California's Proposition 24
In 2018, the State of California enacted the California Consumer Privacy Act of 2018 ("CCPA"), the first comprehensive consumer privacy law enacted in the United States. The CCPA established the right of residents of California to know what personal information about them is being collected; to know whether their information is sold or disclosed and to whom; to limit the sale of personal information to others; and to access their information held by others. The CCPA gives individuals a right to delete their data and prohibits businesses from selling the personal information of CA residents under the age of 16 without their opt-in consent. The CCPA is currently enforced by the California Attorney General. The CCPA was enacted in 2018 after a proposed California ballot initiative, which had gathered over 600,000 signatures, was withdrawn.
EPIC has advocated for more than two decades for the enactment of comprehensive legal protections for the privacy of internet users. The key elements for privacy legislation identified in EPIC's recent report—Grading on a Curve—follow from commonly recognized national and international standards for data protection. For example, the OECD Privacy Guidelines of 1980 first established the international baseline standards for privacy rights and responsibilities and have been adopted in U.S. law and international agreements. More recently, the General Data Protection Regulation of the European Union has emerged as one of the most comprehensive regulatory regimes for privacy protection in the modern age. The Council of Europe Privacy Convention has also shaped the modern day understanding of the right to privacy.
This year, Californians will once again play a role in determining the direction of privacy law in the United States. A new ballot initiative, California Proposition 24: The California Private Rights Act of 2020, which will be on the November election ballot, would significantly change the CCPA. Below we analyze Prop 24 under the rubric that EPIC laid out in Grading on a Curve. We hope that this analysis can inform readers who are considering the implication of Prop 24 and whether to vote yes or no.
EPIC is not taking a position for or against Proposition 24, but provides this resource to help voters understand the initiative. Proposition 24 is not perfect, but would make some important improvements to privacy protections for California residents, particularly through the establishment of a California Privacy Protection Agency.
Highlights of EPIC's review of Proposition 24 include:
- Creates a dedicated, independent California Privacy Protection Agency, which would be a major step forward in protecting the privacy of California residents.
- Closes the loophole created in the CCPA that allowed businesses to avoid complying with the law if they don't technically "sell" your data but enable third parties to target you based on your data(as Facebook does);
- Adds some protections for "sensitive data," but weakens protections for biometric data;
- Takes steps towards ensuring algorithmic transparency and fairness;
- Provides some data minimization requirements;
- Permits "pay for privacy" schemes - it allows companies to offer discounts in exchange for permission to collect and use personal data. This undermines privacy rights and discriminates against individuals who are economically disadvantaged;
- Fails to expand the limited private right of action currently available under the CCPA, which would have allowed California residents to enforce their rights in court. A private right of action is a critical piece of any strong privacy legislation and it should have been included in Proposition 24.
Lastly, because the CCPA was passed by the California Legislature, not by the ballot initiative process, it can be repealed or watered down by the Legislature at any time. And Big Tech and their lobbyists spent a considerable amount of time and resources in 2019 attempting to do just that. Privacy groups had to expend considerable time and resources to fight back against those efforts, and will have to continue to do so in every legislative session if Proposition 24 does not pass.
In contrast, Proposition 24 would set a floor for privacy protections in California. If Proposition 24 is passed, the state legislature could only pass amendments that *strengthen consumer privacy.* This is an important change that could help guarantee California residents baseline protections; EPIC and many other privacy groups will continue to work to strengthen privacy regulations in the years ahead.
Establishes a California Privacy Protection Agency
Almost every democratic country in the world has an independent federal data protection agency, with the competence, authority, and resources to help ensure the protection of personal data. These agencies act as an ombudsman for the public. The United States has tried for many years to create agencies that mimic a privacy agency, such as the Privacy and Civil Liberties Oversight Board, or to place responsibilities at the Federal Trade Commission. Many now believe that the failure to establish a data protection agency in the United States has contributed to the growing incidents of data breach and identity theft. EPIC has long advocated for the creation of a U.S. Data Protection Agency. One of the biggest benefits of Proposition 24 is that it would create a dedicated data protection agency in California.
