Supporters of Proposition 24 say Californians need a tougher data protection law than the Legislature passed — and lobbyists and businesses have sought to chip away at — two years ago. But privacy watchdogs say the initiative still doesn’t go far enough.
SAN FRANCISCO (CN) — Two years ago, the California Legislature enacted the California Consumer Privacy Act, a tough and expansive piece of legislation meant to mimic Europe’s broad data protections.
The fanfare was short-lived for data-privacy advocates, as lobbyists for various business interests rushed in to water down its protections. Hostile amendments that sought to carve out exemptions to the law were largely defeated after a grueling legislative session in 2019.
Alastair Mactaggart, the San Francisco real estate developer behind the act, said he realized that the industry onslaught would probably continue.
“I came to realize early on in 2019 that business and industry looked at this just as a speed bump,” he said. “That led me to think there’s going to need to be some kind of backstop.”
And so the California Privacy Rights Act, appearing on the Nov. 3 ballot as Proposition 24, was born.
California’s current privacy law started out on a similar track. Mactaggart spent millions to qualify it as an initiative for the November 2018, ballot, but he withdrew it after a cutting deal with lawmakers to get it passed as a bill.
In an interview, Mactaggart said he believes the timing is right for a renewed privacy initiative. People are more concerned than ever with protecting their privacy, and tech giants like Google and Apple — currently fending off a spate of antitrust lawsuits — cannot afford to tarnish their reputations by opposing it.
“It’s a perfect time to go on the ballot,” he said. “It was going to be impossible for these big tech companies to spend money against privacy. The climate now is so much more on the defensive. Antitrust is a huge deal and if they’re spending a lot of money against privacy that’s not good for their image in the antitrust war.”
If passed, the initiative would become law on Jan. 1, 2023.
Supporters bill Proposition 24 as a bulwark against future industry-backed efforts to pare down privacy, establishing what Mactaggart calls a “privacy floor.”
Californians would be able to block businesses from sharing “sensitive personal information” about their race, religion, sexual orientation, precise location (within 1,850 feet), union membership, education level, health or work status.
Businesses would still be able to collect that information, but consumers can choose to limit it only to what’s necessary to provide the requested service. Mactaggart said Uber, for example, doesn’t need to know your race if you are hailing a ride. Weather apps don’t need to know your exact location to give you the weather.
It also changes a “Do not sell” provision in the current legislation to “Do not sell or share” — eliminating an insidious loophole businesses can currently exploit.
Businesses would also have to inform consumers about what information they are collecting and why. They would also be required to delete or correct the information on request, and notify all third parties to delete such personal information “unless this proves impossible or involves disproportionate effort.”
But not everyone is thrilled with the measure, and it faces resistance from civil rights groups and privacy advocates who believe it puts the burden on consumers to be vigilant about protecting their information and creates a “pay-for-privacy” scheme by permitting businesses to offer loyalty clubs, discounts, and rewards programs that incentivize consumers to give up their privacy.
“There are some pieces of this that just make it impossible for us to support. I think it’s a very complicated thing to put on the ballot as just a yes or no,” said Hayley Tsukayama, a legislative activist for the Electronic Frontier Foundation, which is neutral on the initiative.
“There is some value in designating that some information is more sensitive, but if you are going to do that you should make it an opt-in rather than opt-out,” she said. “Rather than having me say ‘Can you stop using that information,’ I’d like to see them come to me and say ‘Can I use this data and here’s how we’re going to use it and how we’ll protect it.’ I should just have that right.”
Media Alliance executive director Tracy Rosenberg, who opposes Proposition 24, agrees.
“Opt-in would be a different and much better privacy law,” Rosenberg said. “Most privacy advocates would say opt-in is the way you want to go and Prop. 24 isn’t touching that.”
Mactaggart says there’s a reason why: the U.S. Supreme Court’s holding in Sorrell v. IMS Health Inc., finding the state of Vermont had violated data mining and pharmaceutical companies’ First Amendment rights with a law restricting the sale of records containing doctors’ prescribing practices.
Sorrell appeared to signal the death of privacy law, Mactaggart said. He sought the advice of UC Berkeley Law professor Chris Hoofnagle, who teaches courses on privacy and tech regulation. To stave off potential legal challenges, Hoofnagle suggested structuring the initiative as an opt-out. That way, Mactaggart said, “you’re giving the consumer the right to do something instead of forcing a corporation to do something.”
Tsukayama and Rosenberg are also disturbed by the idea of data monetization, where businesses treat personal information as property. It’s a concept that entrepreneur, onetime Democratic presidential candidate and Proposition 24 proponent Andrew Yang calls a data dividend — it’s your data so why not get paid for it?
“Who gets harmed by that? People who need money. You’re going to be encouraging them to pour more information into this system and it takes advantage of them,” Tsukayama said.
For starters, she said, companies will probably get to determine how much that data is worth. “I certainly see why that is an appealing idea, but if you pay people for their data you have to think about who gets to determine the value of that data.”
