Establishes new consumer data privacy rights, amends current data privacy law and creates a new state enforcement agency.
What the Measure Would Do
Proposition 24 would make a number of changes to the state’s current consumer data privacy law with the aim of creating new privacy rights and further protecting consumers.
Today, the California Consumer Privacy Act, passed in 2018, provides a number of data privacy rights, including requiring businesses to disclose if they sell a consumer’s personal data¹ and allowing consumers the right to opt out of having their data sold. Prop. 24 would expand consumer data privacy rights to cover the sharing of personal data. The measure defines “sharing” as transferring personal information for the purposes of advertising to a user across multiple platforms or services.
This measure would also define certain personal data, such as Social Security numbers, union membership and sexual orientation, as “sensitive” and further restrict its use. For example, consumers could direct businesses to use sensitive personal data only to provide a requested service.
Under Prop. 24, businesses would have to:
- Allow consumers to opt out of sharing their personal data
- Correct inaccurate personal data if requested
- Obtain permission from consumers aged 13 to 15 before collecting their personal data
- Obtain permission from a parent or guardian before collecting personal data from consumers who are younger than 13
The measure would also make some changes to which businesses must comply with the law. For example, businesses that buy, sell or share personal data of fewer than 100,000 people or households annually would no longer need to comply (the current limit is 50,000).
Prop. 24 would eliminate the 30-day grace period that currently exists for businesses to amend practices if they’re found to be in violation of data privacy law. And it would establish new penalties for violations of minors’ data privacy rights.
Finally, Prop. 24 would create the California Privacy Protection Agency, a new state agency to oversee and enforce consumer data privacy law. The agency would be charged with developing regulations, investigating violations and assessing penalties. The state Department of Justice currently enforces consumer data privacy law and would still be empowered to prosecute crimes and file lawsuits under this measure. Prop. 24 would allocate $5 million in fiscal year 2020–2021 and then $10 million annually from the state General Fund to support the agency.
Changes would go into effect in January 2023. Prop. 24 would allow for amendments to the initiative by a simple majority of the state legislature but only if those changes furthered the measure’s intent to protect consumer privacy.
Major credit card breaches, Twitter account hacks and geo-located advertising have elevated concerns about consumers’ data privacy in recent years. The collection, sharing or sale of consumer information includes both these well-known examples and a variety of other practices. For example, some businesses that provide free services collect user information and sell it to other companies for targeted advertising. Some businesses promise not to sell personal data (such as name, address and recent purchases), but nonetheless they share it with a network of third parties, including financial product providers, marketers or legal entities. The legality of many business practices around collecting data online has been debated for years while government policy has struggled to keep up with expanding data collection and use.
In 2016, the European Union adopted the General Data Protection Regulation (GDPR), considered to be the strongest set of regulations around the collection and sale of personal data. GDPR requires businesses to disclose what information they collect and allows consumers to access their personal data, control its use and have it deleted.
Emulating GDPR, the California Legislature passed the California Consumer Privacy Act (CCPA) in 2018 — the strongest data privacy law that exists in the United States today. It was negotiated in part by the author of Prop. 24, who had collected signatures for a more stringent ballot measure (the measure was ultimately withdrawn after the compromise legislation was passed). The CCPA establishes:
- Consumers’ right to know if their personal data is sold: Businesses must tell consumers what personal data is collected and how they will use it.
- Consumers’ right to opt out of having personal data sold or to tell businesses to delete their personal data.
- Consumers’ right to nondiscriminatory service if they exercise their privacy rights: In general, businesses cannot charge excessive prices or provide different service to those who ask for disclosures or for a deletion of their data or who otherwise exercise their privacy rights.
The California Department of Justice is charged with creating regulations to guide businesses and with enforcing those regulations. Enforcement officially began in July 2020, but proponents of Prop. 24 argue that the agency lacks sufficient capacity for enforcement. They are also concerned about legislative efforts to weaken the law, as businesses have attempted to do several times since the passage of the CCPA. Proponents developed this measure both to strengthen the current law and to protect it from legislative attacks.
This measure was put on the ballot by signatures. As an initiative statute, it requires a simple majority (50% plus one vote) to pass.
California data privacy law and this measure are intended to protect all consumers. However, current law is written according to an opt-out framework, which requires the consumer to ask to see what personal data has been collected, elect to have data deleted and, in some cases, pay more to exercise their privacy rights. Prop. 24 does nothing to dismantle this framework, which some privacy advocates argue is inequitable and privileges educated, often white consumers over others. On the other hand, Prop. 24 establishes a new right to limit the use of consumers’ sensitive personal data, which includes racial and ethnic information.
- Consumer privacy can still be violated by the sharing of data, even if that data isn’t ultimately sold. This measure would establish further protection in that area.
- This measure includes additional penalties for violating the data privacy of children and youth, who can be a particular target of these questionable business practices.
- Creating an agency, budget and staff dedicated to data privacy would likely lead to better regulations and enforcement.
- Prop. 24 is intentionally written to create parity between California law and GDPR, which could simplify compliance for businesses that work globally.
- This measure does not need to be on the ballot. New laws and amendments could have been arbitrated through the normal legislative process, allowing open deliberation from businesses, privacy advocates, legislators and the public.
- Current data privacy law forces the consumer to opt out of the use or sale of their personal information in order to be protected, which can be confusing and onerous. This measure is a missed opportunity to expand consumer protection by requiring companies to request the information they wish to use.
SPUR objects to the use of ballot measures to circumvent the legislature’s deliberative and collaborative policy-making process, particularly when current law has only been in effect since January of this year and we don’t yet have a full sense of its impacts. Prop. 24 is a complex policy that should be negotiated among legislators, advocates and businesses. On the other hand, Prop. 24 proposes a number of changes that would further consumer data privacy for vulnerable groups and break further ground for Californians’ data privacy. SPUR’s board was divided on these points and has no recommendation on this measure.
1. In general, personal data is information that can be linked, directly or indirectly, to a living person. It can include names and location data, as well as less obvious identifiers like IP addresses and “cookie” information.