An effective Data Protection Agency should be independent, be allocated the resources to be effective, have rulemaking authority, and have strong enforcement powers.
At the state level, state Attorneys General are generally tasked with enforcing state privacy laws. The CCPA placed enforcement authority with the California Attorney General, and that office has released final regulations under the Act.
The California Privacy Protection Agency is granted rulemaking powers (transferred from the California Attorney General) — meaning the Agency will issue regulations interpreting the new law. The Agency is tasked with promoting public awareness and rights related to the collection, use, sale and disclosure of personal information. The Agency is required to issue public reports summarizing the risk assessments filed by businesses whose processing of consumers' personal information presents "significant risk" to consumers' privacy or security.
The California Privacy Protection Agency is granted authority to investigate possible violations of the law. If a violation is found, the Agency may issue an order that requires the violator to cease and desist the violation and to pay fines of up to $2,500 for each violation (or up to $7,500 for each intentional violation or violation involving personal data of minors).
Proposition 24 also removes "right to cure" loophole in the CCPA, which allowed companies to avoid punishment if they "cured" a violation that was discovered. Proposition 24 would allow for penalties after the first violation.
Proposition 24 appropriates $10 million dollars annually for the operations of the California Privacy Protection Agency. The California Attorney General's budget for enforcing the CCPA is approximately $4.5 million annually.
Proposition 24 also creates the position of "Chief Privacy Auditor" within the new California Privacy Protection Agency, who would be authorized to conduct audits of businesses to ensure compliance with the law.
Importantly, because the CCPA's exclusive enforcement by the Attorney General is removed in Proposition 24, violations of the law can be enforced by the 58 county District Attorneys and the four City Attorneys. The end result is that enforcement under Proposition 24 should be much stronger than enforcement under the current CCPA.
The creation of a dedicated, independent California Privacy Protection Agency would be a major step forward in protecting the privacy of California residents.
Narrows the Scope of Privacy Protections in Key Definitions
Personal information should include all information about an individual, including some information that the individual makes available in certain public or quasi-public contexts—such as their age, gender, race, and address or zip code. All of these data elements could be included in profiles that companies create and might form the basis for decisions made about individuals. So a bill that excludes publicly available information entirely from its scope does not fulfill one of the key purposes of a privacy law. One of the drawbacks of Proposition 24 is that it would somewhat expand the carve out for "publicly available information," which is not subject to protection under the law.
The CCPA and Proposition 24 both have a good baseline definition of personal information, defining it as information that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." It also includes a non-exclusive list of examples, including IP addresses and inferences draw from personal information.
However, the CCPA does exempt publicly available information, and Proposition 24 expands that exemption to include:
information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or by the consumer; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.This means that under Proposition 24, any information that was previously made available by a consumer to the "general public," or was widely distributed, is not covered. This exemption was added to address First Amendment challenge concerns, but is unnecessarily broad and could allow companies to build expansive profiles on individuals by scanning the web for publicly available information and compiling it, as Clearview AI is reported to have done.
Another set of key provisions in the California privacy law concerns the protection of biometric information. Proposition 24 would unfortunately further narrow the scope of biometric data protections. The Proposition would change the current definition in CCPA as follows (changes in bold):
"Biometric information" means an individual's physiological, biological or behavioral characteristics, including information pertaining to an individual's deoxyribonucleic acid (DNA), that
can beis used or intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
Proposition 24 also creates a new category of "sensitive personal information," which includes financial account information, racial or ethnic origin, religious beliefs, union membership, sexual orientation, genetic data, and precise geolocation data. Unfortunately, individuals must still opt-out of the use of this category of personal information, but Proposition 24 does give individuals the right to direct a business to limit the use of their sensitive personal information to only that use which is necessary.
Grants Right to Correct Data and Closes Loophole That Allowed Cross-Context Behavioral Advertising
A significant benefit of Proposition 24 is that the law would close the "shared data" loophole with regard to cross-context behavioral advertising in the CCPA and give an additional right to correct.
The CCPA granted California residents the right to access the personal information certain businesses* had collected about them upon request, as well as the right to request the deletion of that data. California residents also have the right to opt-out of the sale of their personal information under the CCPA. Proposition 24 would also give Californians an additional right to correct inaccurate personal information a business has collected about them.
