“Proposition 24” has been passed by voters, with 56.1% of the 10.5m votes in California cast in favour, and with it new privacy protections will come into law. PrivSec Report takes a look at some of the reactions to the Act’s provisions and finds out why some in the privacy world are not huge fans.

3rd November 2020 is a big day in the US electoral calendar – with not all of it Trump/Biden-related.

There are significant electoral implications for privacy in California, with the passing of the “California Proposition 24” ballot bringing the California Privacy Rights Act (CPRA) into law. With Alistair Mactaggart (a San Francisco real estate developer who many will remember for his California Consumer Privacy Act [CCPA] campaign just two years ago) at its helm, the initiative has aimed to beef up existing privacy protections in California and to track more closely with the GDPR.

With the CCPA itself only coming into enforcement in January this year, the new Act truly comes hot on the heels of what many already considered to be trailblazing privacy protections for consumers in California.

The new Act notably establishes the California Privacy Protection Agency – an independent agency to handle regulation and enforcement. It also allows consumers to prevent businesses from sharing personal data, amend their personal data, and limit the use of “sensitive personal information” such as precise geolocation, race, ethnicity and health information. Companies would need to apply data minimisation, and consumers are able to find out how long their data will be retained. Businesses now have until 1 January 2023 to comply.

With more stringent provisions, there is even speculation that the CPRA could lay the groundwork for future adequacy with the EU – GDPR provides for the possibility of geographical adequacy that doesn’t include a country in its entirety – although any conjecture along these lines is currently just that.

Privacy is a popular topic in California, and the state’s enthusiasm for it has already set a high bar with the CCPA, considered to be at the front of the pack among US state privacy legislative regimes. For this reason, some find the ballot process, outside the usual legislative process, to be unhelpful – not least its timing, given the fact that modifications to the CCPA are still in progress through the California legislature and no CCPA court rulings have so far emerged.

“Given that CCPA and its amendments could form the baseline for a national privacy rights act, it would be beneficial to understand how the court system would interpret its provisions prior to making significant changes outside the legislative process,” says Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre.

Daniel Castro, director of the Center for Data Innovation, adds his objection that the lack of legislative process has meant less engagement with business.

“Usually even if we’re talking about any state legislature or in Congress, even if there’s disagreement with industry about what the final bill should look like, there’s usually agreement that at least it needs to be realistic for industry to comply with. That’s part of the negotiating process, where industry comes and says, Well, okay, we might disagree with this proposal, but if we’re going to do it, here’s how we can do it effectively and efficiently. And that’s where these proposals have really not taken on board any kind of feedback that you would typically have in a legislative process. I think that’s to the detriment of the final outcome.”

Given the aim of the CPRA to provide additional rights to Californians, one might expect support to have been unanimous among privacy campaigners or commentators – but in the run-up to Tuesday’s ballot, this was not the case.

But for some, the Act either doesn’t go far enough, or falls short of a net gain to protections.

“Prop 24 is a bit of a mixed bag when it comes to consumer privacy,” explains Paul Bischoff, Privacy Advocate at Comparitech.com.

“Prop 24 says it will let consumers tell companies not to share their personal data, but the CCPA already requires companies to allow consumers to opt out of the sale of their data to third parties. Prop 24 also promises greater protections for children’s data, but COPPA, a federal law, already offers many of these protections. Although COPPA isn’t all that effective, I have no reason to suspect that Prop 24 would do any better,” he says.

Among the expanded rights afforded by the CPRA is the right to opt out of the sale of personal information to third parties, and of the sale and sharing of personal data for cross-context behavioural advertising. Opting out is a clear difference from some other regimes – the GDPR, for example, specifies that consent for processing personal information must be given in a “clear, affirmative act”.

“You’re still leaving in this opt out of sale which is in and of itself very different fundamentally from the rest of the privacy world, but it still kind of facilitates that conversation with executive management, with employees, around how do we now approach data privacy?” says Ross Parker, Head of Privacy Operations and Global Strategy for S&P Global Inc.

Says Chris Hauk, Consumer Privacy Champion at Pixel Privacy, however: “I would prefer to see an opt-in system instead of the opt-out system outlined in the proposition, but that is probably one barn door that will forever be unable to be closed.”

But the expansions to opting mean considerable changes for some sectors such as AdTech, according to Jordan Abbott, Chief Data Ethics Officer of Acxiom:

“It will expand current definitions in the CCPA, like expanding the definition of ‘sell’ to include the mere act of sharing, even if there is no exchange of consideration. It will impose new obligations such as correction and opt out for use of sensitive information. It will also require downstream notification of deletion requests.

“The CPRA could substantially alter the way digital advertising works by ushering ‘do not track’-type technology by default, making it increasingly more difficult to activate advertising at an individual level. However, it could also compel many companies, including very large tech companies, who felt they fell outside the scope of the current law, to comply.”

Some even believe that the new Act could actually reduce protections for consumers.

“Overall, Prop 24 would benefit businesses more than it would benefit consumers… Businesses get more loopholes through which they can collect, process, retain, and share user data, even if a user opts out or requests deletion. Protections for biometric privacy will be weakened, and consumers can’t sue companies when their right to privacy is violated,” explains Paul Bischoff, Privacy Advocate at Comparitech.com.

Chief among the concerns of many privacy advocates is the risk that companies will be able to charge consumers for their privacy rights. The Electronic Frontier Foundation (EFF) earlier this year explained that the CPRA’s exemption of “loyalty clubs” from the CCPA’s limit on setting different pricing for consumers who seek privacy allows businesses to withhold discounts unless data is provided, which could then be disclosed to others.

“Unfortunately, pay-for-privacy schemes pressure all Californians to surrender their privacy rights. Worse, because of our society’s glaring economic inequalities, these schemes will unjustly lead to a society of privacy ‘haves’ and ‘have-nots’,” the EFF said in a statement.

“The part of the measure that allows companies to charge customers more for goods and services if they decide not to share their data with them is simply wrong,” says Hauk at Pixel Privacy.

“Most loyalty card programmes I’ve seen will offer discounts off regular prices to members willing to share their data, while non-members pay the retail price. While this makes sense, a system that would allow companies to charge more for their items would erase any benefit of such a programme, as members would likely end up paying retail, while non-sharing customers would pay a premium on top of retail. Being allowed to charge people for the ‘privilege’ of keeping their privacy is wrong.”

Undoubtedly the CPRA ushers in key changes to the rights of Californians over their personal information. But the reverberations could go beyond the state, and onto the national stage, where the lack of a federal law is a privacy-shaped hole that is likely to be filled by the new administration.

“It will hopefully increase the likelihood of a national privacy law passing within the next 2-3 years,” says Abbott at Acxiom.

“Consumers and businesses would both benefit from a uniform law that protects consumers while at the same time preserving and encouraging innovation. Until a national privacy law is passed, we can expect other states to pass CPRA-like laws in their state.”

Eyes were already on the California privacy regime, but now it seems that the lens will be focused more squarely on what happens next in this agenda-setting state.