California’s data privacy house is divided.
On the Golden State’s November ballot this year is the question as to whether to amend California’s barely-two-year-old data privacy law, the California Consumer Privacy Act. Far from the first attempt to change the fledgling law, Proposition 24 sets itself apart because its primary backer is the same man who ushered in the state’s data privacy law two years ago.
California voters are therefore presented with a strange, legislative about-face: One of the lead architects for California’s privacy law thinks it is already time to change that law—perhaps dramatically so. The proposition seeks to create a new category of consumer data, a new data protection agency, and new carveouts for certain uses of data.
The law-making whiplash isn’t just affecting voters, either, as many privacy advocates disagree with the changes, and the parallel campaigns both supporting and opposing Proposition 24 have split typical bedfellows.
Standing in support of the proposition are the consumer rights advocacy group Consumer Watchdog (with whom we recently spoke), family tech safety nonprofit Common Sense, civil rights organization NAACP, and multiple privacy scholars and notable politicians, including “surveillance capitalism” expert and Harvard Business School professor Shoshana Zuboff and former Democratic presidential hopeful Andrew Yang.
Standing in opposition are multiple consumer advocacy groups including Consumer Action (not to be confused with Consumer Watchdog) and Public Citizen, privacy and human rights nonprofit Center for Digital Democracy, racial justice organization Color of Change, and ACLU of Northern California.
This division has also produced potentially confusing, conflicting statements for Californians trying to understand which way to vote.
For example, on one side, the NAACP has voiced support for Prop 24 because it “allows consumers to stop companies from using online racial profiling to discriminate against them.” On the other side, however, ACLU of Northern California has asked voters to vote no on Prop 24, arguing that it “will disproportionately harm poor people and people of color.”
Who then is right?
As is usually the case in data privacy debacles, the devil is in the details. In fact, both groups have a point—they’re just focusing on different pieces of the proposition.
Today, let’s look at why this one ballot prop has divided a typically unified group of privacy advocates.
The origin of the California Consumer Privacy Act (CCPA)
More than two years ago, a real estate developer became a privacy advocate.
Alastair Mactaggart has told the story of his transformation many times, and it always begins with a Google engineer disclosing just how much information the company knows about its consumers. After learning about a legislative tool in California politics that allows voters to directly approve policy, Mactaggart began drafting up a ballot proposition with a co-lead named Mary Ross.
That proposition never made it onto the state’s 2018 ballots, but it didn’t have to. By working directly with state lawmakers, Mactaggart and Ross managed to write up a bill eventually signed into law by then-governor Jerry Brown.
On June 28, 2018, the California Consumer Privacy Act, or CCPA, became law. With the governor’s signature, Californians could eventually expect new data privacy rights, including the rights to access and delete their data, port their data to another provider, and opt out of having their data sold.
The success of the law today, however, eludes easy definition. Simply put, not enough time has passed. CCPA did not come into effect until January 1, 2020, and businesses and consumers lacked details on compliance and on how to assert new data privacy rights. California’s Attorney General finally submitted those details, called “regulations,” this summer.
If such little time has passed, then, why already try to change it?
According to Mactaggart, it’s because the law already needs major support, after facing no fewer than 18 legislative attempts to amend it in the past two years—several of which could have taken the teeth out of the law’s protective bite.
“I’m not a politician. I don’t want to be a politician. I just want to get a good law in place,” Mactaggart told CNN. “It was a little daunting to see how hard business tried to just destroy it this year.”
What is Prop 24?
To its supporters, Proposition 24 is a chance to strengthen a data privacy law that is already a prime target.
If passed by voters, Prop 24—also called the California Privacy Rights Act, which runs a full 52 pages—would amend the CCPA to create a new category of “sensitive personal information,” create a new right of data “correction,” triple some of CCPA’s fines for violations regarding children’s data, amend the liability companies face for some data breaches, and create a new data protection agency to handle enforcement of the CCPA.
