California’s Proposition 24 is an ambitious—but controversial—privacy overhaul

California’s privacy law is getting a big update to close certain loopholes. But it’s more business-friendly than consumer advocates like.


In the United States, California is leading the way toward creating personal privacy rights. Now, a new proposition that will be on the ballot November 3 hopes to both close certain loopholes in the state’s original legislation and make some concessions to businesses. If it passes, it could serve as a template for legislation for other states as they continue to build out privacy rules.


Right now, that’s looking likely. Former Democratic presidential candidate Andrew Yang, Consumer Reports, the NAACP, and the mayor of San Francisco, London Breed, have come out in support of Proposition 24. A September poll from London-based consulting firm Redfield and Wilton Strategies showed that 60% of Californians were in favor of the proposition.

California passed the California Consumer Privacy Act in 2018, four years after Europe passed its General Data Protection Regulation. The law, which gave Californians transparency into how their data is used and the ability to opt out of data collection, went into effect this year. Now, the California Privacy Rights Act—Prop 24—is hoping to make the original rules more nuanced and expansive. If approved, it would essentially replace the CCPA. However, the proposition has caught backlash from privacy experts for not going far enough to protect consumer privacy. Silicon Valley, meanwhile, has been quiet about whether it supports the bill.

The California Privacy Rights Act (CPRA) of 2020 adds a lot of specifics to the CCPA and proposes a new state agency. The act would take enforcement out of the hands of regulators and give it to the California Privacy Protection Agency, which would ensure companies are compliant and fine them when they’re not. This agency would also be in charge of codifying the rules that Prop 24 outlines.

One of the proposed new rules would make it harder for companies to track people who don’t want to be tracked around the web, a phenomenon called cross-context behavioral advertising. People can opt out of this sort of cross-web tracking under the proposition. In addition, the legislation states that the new Privacy Protection Agency will have to create specifications for an opt-out preference signal. The signal would be a piece of code that could alert companies that a person doesn’t want to have their web behavior used for targeted advertising. The regulatory agency would create the technology and operational specifications for the signal, but companies (or a nonprofit) would have to build it.

“A type of company that would do this would be a web browsing software company like the makers of Explorer, Chrome, Safari, and Firefox,” says Kristen Mathews, a partner at law firm Morrison & Foerster, who focuses on cybersecurity and privacy legislation. “They could use this specification to create a signal that is transmitted by the web browser.” Some organizations such as Mozilla and DuckDuckGo have already started building automated controls that let users alert companies when they don’t want to have their data shared or sold.


The rule will also create a much bigger cybersecurity burden for businesses and bring the duty to use reasonable security procedures and practices under the purview of the Privacy Protection Agency. The new regulatory agency will have to come up with rules and enforcement processes that make annual cybersecurity audits and risk assessments mandatory for some businesses. Under the proposition, regulators will also have to determine what kinds of businesses qualify for regular audits.

“It will depend on how much risk is involved in the businesses handling data,” says Mathews. “I expect it will have something to do with how sensitive the data the business handles is and how much of it they handle.”

Good for business

Tech companies have been noticeably silent on the issue. That’s likely because not everything in Prop 24 is bad for business.

Mathews says that businesses are probably in favor of the creation of the opt-out preference signal. While it may mean less ad revenue from those who opt out of targeted advertising, it simplifies the process, making it easier for companies to take people out of their data-gathering systems.

The new rule will also broaden the definition of publicly available data, which companies are already able to use to understand consumers. “Public information” was previously defined as having to come from a government source. Prop 24 will allow companies to collect more kinds of public data about individuals, including public social media posts and other widely available media.


They’ll also be able to use third-party data so long as that third party isn’t required to keep that information confidential. This means that companies can still buy data from data brokers—companies that amass lots of personal information through scraping the web and public records—so long as an individual has not opted out of having their data collected by that data broker or asked that data broker not to share their data. It’s unlikely that most people would seek out a data broker to do either of these things, as many of these companies are secretive and difficult to pin down.

Under Prop 24, companies may also be able to refuse requests to delete personal information if they say the data is necessary to ensure the security of their platforms. They also no longer have to respond to individual data requests, which was something they previously had to do under the CCPA. As long as companies reveal what businesses or what category of businesses they share a person’s data with in their privacy policy, they are off the hook for providing a full data report.

“It doesn’t have to be customer-specific, but it has to be accurate for the customer, and that can be achieved with a privacy policy if you’re careful how you address it,” says Mathews. “It doesn’t say you have to name the companies with whom you share it; it just says you have to name the category of businesses with whom you share it.”

However, other California laws still will require businesses to provide individuals with information about how their data is used. The Shine the Light law, for example, requires businesses that share customer data for direct marketing purposes to disclose names and addresses for all the companies that they have shared data with. However, the CPRA and its new regulating agency won’t be responsible for ensuring that customers can access information about how their data is shared.

“Fake privacy”

One of the big complaints about the new rules is that they continue to put the onus on people rather than companies to protect their own data—just as the CCPA did. Under the rules, businesses can collect data as they always have unless someone opts out of having their data collected. Privacy advocates such as the Electronic Frontier Foundation would prefer that the rules instead made companies ask people for their permission before collecting their data through an opt-in policy.


“EFF advocates for an opt-in model of data processing, where businesses cannot collect, use, share, or store our information without first getting our explicit consent. This makes privacy the default option,” the organization wrote in its dismissal of Prop 24. Overall, the EFF says that the proposition doesn’t go far enough to advance personal privacy rights. However, the organization stopped short of opposing the bill.

The American Civil Liberties Union, meanwhile, has called Prop 24 “fake privacy,” saying the proposition undermines key pieces of existing privacy law and increases the burden on individuals for protecting their own privacy.

In addition, there is concern that the new regulating agency created under the CPRA won’t be well equipped to make sure companies are complying. There were similar worries with the CCPA that the attorney general’s office did not have a large enough team or enough resources to bring more than a few cases per year. The EFF also points out that the new rule does not embolden people to sue companies that mishandle their data. Instead, it relies on the new enforcement agency to ensure companies are in compliance.

Mathews agrees that the new rules won’t change much for Big Tech, even though there are a lot of new specifics in the proposition.

“It probably won’t make a big dent in the big companies’ operations, but it does give consumers [rights] that they don’t have already,” she says. She doesn’t think a lot of people will opt out of data collection and sharing. “But for consumers out there who really do care about this, they will be able to have more control over the data that businesses have about them.”

About the author

Ruth Reader is a writer for Fast Company. She covers the intersection of health and technology.