CA
Prop
24
Consumer Data Privacy
Amends consumer privacy laws
Establishes new consumer data privacy rights, amends current data privacy law and creates a new state enforcement agency.
Establishes new consumer data privacy rights, amends current data privacy law and creates a new state enforcement agency.
Proposition 24 would make a number of changes to the state’s current consumer data privacy law with the aim of creating new privacy rights and further protecting consumers.
Today, the California Consumer Privacy Act, passed in 2018, provides a number of data privacy rights, including requiring businesses to disclose if they sell a consumer’s personal data1 and allowing consumers the right to opt out of having their data sold. Prop. 24 would expand consumer data privacy rights to cover the sharing of personal data. The measure defines “sharing” as transferring personal information for the purposes of advertising to a user across multiple platforms or services.
This measure would also define certain personal data, such as Social Security numbers, union membership and sexual orientation, as “sensitive” and further restrict its use. For example, consumers could direct businesses to use sensitive personal data only to provide a requested service.
Under Prop. 24, businesses would have to:
The measure would also make some changes to which businesses must comply with the law. For example, businesses that buy, sell or share personal data of fewer than 100,000 people or households annually would no longer need to comply (the current limit is 50,000).
Prop. 24 would eliminate the 30-day grace period that currently exists for businesses to amend practices if they’re found to be in violation of data privacy law. And it would establish new penalties for violations of minors’ data privacy rights.
Finally, Prop. 24 would create the California Privacy Protection Agency, a new state agency to oversee and enforce consumer data privacy law. The agency would be charged with developing regulations, investigating violations and assessing penalties. The state Department of Justice currently enforces consumer data privacy law and would still be empowered to prosecute crimes and file lawsuits under this measure. Prop. 24 would allocate $5 million in fiscal year 2020–2021 and then $10 million annually from the state General Fund to support the agency.
Changes would go into effect in January 2023. Prop 24 would allow for amendments to the initiative by a simple majority of the state legislature but only if those changes furthered the measure’s intent to protect consumer privacy.
Major credit card breaches, Twitter account hacks and geo-located advertising have elevated concerns about consumers’ data privacy in recent years. The collection, sharing or sale of consumer information includes both these well-known examples and a variety of other practices. For example, some businesses that provide free services collect user information and sell it to other companies for targeted advertising. Some businesses promise not to sell personal data (such as name, address and recent purchases), but nonetheless they share it with a network of third parties, including financial product providers, marketers or legal entities. The legality of many business practices around collecting data online has been debated for years while government policy has struggled to keep up with expanding data collection and use.
In 2016, the European Union adopted General Data Protection Regulations (GDPR), considered to be the strongest set of regulations around the collection and sale of personal data. GDPR requires businesses to disclose what information they collect and allows consumers to access their personal data, control its use and have it deleted.
Emulating GDPR, the California Legislature passed the California Consumer Privacy Act (CCPA) in 2018 — the strongest data privacy law that exists in the United States today. It was negotiated in part by the author of Prop. 24, who had collected signatures for a more stringent ballot measure (the measure was ultimately withdrawn after the compromise legislation was passed). The CCPA establishes:
The California Department of Justice is charged with creating regulations to guide businesses and with enforcing those regulations, which officially began in July 2020, but proponents of Prop. 24 argue that the agency lacks sufficient capacity for enforcement. They are also concerned about legislative efforts to weaken the law, as businesses have attempted to do several times since the passage of the CCPA. Proponents developed this measure both to strengthen the current law and protect it from legislative attacks.
This measure was put on the ballot by signatures. As an initiative statute, it requires a simple majority (50% plus one vote) to pass.
California data privacy law and this measure are intended to protect all consumers. However, current law is written according to an opt-out framework, which requires the consumer to ask to see what personal data has been collected, elect to have data deleted and, in some cases, pay more to exercise their privacy rights. Prop. 24 does nothing to dismantle this framework, which some privacy advocates argue is inequitable and privileges educated, often white consumers over others. On the other hand, Prop. 24 establishes a new right to limit the use of consumers’ sensitive personal data, which includes racial and ethnic information.
SPUR objects to the use of ballot measures to circumvent the legislature’s deliberative and collaborative policy-making process, particularly when current law has only been in effect since January of this year and we don’t yet have a full sense of its impacts. Prop. 24 is a complex policy that should be negotiated among legislators, advocates and businesses. On the other hand, Prop. 24 proposes a number of changes that would further consumer data privacy for vulnerable groups and break further ground for Californians’ data privacy. SPUR’s board was divided on these points and has no recommendation on this measure.
1. In general, personal data is information that can be linked, directly or indirectly, to a living person. It can include names and location data, as well as less obvious identifiers like IP addresses and “cookie” information.