Prop 24 Poised to Pass, Bringing Another Data Privacy Law Into Existence
As expected, California voters came out decisively in favor of Proposition 24. While the final tally has not yet been released, it appears that the Golden State is well on its way to passing the stringent new data privacy law called the California Privacy Rights Act, or CPRA.
With 72% of California precincts reporting Wednesday afternoon, voters were 56.1% in favor of Prop 24 and 43.9% against, putting the measure on a track that almost certainly means it will pass.
CPRA ostensibly would replace the California Consumer Privacy Act (CCPA), which was passed by the state’s legislature in 2018 and went into effect this year. The CPRA was written by data privacy rights advocates as a way to strengthen data privacy enforcement, as we told you in September, and also to close loopholes in CCPA that, advocates say, were inserted into the law at the behest of big tech firms.
CPRA would strengthen data privacy by creating a new category of “sensitive personal information,” including race, sexual orientation, union membership, and location. It would also require companies to become good custodians of that sensitive data. Fines for violating the data rights of children would triple under CPRA, and it would require opt-in consent to sell data from consumers under the age of 16. It would also give residents more power to force companies to correct erroneous information about them.
But the biggest change that CPRA would bring is the creation of a brand new state agency called the California Privacy Protection Agency (CPPA) that would be responsible for enforcing privacy law. The specific provisions of CPRA would not go into effect until 2023, but CPPA would immediately take over enforcement of the CCPA from California Attorney General Xavier Becerra.
Heather Federman, the vice president of privacy and policy at BigID, says the passage of the CPRA is a big step forward for advocates of data privacy.
“CPRA will create the first agency in the US dedicated solely to privacy, similar to how EU member states have their own Data Protection Authorities, which could definitely up the ante for enterprises who had previously buried their head in the sand,” she tells Datanami via email. “The amendment also helps to clarify some of the discrepancies and clarifications from CCPA and puts in some interesting operationalization requirements for companies, like retention limits, minimization, audits and risk assessments for high risk processing, and more.”
One of the main practical challenges for enterprises moving forward, she says, will be ensuring that they have full awareness of their consumers’ data. This is particularly true when it comes to “sensitive personal information,” which is a newly defined term under CPRA.
“Traditional approaches to data discovery like surveys and manual inventories are not great at consistently identifying all of the data that’s in an organization’s scope,” Federman says. “For companies that have been taking a half-baked approach to CCPA compliance, this could make CPRA compliance tricky.”
Raju Vegesna, the chief evangelist at Zoho, hopes that CPRA could bring more accountability to big tech firms, which have been under the gun recently for how they use, and occasionally abuse, individuals’ private data.
“California is often a harbinger of social change in America and voters have signaled they not only want control over their data, but want to see Silicon Valley tech giants – who can afford the extra due diligence required to comply with regulations and avoid fines – held more accountable,” Vegesna says via email.
Having a dedicated agency to enforce the privacy laws may provide companies with extra motivation to increase their compliance, he says. “For too long, consumers have believed the myth that companies need to collect, share, and sell user data to deliver more personalized products and better targeted ads,” Vegesna says. “Prop 24 is part of an overdue reckoning awaiting companies still relying on these ad revenue streams, profiting off selling data to third parties.”
Not everybody is a fan of CPRA, however. Opponents point out that enforcement of CCPA only began in July, and that the specific rules for CCPA were still being written in September, even as CPRA was headed to the voters. Changing the rules of the game so often is not conducive to getting widespread adoption, they say.
The American Civil Liberties Union came out against the CPRA because it would allow businesses to charge users who opt out of having their data sold or shared. That could make privacy rights less accessible to people with lower incomes, the group says.
There is also the matter of asking businesses to comply with a patchwork of data privacy laws, which amplifies their regulatory burden and increases their legal risk if they were to run afoul of one of them. Danny Allan, the CTO of data backup provider Veeam, questions the wisdom of layering more regulation atop businesses.
“If each state implements their own approach to data privacy, America will become a patchwork quilt of regulation, making it an extremely challenging place to do business,” Allan tells us via email. “This challenge grows still further as organizations increasingly share customer data across teams, partners, and third-party contractors. What will eventually be needed is a common set of rules, across all states, that would allow businesses to operate across state lines (and globally), similar to what U.S. organizations doing business in the EU are already following.”
It’s unclear what impact CPRA will have on the broader privacy landscape, Federman says. But it’s possible that it could spur a resurgence of privacy bills at the federal level, she says.
“I’ll be closely watching the Washington Privacy Act bill, which has now surfaced for the third time in the state legislature and borrows elements from both CCPA and GDPR,” she says. “If this version ends up passing, that would likely end up being the main model for a state data protection law – in terms of both process and content – across the country.”
“There is little doubt that the CCPA is going to have a massive impact on California businesses. However, what that impact will be and how far its rules will reach is not yet settled. For employees, there is still very much a question about what rights they will or will not have to their employee-collected data. For now, the CCPA is not including employee data in its definition of ‘personal data.’ It is important to note that, in the event of a breach, an employee still has their rights to sue their employer.”