a long way away, so we will continue to call on regulators to make clear that these loopholes are unacceptable," she said.
"Prop. 24 will help set an important precedent for other states by making clear that consumers have control over targeted advertising—that precedent is particularly important as industry is lobbying for wide exemptions for that privacy-invasive behavior in bills in other states, including New York and Washington."
She lauded the act for adding a provision that allows consumers to opt out in a single step through a browser privacy signal, but said it needed to go farther by providing consumers with privacy by default.
IntraEdge president Dan Clarke also highlighted that the creation of a new fully funded privacy enforcement agency will help actually enforce some of the rules in both the act and the CCPA as opposed to simply leaving everything up to California's Attorney General.
"If the Attorney General sends out 40 privacy notices in a month, a dedicated enforcement agency could efficiently review 40 websites in a day, which means more companies need to make an effort to comply with the CPRA," Clarke said.
Jacob Snow, technology and civil liberties attorney for the ACLU of Northern California, said the proposition passed "despite its deep flaws" but added that it "sends a clear message from California voters to the California legislature that they expect and demand action to protect their privacy and safeguard their fundamental privacy rights."
"Now is the time for the California legislature to build on Proposition 24 to make sure companies get permission before using or sharing our personal information, prohibit companies from charging us more for exercising our fundamental rights, and impose substantial consequences on companies that break the law," Snow said.
"Californians will not—and should not—accept anything less."