California currently leads the country in considering data privacy and the steps that should be taken to protect it. Two recent laws stand out – The California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020. Here I’d like to make an effort to provide an explanation of how the two acts work together.
What is CCPA, and Why is Proposition 24 Necessary?
The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and secures new privacy rights.
The intention of the CCPA is to provide California residents with the right to:
- Know what personal data is being collected about them.
- Know whether their personal data is sold or disclosed and to whom.
- Say no to the sale of personal data.
- Access their personal data.
- Request a business to delete any personal information about a consumer collected from that consumer.
- Not be discriminated against for exercising their privacy rights [source].
The intention of Prop 24 – otherwise known as the California Privacy Rights Act of 2020 (CPRA) – is to amend and expand the provisions laid out by the CCPA. In addition to strengthening protections, Prop 24 creates a California Privacy Protection Agency that would share consumer privacy oversight and enforcement duties with the California Department of Justice.
Critics of the CCPA believe that the act is vulnerable to attacks by corporate interests with unlimited wealth for lobbyists [source] and that it is riddled with loopholes that render it difficult to enforce [source]. The intention of Prop 24 is to give the CCPA teeth by enshrining it into state law.
Prop 24 was approved by California voters in the November 3, 2020 election.
So, What’s Wrong with CCPA?
The California Consumer Privacy Act of 2018 has been called some of the most robust privacy legislation in the United States. Still, problems emerged almost before the ink was dry.
Enforcement of this act is under the sole purview of the state Attorney General’s office – individuals are not allowed to sue companies directly (except in the case of data loss in a breach). Because the act does not designate resources for enforcement, very few cases can be addressed each year. The Attorney General’s office attempted to introduce a bill that would allow individuals to manage their own claims in 2019, but it failed [source].
Almost two years passed between the time CCPA was enacted and the time it came into force. Still, some companies have not yet complied – either by neglecting to add language to their websites/privacy policies or by claiming the law doesn’t apply to them [source]. Because of the lack of enforcement, these cases of non-compliance have tended to fall through the cracks.
Prop 24 provides for better enforcement by creating a California Privacy Protection Agency that would share the burden of enforcement.
Some of the loopholes that have emerged are related to how parts of the act are defined. For instance, some companies (Facebook is one) have determined that they are exempt from changing their data privacy procedures based on how they define “sell” in “Do not sell my information.” Companies that don’t necessarily sell data to third parties – they share it – do not consider that they violate the law by not adding a “Do not sell my data” provision on their website. Others argue that the law intends that “sell” = “share” in this instance, and all companies that share data in any way are included in the law.
The second area of ambiguity is in the language that allows service providers to continue to collect data that they require to conduct business. Since this provision doesn’t clearly define “necessary,” it’s easy to claim that any data is vital if they’ve written marketing and advertising into a business plan [source].
Prop 24 provides clarification on these points by amending the language of the act.
Discrimination based on opt-out:
Although CCPA says that companies cannot penalize consumers for opting out of data collection, critics suggest that consumers who do not allow their data to be collected will receive degraded or different services than those who do not opt out. We see this in the library world already – services that require some personal information to log in and/or data tracking sometimes offer more personalized services for those who choose to share their data.
Prop 24 doesn’t do anything to solve this. It repeats the claim that there will be no discrimination. Still, those against it (including the ACLU) say that the prop opens the door to higher charges for those who opt out, allowing companies to recoup losses from not sharing the data [source]. Such charges would create an economic burden for those who wish to protect their privacy and could potentially make privacy a luxury many cannot afford.
Check out this fascinating article from Wired for a more in-depth discussion of all of this. It talks about the history of CCPA and Prop 24, and looks at both sides of the arguments against Prop 24.
Arguments Against Proposition 24
Those against Prop 24 argue that, while legislation is needed to strengthen CCPA, the new Proposition has too many problems to be acceptable. The biggest one is economic discrimination, but there are others:
- Prop 24 puts the burden on consumers to opt out of data collection practices, one by one – at least according to interpretation. I read arguments against this reading, but it will take a lawyer or two to decide.
- Prop 24 would allow employers to gather personal data about their employees until January 1, 2023 [source].
- The California State Legislature may not amend or repeal an approved measure without submitting the change to voters. This means that once passed, a ballot initiative is more difficult to change than an act like CCPA [source].
- The text of Prop 24 is more than 50 pages long and contains complex legal language that the average voter cannot be expected to read and/or understand. For that reason, critics of the initiative have argued that it would be more appropriate for the legislature to initiate and pass such a law [source].
Prop 24 goes into effect on January 1, 2023, and will apply to data collected after January 1, 2022 [source]. All we can do is wait and see.
I learned a great deal from researching CCPA and Prop 24, but the lesson that stands out is that this is very complex and isn’t a problem that can be solved quickly or easily. I think that we’ll be wrangling these laws for decades to come.
Most libraries (public libraries, anyway) don’t have lobbyists and legal eagles to interpret these new laws and what they mean for us, our vendors, and our users. It’s essential for those of us who care about privacy to learn, read, and observe these laws as they develop.