Pointing to a Google settlement with consumers over a data breach that netted each class member a measly $12.00, Tsukayama said, “Companies are probably going to set the price for that data or it will be related to company revenue.”
She also worries about people giving up their privacy in exchange for discounts.
“AT&T proposed exactly this — ‘We will show you more ads, which is more data collection, and we’ll knock $15 off your bill.’ It’s really concerning and lot to ask people to give up their privacy for $5 or $15.”
Either way, people are paying for something, be it a “data dividend” or a data discount. “It makes privacy a luxury for people who can pay for it in both cases,” Tsukayama said.
Rosenberg said privacy is an inalienable right, not a luxury, but companies are allowed to charge more for services to people who opt out of data sharing, up to the value of their forfeited data. “As a privacy advocate, I don’t want to actually incentivize people to give up their privacy,” she said.
She pointed to a scheme by John Hancock Life Insurance to give people 25% reduction on their life insurance premiums if they agree to wear an Amazon Halo device that tracks their heart rate and sleep patterns.
“The incentives fall extremely on those with less money,” she said. “If you’re a single mom and that life insurance policy is something you struggle for, that 25% off is not pennies. Those pocketbook issues are important.”
Mactaggart defended the provision. “While it does allow businesses to charge you if you opt out, it also allows them to pay you for opting in,” he said. “I would say as long as it’s transparent and the consumer knows what they’re doing and there is no coercion, who are you to tell someone of limited means that they can’t get compensated for their data? That’s super arrogant. It’s the height of elitism.”
He added: “If you follow through the logical extreme of what they’re saying, companies would have to give away their products for free if they depend on the transfer of information. Lots of websites and news sites do rely on the transfer of personal information.”
Tsukayama said she would also like to see a stronger private right of action included in Proposition 24 that would allow individuals to sue businesses for violating their privacy rights. This was something included in the 2018 version when it was still a ballot initiative but got removed during the negotiations with lawmakers.
Proposition 24 incorporates the right to sue over security breaches, including ones that expose only email addresses and passwords. It also establishes a new California Privacy Protection Agency to prosecute privacy malefactors and audit companies for compliance with the law. Attorney General Xavier Becerra’s office is currently tasked with enforcing the 2019 legislation, but only has $4.6 million in funding and 23 employees.
Mactaggart said with $10 million in taxpayer money and a staff of 50, the new agency should have some teeth. But Rosenberg wondered how much power it will actually have.
“That agency is going to have to go up against Google, Facebook and the biggest and most powerful tech companies in the world. My sense is this agency will be overpowered. It’s going to be politically appointed, so there’s always the possibility for regulatory capture,” she said.
The initiative also excuses businesses from complying with requests to delete and correct sensitive personal information if doing so requires “disproportionate effort,” Rosenberg said, and exempts companies from notifying third-parties with whom it has sold or shared personal information to delete it for the same reason.
“It means they don’t have to do it,” she said. “I don’t know how you go after someone who says the effort is disproportionate.”
Mactaggart said that language was taken straight from the European Union’s General Data Protection Regulation, and that there needs to be some limits on how far businesses should have to go. “You do need some caveat on the right. I think frankly that gets sorted out over time,” Mactaggart said. “We were trying harmonize this with the EU as much as possible.”
Perhaps the initiative’s biggest selling point is that it prevents privacy from being weakened in the future, as the Legislature can only make changes to the law if those changes are aimed at enhancing the initiative’s goal of strengthening consumer privacy.
Normally propositions preclude future legislative action.
“This one specifies that the provisions around privacy in Prop 24 are the floor, not the ceiling,” said Assemblymember Nancy Skinner, a Democrat from Berkeley who supports the measure. She recalled last year’s industry efforts to pare back the 2019 legislation. “It protects that which we’ve done and ensures Californians have the privacy rights we’ve enacted, and I think that’s very important,” she said.
Rosenberg believes it concedes too much to business by including the caveat that any future laws also consider effects on business and innovation. “There’s little privacy strengthening legislation that doesn’t have an impact on business or innovation,” she said.
But Skinner said she doesn’t think this will be a problem.
“I personally did not find the language to be as problematic. I think the language was broad enough,” she said. “I would personally like us to have additional privacy protections but I didn’t see a conflict with Prop 24.”
According to the California Secretary of State’s records, Mactaggart has spent roughly $5.5 million of his own money bankrolling the measure. He strongly disputes the idea that Proposition 24 undermines the privacy protections he fought hard to see enacted two years ago. “I didn’t spend millions of my own dollars just to weaken my own law,” he said. “It’s preposterous.”
Instead, he said the proposition is designed to be flexible. “I’m not arrogant enough to say I know how it’s going to be forever. We’re saying, ‘Back to you Legislature,’” he said. “There are people who are so anti-business and suspicious of business. The notion you could put something in this law that says the impact on business should be examined means for sure you’re pro-business.”
“I am pro-business,” he clarified, “because that gave us the internet. But on the other hand, we need regulation.”