Los Angeles, CA — The nonprofit Consumer Watchdog today endorsed the California Privacy Rights Act (CPRA), Proposition 24, as a major step forward to enshrine the privacy rights of Californians and safeguard it from legislative assault, add key new protections, and introduce a tough European privacy regime to California.
“Under Prop 24, a consumer can limit the use of their sensitive information to stop Uber from profiling them based on race, stop Spotify from utilizing their precise geo-location and prevent Facebook from using their sexual orientation, health status or religion in its algorithms,” said Carmen Balber, Consumer Watchdog’s executive director. “In addition, Californians won’t have to worry about the legislature repealing key privacy rights, will have stronger rights to personally enforce privacy laws and will have the protection of a well-staffed and funded European-style privacy commission to protect their rights.”
Consumer Watchdog pointed to the huge benefits for consumers from Prop 24:
- Since the enactment of the landmark California Consumer Privacy Act (CCPA) in 2018, 18 bills in the California legislature have sought to directly amend the law and 6 would have eviscerated its major provisions. Many more statehouse assaults are expected from the wealthy industries opposed to the law. The CPRA enshrines Californians’ new privacy rights so that legislative amendments can only “further its purposes” and be more privacy protective. A body of case law developed under legislative assaults on insurance reform Prop 103 makes clear that “furthering the purposes” allows for the addition of pro-consumer protections but not changes that undo the purpose of the law.
- Consumers can opt out of the use of sensitive personal information – such as race, religion, health status, sexual orientation, precise geo-location, genetic disposition – by companies, a key addition to existing protections under the CCPA that only allows consumers to prevent the information from being sold by a company.
- Individuals’ private right of enforcement when a data breach occurs is enhanced by taking away the provision in current law that gives companies 30 days to fix the data breach before being liable. Email and password are added to categories of data under which an individual can hold the company accountable for breach.
- Significant new privacy rights will be available to Californians – including the right to data correction, purpose limitation, storage limits, and data minimization – in line with the protections provided in Europe under the GDPR. Californians’ protections would be sufficient for the state to gain “adequacy” under European law to give the state a leg up in fast track commerce with the European Union, assuming the US and EU resolve the national security aspects of privacy laws currently under discussion.
- A European Union style privacy commission will be funded to enforce the law. The commission must develop expansive new privacy rules for consumers: For instance, a right to know meaningful information about the logic behind Google’s automated targeting algorithms and behind the information they see popping up in their Facebook feed.
Consumer Watchdog noted that opponents of the law have misrepresented or misinterpreted its provisions.
Prop 24 takes away the ability of companies to retaliate against consumers by charging more, if they remove “Do Not Sell” pop-ups in favor of respecting a “Do Not Track” signal.
Some opponents complain that Prop 24 relieves websites of the responsibility to post a “Do Not Sell” notice. In fact, Prop 24 gives companies the choice between a) posting the notice and being able to discriminate against consumers who exercise their rights (current law); or b) not posting the notice, and agreeing not to discriminate against consumers who exercise their rights. All companies will still have to respect a “Do Not Sell” signal sent by a consumer through a browser or app, but if a company chooses not to post the “Do Not Sell” notice, then it is barred from retaliating against the consumer for making the “Do Not Sell” choice by charging more or throttling back speed. This ability for companies to retaliate against consumers for making the “Do Not Sell” choice has been a chief complaint against the existing CCPA, and its elimination for some companies is a substantive gain under Prop 24.
Prop 24 creates an inviolable floor for privacy protections, allowing only legislative changes that would increase, not reduce, people’s privacy.
Some opponents mistakenly claim Prop 24 will prevent the legislature from enacting more generous privacy laws.
Prop 24’s stated intent is “to further protect consumers’ rights, including the constitutional right of privacy” and warns that “the Legislature considered many bills in 2019 to amend the [California Consumer Privacy Act of 2018], some of which would have significantly weakened it. Unless California voters take action, the hard-fought rights consumers have won could be undermined by future legislation.” The measure states that “Rather than diluting privacy rights, California should strengthen them over time.”
Prop 24 also states: “The provisions of this Act may be amended after its approval by the voters by a statute that is passed by a vote of a majority of the members of each house of the Legislature and signed by the Governor, provided that such amendments are consistent with and further the purpose and intent of this Act as set forth in Section 3 . . .
As Berkeley law professor David Carrillo writes, “This statement of intent unambiguously sets the floor and creates a one-way ratchet: the legislature can only amend this initiative by increasing privacy protections. Some opponents of Proposition 24 apparently argue that a legislative amendment of the law must satisfy everysection of the law for it to be valid. That misstates the standard described above, and there is little danger a future court will use that approach.” His full article explaining the case law that supports his position can be found here: http://scocablog.com/how-california-lives-with-two-legislatures/
Prop 24 adds needed detail to definitions to increase privacy protections overall and make the law consistent with European standards and US law.
Some opponents mistakenly claim definitional changes under Prop 24 weaken the law. The definitions taken overall strengthen the law, making it easier to use and conforming several definitions with European Union and US constitutional standards. For example, the definition of service provider has been amended to prevent a service provider from combining data it collects from different clients, an issue the CCPA is silent on. Standards related to “public availability” were altered to conform to constitutional lawyers’ understanding that information consumers put into public use themselves cannot be protected constitutionally.
7 Ways The CPRA Better Protects Californians
1. When your email and password are breached, consumers can sue the company at fault directly.
2. Your personal health condition can no longer be used against you or used at all by companies if you choose to opt out of its use.
3. The algorithms that dictate what we see in our Facebook feed or what ads we receive in our Google searches will no longer be allowed to use our most sensitive information – like race, sexual orientation, or genetic history – when we don’t want them to.
4. A one touch “do not track” setting on a browser or app can prevent a company that doesn’t display “A Do Not Sell” sign on its website from selling our private information and using our most sensitive information at all, and unlike current law, it will have no ability to penalize us for that choice.
5. Hate groups will no longer be able to buy data that track those who seek abortions to clinics to terrorize them, or find people to target them based on their sexual orientation, because such sensitive data will not be allowed to be used if consumers opt out.
6. When a consumers’ information is breached because a company was negligent it can be sued immediately.
7. Data brokers and tech companies will not have the ability to use their cash-clout to weaken privacy standards in the legislature.