SAN FRANCISCO (CN) — Two years ago, the California Legislature enacted the California Consumer Privacy Act, a tough and expansive piece of legislation meant to mimic Europe’s broad data protections.
The fanfare was short-lived for data-privacy advocates, as lobbyists for various business interests rushed in to water down its protections. Hostile amendments that sought to carve out exemptions to the law were largely defeated after a grueling legislative session in 2019.
Alastair Mactaggart, the San Francisco real estate developer behind the act, said he realized that the industry onslaught would probably continue.
“I came to realize early on in 2019 that business and industry looked at this just as a speed bump,” he said. “That led me to think there's going to need to be some kind of backstop.”
And so the California Privacy Rights Act, appearing on the Nov. 3 ballot as Proposition 24, was born.
California’s current privacy law started out on a similar track. Mactaggart spent millions to qualify it as an initiative for the November 2018, ballot, but he withdrew it after a cutting deal with lawmakers to get it passed as a bill.
In an interview, Mactaggart said he believes the timing is right for a renewed privacy initiative. People are more concerned than ever with protecting their privacy, and tech giants like Google and Apple — currently fending off a spate of antitrust lawsuits — cannot afford to tarnish their reputations by opposing it.
“It's a perfect time to go on the ballot,” he said. “It was going to be impossible for these big tech companies to spend money against privacy. The climate now is so much more on the defensive. Antitrust is a huge deal and if they're spending a lot of money against privacy that's not good for their image in the antitrust war.”
If passed, the initiative would become law on Jan. 1, 2023.
Supporters bill Proposition 24 as a bulwark against future industry-backed efforts to pare down privacy, establishing what Mactaggart calls a “privacy floor.”
Californians would be able to block businesses from sharing “sensitive personal information” about their race, religion, sexual orientation, precise location (within 1,850 feet), union membership, education level, health or work status.
Businesses would still be able to collect that information, but consumers can choose to limit it only to what’s necessary to provide the requested service. Mactaggart said Uber, for example, doesn’t need to know your race if you are hailing a ride. Weather apps don’t need to know your exact location to give you the weather.
It also changes a “Do not sell” provision in the current legislation to “Do not sell or share” — eliminating an insidious loophole businesses can currently exploit.
Businesses would also have to inform consumers about what information they are collecting and why. They would also be required to delete or correct the information on request, and notify all third parties to delete such personal information “unless this proves impossible or involves disproportionate effort.”
But not everyone is thrilled with the measure, and it faces resistance from civil rights groups and privacy advocates who believe it puts the burden on consumers to be vigilant about protecting their information and creates a “pay-for-privacy” scheme by permitting businesses to offer loyalty clubs, discounts, and rewards programs that incentivize consumers to give up their privacy.
“There are some pieces of this that just make it impossible for us to support. I think it's a very complicated thing to put on the ballot as just a yes or no,” said Hayley Tsukayama, a legislative activist for the Electronic Frontier Foundation, which is neutral on the initiative.