Prop 24’s new category of “sensitive personal information” would receive new data protections, too, as Californians could separately choose to protect this data from certain uses.
According to the bill, “sensitive personal information” would include precise geolocation data, information revealing racial or ethnic origin, religious or philosophical beliefs, or union membership, email and text message content, genetic data, and biometric information that is specifically collected and analyzed “for the purpose of uniquely identifying a customer.” The proposition would also include Social Security, driver’s license, state ID, or passport numbers in its definition of “sensitive personal information.”
Granting people the ability to stop companies from using sensitive information in ways that they do not approve of is a major boon to Californians, said Carmen Balber, executive director for Consumer Watchdog.
“Under Prop 24, a consumer can limit the use of their sensitive information to stop Uber from profiling them based on race, stop Spotify from utilizing their precise geo-location and prevent Facebook from using their sexual orientation, health status or religion in its algorithms,” Balber said.
Further, the creation of a data protection agency has won over several supporters, including entrepreneur and former presidential candidate Yang. In a recent piece for The San Francisco Chronicle, Yang wrote positively about the data protection agency which could serve as a “watchdog over big tech.”
But for several privacy rights advocates, Prop 24 also includes too many concessions—and too many lost opportunities—to earn their support.
Electronic Frontier Foundation, which neither supports nor opposes the proposition, said instead:
“Prop 24 does not do enough to advance the data privacy of California consumers. It is a mixed bag of partial steps backwards and forwards.”
Prop 24 opposition
Though Prop 24’s detractors have several separate concerns, each organization cites the same problem with the proposition: It expands the CCPA’s current allowance for “pay-for-privacy” schemes.
Pay-for-privacy schemes rear up in data privacy bills every few months, and they always present the same risk. In fact, Malwarebytes Labs already wrote about a pay-for-privacy provision included in a data privacy bill introduced last year. In that bill, consumers could have been penalized for exercising their potential right to not be tracked online, after signing up for a universal “Do Not Track” website.
Prop 24, however, packages the pay-for-privacy risk a little differently. According to Prop 24, businesses could withhold discounts from customers exercising their privacy rights strictly when operating “loyalty club” programs.
The carve-out may sound small, but, according to ACLU of Northern California, the expansion of any pay-for-privacy scheme would disproportionately harm at-risk communities first. The argument is similar to the organization’s concerns with any “data as property” proposals—struggling families who need the money the most would not be able to say no to any bargain that puts a dollar amount on their data privacy.
“The fact is that working families are already struggling to stay healthy, find a job, keep food on the table, and maintain their housing,” the organization wrote. “No one should be put in the position of choosing between the necessities of survival and their privacy.”
Separate from the pay-for-privacy risk, the No on Prop 24 Coalition—which includes ACLU of Northern California, Oakland Privacy, Indivisible SF, and the California League of Women Voters—published a list of complaints about the proposition.
The group said that Prop 24 would allow companies to collect Californians’ data as soon as they leave state borders, override an incoming law that grants more data transparency for employees, and, as a bit of a mini-bombshell, it includes a carveout for credit reporting agencies that, according to one news site, is lifted “almost verbatim” from a lobbyist’s demands.
Finally, the No on Prop 24 Coalition said that Prop 24 would re-shift the burden of data privacy back to the consumer, forcing Californians to opt out of data usage and sales with each and every individual website and app that they visit and use.
This is a known problem in data privacy, and it is in part why just this year, US Senator Sherrod Brown of Ohio passed around a federal data privacy bill that no longer hinges on the idea of consent.
Californians will finish voting with the rest of the nation on November 3. According to recent polling released by the Yes on Prop 24 campaign, the proposition could smoothly sail into becoming law. According to that data, a whopping 77 percent of likely voters in California plan to vote yes.
That statistic is, admittedly, a shock, not because Malwarebytes Labs has a position on the ballot proposition, but because of an entirely separate, non-controversial opinion: 52 pages is a lot to ask voters to read through.