Security news that informs and inspires

California Voters Asked to Amend Privacy Law

California voters will vote this Election Day on Proposition 24, on whether to expand the groundbreaking privacy law that was passed just two yeras ago. Proposition 24, or the California Privacy Rights Act of 2020, builds on the California Consumer Privacy Act of 2018 which just took effect this year. Early voting has already begun in the state.

CCPA limits how companies gather personal data and how they could monetize it, and gives consumers the right to know what information a company has collected about them, opt-out of data collection and sale of their data, and to request the data to be deleted. Voters will vote on CPRA, which would allow consumers to prevent businesses from sharing their personal information and also give them the ability to correct errors in any of the collected information.

Considering that enforcement for CCPA began just this summer, it is a startling that there already is an attempt to change the law. Part of the reason is to push California’s privacy law to be more like GDPR, and that way bring parts of the United States closer to the protections that already exist for Europeans under the European Union's General Data Privacy Regulation. While CCPA is considered to be the most comprehensive privacy law currently in the United States, privacy advocates say it is not as robust as GDPR. The idea is that CPRA will add GDPR-elements to the law.

CPRA is full of "nuances" to privacy law that doesn't currently exist in CCPA, said Heather Federman, vice-president of privacy and policy at BigID. It is really difficult to predict right now how the privacy landscape will change (or not change) if the proposition passes and CPRA becomes law.

Proposed Changes

CPRA refers to data sharing, in order to close a perceived loophole based on the CCPA's use of selling data. Many companies have justified their data collection policies or said CCPA doesn't apply to them because they aren't selling or otherwise monetizing the data. The wording change in the CPRA means the privacy law applies to any kind of data exchange, regardless of any money or other service that may be offered.

This isn't just semantics, because the switch in vocabulary would expand the pool of organizations that would have to comply with the law. Adtech would be possibly the most impacted, although the law could potentially apply to non-profits and other organizations that have data-sharing arrangements with other entities.

Another subtle change that sounds positive but will really depend on how businesses respond is the rule around data minimization, Federman said. The idea is that businesses cannot collect personal information just for the sake of having the information; the business should collect only what is necessary to provide the requested good or service. That is the direction privacy laws have been moving, by restricting businesses from rampant collection. Proposition 24 allows businesses to define "necessary" to encompass a whole range of activities even if they aren't actually being used, and that may not match what the consumer is expecting. Whether or not minimization works will depend on how businesses handle this rule.

Another change is the ability to correct the data. CCPA gave consumers the right to ask their data be deleted, but there was no mechanism for correcting the information that had been collected. GDPR gives consumers the right to correct the data, and CPRA's language also includes that right. If Proposition 24 passes, businesses would have to add that mechanism to their current data management workflow.

Being compliant with CCPA does not automatically mean the company is complaint with GDPR, and vice versa, because there have different requirements. The law also affected organizations differently. GDPR applies to all firms, regardless of size, handling personal data of European Union residents. CCPA is limited to companies with gross annual revenues in excess of $25 million that handle the personal data of more than 50,000 consumers— or derive more than half of annual revenue from selling consumer data. And the right is given only to California residents.

For organizations who have spent the few years preparing for GDPR, adding on the new elements required by CPRA won’t be that difficult, said Dan Clarke, president of IntraEdge. However, the changes prposed would be considered a big change for all the companies who would be affected by CPRA but didn't previously have to have to worry about GDPR.

For example, CPRA also creates a new category of data, the "sensitive" information, which refers to precise geolocation, race, ethnicity, and health information. Consumers would have the right to opt-out of sensitive data being collected, which would need to be treated differently from personal information. The new classification would pose a "material operational change" for businesses, Clarke said.

The most intriguing part of Proposition 24 is the creation of a California Privacy Protection Agency to enforce privacy law and issue fines to companies for violating the regulations. Currently, enforcement authority is with the state's Attorney General's office, and Attorney General Xavier Becerra has said the office's limited resources would mean actions taken on only a handful of cases each year. If Proposition 24 passes, a well-funded agency—with an annual budget of $10 million and staffed by 40 people—would have the authority to act against more violaters. Even though the law itself wouldn't be fully in effect until 2022, the agency would be up and running by summer of 2021, which means the agency would be able to take on the workload of enforcing CCPA, as well.

The CCPA originally had language regulating data collection of minors under the age of 13, and those between 13 and 16 years old. Companies trying to collect data of 13-years-old-and-younger crowd would need parental authorization, such as a signed document provided by postal mail, fax, or electronic scan. Minors between the ages of 13 and 16 must separately be informed of their right to opt-out at a later date. CPRA would triple the fine on companies that violate kids’ privacy or illegally collect and share information about minors.

Against the Law

One of the reasons for putting forward CPRA as a ballot measure is to block future lobbying attempts to weaken provisions of the law with exemptions for businesses or proposals to change enforcement rules which seem to change the spirit of the law. As a ballot initiative, the language of the law would be final once passed, and the only way to tinker with the law is to introduce another proposition on the ballot.

“Business is actively seeking to undermine the protections that were just put in place,” Alastair Mactaggart, a San Francisco real estate developer who advocated for CCPA and supports CPRA, told the Associated Press.

There are several big names who have come out in support of Proposition 24, including Common Sense Media and Consumer Watchdog. Former Democratic presidential candidate Andrew Yang is chairing the advisory board. There are just as prominent voices on the other side urging voters to reject the ballot initiative, including the ACLU of Northern California and Electronic Frontier Foundation. The San Francisco Chronicle's editorial board, recommended voters reject the proposition.

The Electronic Frontier Foundation, interestingly, said it "does not support it; nor does EFF oppose it."

It [Prop 24] is a mixed bag of partial steps backwards and forwards. It includes some but not most of the strengthening amendments urged by privacy advocates," EFF's Lee Tien, Adam Schwartz, and Hayley Tsukayama said in a post back in July. In that same post, the writers concluded, "we won’t be supporting Prop 24.

An issue with the CPRA is that it continues to put the onus of privacy on the consumer, Federman said. CCPA places the burden on consumers to opt-out of collection and sale and to request deletions. CPRA adds yet more tasks, to opt-out of sharing and to request corrections. Most people will not be able to go through the requests for every single organization. This means, that regardless of which version of the privacy law is in place, many businesses will be able to retain and sell/share user data, even though many consumers wish otherwise. Privacy should be by default.

Proposition 24 also changes how businesses handle deletion requests, as a business could refuse to delete the data even if a consumer makes the request if keeping the data would “help to ensure security and integrity.” The changes would also reduce the business's responsibility to communicate the consumer's deletion request to all the other companies who got that data. It isn't really reasonable to expect a consumer to identify all the entities the business shared the data with and make individual requests to have the data deleted.

The biggest opposition appears to be around the perception of a loyalty program, as the law would allow businesses to charge customers higher prices (or withold a discount)—“pay for privacy”—if they refuse data collection. There have been echoes of that in the past, such as when AT&T piloted a program that offered different privacy policies for those members, Federman noted. Privacy advocates have pushed back on the perception that privacy is possible only for some people.

"Unfortunately, pay-for-privacy schemes pressure all Californians to surrender their privacy rights," the EFF wrote. "Worse, because of our society’s glaring economic inequalities, these schemes will unjustly lead to a society of privacy “haves” and “have-nots.”