On November 3rd, long before U.S. voters learned the results of the 2020 presidential election, some digital privacy advocates scored an electoral victory in California. Voters in the Golden State voted to pass California Proposition 24: California Privacy Rights Act (CPRA). CPRA serves as an addendum to the California Consumer Privacy Act (CCPA), which went into effect at the start of this year.
The CCPA, considered the strongest data privacy regulation in the U.S., was criticized by some advocates for containing too many loopholes for businesses to avoid privacy requirements. Alastair Mactaggart, founder of the advocacy group Californians for Consumer Privacy, advanced the CPRA this year as a measure to strengthen the CCPA and enhance consumer protection.
The CPRA provides California consumers more control over what sensitive information (e.g. location) is used by and sold between businesses. Prop. 24 also triples fines for privacy violators and establishes and funds a Privacy Protection Agency, charged with enforcing privacy laws. The measure makes it difficult to weaken the CCPA and CPRA through additional amendments, cited as protection against special interests, but allows the state legislature to strengthen protections with a simple majority vote.
Reviews on the new measure are mixed, with some civil rights groups and privacy activists including the NAACP of California and former 2020 presidential-hopeful Andrew Yang coming out in support, and others, including the ACLU of California, against. The Electronic Frontier Foundation (EFF) called the proposition “a mixed bag of partial steps backwards and forwards,” and came out neither in support or opposition.
While advocates say the measure furthers California’s lead on digital privacy, opponents say the law places the burden of privacy protection on the consumer and incentivizes businesses to charge users for data protection. Unlike the European Union’s General Data Protection Regulation (GDPR), California’s privacy laws require consumers to “opt-out” of data collection instead of forcing businesses to ask customers for permission to sell their data. The CCPA and CPRA also allow businesses to charge consumers higher rates for services when consumers opt-out of data sales.
While the impact of the CPRA remains to be seen–the measure does not go into effect until January 1, 2023–it is encouraging to see debates about digital privacy making their way into the public domain, and onto ballots across the country.