Privacy Prevails at the Ballot Box

For many voters, Election Day in the United States was more than just about voting for government officials such as the president, lawmakers, judges, and sheriffs. They were also asked to weigh in on referendums, new state laws, and amendments to the state constitution.

Voters in 32 states voted on 120 ballot measures this year, encompassing topics such as education, healthcare, and criminal justice. There were 18 measures in 14 states on election policies such as campaign finance, redistricting, and term limits; 19 measures in 12 states dealing with tax-related policies; and four states voted on legalizing recreational marijuana (two states were for medical marijuana only). California, Massachusetts, and Michigan considered three measures that would have a significant impact on privacy policy. Voters approved all three—and each one will influence individual privacy and security in very different ways.

Ballot Measures

Proposition 24, which would modify the two-year-old California Consumer Privacy Act, was approved by 56 percent of California voters. The initiative calls for more stringent provisions, an expanded definition of what constitutes “personal data,” and the creation of a Privacy Protection Agency to enforce the law. Of the three ballot measures, Proposition 24, or the California Privacy Rights Act of 2020, had prominent people on both sides of the initiative, making it really difficult to tell whether the passage was a win or a loss for consumer data privacy.

Supporters included Common Sense Media, Consumer Watchdog, former Democratic presidential candidate Andrew Yang, and Congressman Ro Khanna. Opponents included the ACLU of Northern California and Electronic Frontier Foundation. One concern was that CPRA may wind up giving businesses more power to decide what to do with consumer data, instead of giving consumers more control over their own information.

With CPRA's passage, the law will change to include companies that share data with third parties, and not just those that sell data to third parties. It will also help "clarify some of the discrepancies and clarifications from CCPA and puts in some interesting operationalization requirements for companies, like retention limits, minimization, audits & risk assessments for high risk processing, and more," said Heather Federman, vice president of privacy and policy at BigID.

Even though CPRA won't be fully in effect until 2022, the Privacy Protection Agency will be up and running by the summer of 2021, which means there will be more resources at the state level to investigate complaints (under CCPA) and enforce the privacy law. The agency would be the first in the United States dedicated solely to privacy, similar to how members of the European Union have their own Data Protection Authorities. Enterprises that had avoided the work of addressing CCPA's requirements will likely need to make changes to comply with CPRA.

"One of the main practical challenges for enterprises moving forward will be ensuring they know their consumers' data, especially when it comes to their 'sensitive personal information'," Federman said. "For companies that have been taking a half-baked approach to CCPA compliance, this could make CPRA compliance tricky."

While California voters considered data privacy, Massachusetts voters weighed in on the Right to Repair law. Question 1 proposed updating an existing automobile-repair law to address data sharing. Automobiles are increasingly collecting and sharing wireless data, which raises the question of who has access to that wireless car data and how secure it is. The Coalition for Safe and Secure Data, backed by major automakers, urged voters to reject Question 1, claiming that giving vehicle owners and independent repair shops access to the data could pose data security risks. Supporters said voting "Yes" would mean that cars would be required to use a standardized platform, which means vehicle owners and independent repair facilities would also have access to the data instead of keeping it locked up with the repair shops owned by dealerships and automakers. Question 1 passing in Massachusetts could have a ripple effect beyond the state borders, and “could set the national standard for cars,” Kyle Wiens, the founder of California-based iFixit and a vocal right-to-repair advocate, told Wired.

Finally, 88 percent of Michigan voters overwhelmingly approved Proposal 2, an amendment to add language to the Michigan State Constitution that requires a search warrant to access electronic data or electronic communications. Proposal 2 stated that electronic data and electronic communications are secure from unreasonable searches and seizures. Michigan's vote is significant because of the sheer amount of user information that is online. Forcing law enforcement to get a search warrant means there will be fewer "fishing" expeditions where investigators cast a wide net and see who comes up, rather than focusing on specific individuals and crimes. For companies with consumer information, Michigan's Proposal 2 defines the steps law enforcement has to follow in order to gain access. This could have an impact beyond Michigan, as well.

Harbinger of Change

The fact that just three states had consumer privacy on the ballot is not an anomaly, but rather an indicator that this topic is going to become a bigger deal over the next few years. Ballot measures often act as bellwethers, indicating which issues are becoming important to voters. For example, California was the first state to legalize medical marijuana using a ballot initiative in 1996, which sparked a flurry of similar initiatives in other states. Colorado and Washington were the first to legalize recreational marijuana in 2012, and now there are many states that have followed suit—and there were four states that put marijuana on the ballot this year. As discussions about consumer privacy and data security become increasingly commonplace and federal and state legislatures continue to lag on enacting meaningful laws, more states could adopt ballot measures to protect individuals.

Of the three ballot measures, California's Proposition 24 may be the one heralding the future of privacy legislation.

"California is often a harbinger of social change in America," said Raju Vegesna, chief evangelist at Zoho. "Overall, the persisting absence of a national data privacy law in the U.S. means more states will take matters into their own hands, following in California’s footsteps."