* Businesses covered under the CCPA are entities that: 1) have annual gross revenue in excess of $25M; or, (2) collect the personal information of 50,000 consumers (note: this is changed to 100,000 consumers in Proposition 24); or, (3) derive 50% or more of its revenue from selling consumers' personal information.
Proposition 24 closes a loophole in the CCPA "right to know" provisions. The current loophole allowed companies to hide information about the personal data that they collect if they claim that they do not "sell" the data (even when they sell use of that data to target users, as Facebook does). Proposition 24 closes that loophole by adding the term "sharing" throughout the law. This change also means that Californians can opt-out of the "sharing" of their personal data for the purposes of cross-context behavioral advertising.
Strengthens Obligations on Large Businesses That Collect Data
- Transparency about business practices
- Data collection limitations
- Use/Disclosure limitations
- Data minimization and deletion
- Purpose specification
- Data accuracy
Overall, Proposition 24 adds some important obligations on businesses that collect data, including improved accountability through the creation of the California Privacy Protection Agency, closing the loophole on "data sharing," improved security requirements, and purpose specification requirements. Proposition 24 unfortunately does not limit businesses from collecting your data.
No Data Collection Limitations
There are limited data collection limitations in the CCPA and Proposition 24. Though both measures allow California residents to stop the sale or sharing of their personal information, it does not allow them the right to deny a business the right to collect and process their personal information.
Adds Use/Disclosure Limitations
Proposition 24 adds a new category of "sensitive personal information," which includes social security numbers, financial account information, precise geolocation, race, ethnicity, religion, union membership, genetic data, biometric and health data, and sexual orientation. California residents can direct businesses to limit the use of their sensitive personal information on an opt-out basis.
Proposition 24 also includes general use limitations:
A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected, without providing the consumer with notice consistent with this section.
The CCPA gave California residents the opportunity to opt-out of the sale of their personal information. Under the CCPA, businesses are required to provide a clear and conspicuous link labeled "Do Not Sell My Personal Information" on their website and implement methods for customers to opt-out of the sale of their personal information. Covered businesses must also comply with global opt-out settings - a setting individuals could install on each of their devices once that would send websites a signal that they opt-out of their information being sold.
Proposition 24 makes changes to these provisions by creating a new option for businesses. Covered businesses must still respect opt-out requests but may choose not to show a "Do Not Sell" link if the website does not discriminate against users that use a global opt-out setting by way of fees, a degradation of functionality of the website, displaying a pop-up or any notification in response to the setting, or other means (in other words, it may not require users to "pay for privacy," which is otherwise allowed under the CCPA and Proposition 24 (see below) if the user uses a global setting to opt-out of the sale or sharing of their personal information.)
This change has some advantages, and some disadvantages. On one hand, until global opt-out settings become more prominent, this change allows companies to avoid displaying a "Do Not Sell" link by honoring a setting that most internet users are unaware exists. On the other hand, the promotion of a global opt-out setting is good for privacy because it is unrealistic to expect that internet users are going to take the necessary steps to opt-out of data disclosure on every website they visit (much like the cookie consent fatigue we have seen under the GDPR), and many opt-out procedures are intentionally designed to be difficult to follow or setup as a dark pattern.
Requires Purpose Specification
Purpose specification requires that data collectors give notice of the purpose for which personal information is collected, and requires that data is only used for those specified purposes. Proposition 24 does add a purpose specification requirement. It reads:
"A business's collection, use, retention, and sharing of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes." § 1798.100(c)
Proposition 24 would improve accountability through the creation of a California Privacy Protection Agency, but the drafters missed an opportunity to provide for an expanded private right of action.
Proposition 24 also removes "right to cure" loophole in the CCPA, which allowed companies to avoid enforcement actions if they "cured" a violation after it was discovered - a loophole companies could exploit once for every different type of violation. Proposition 24 would remove this loophole and allow for enforcement after the first violation.
Consumers Left To Enforce Data Accuracy
As noted above, Proposition 24 grants California residents the right to correct inaccurate personal information a business has collected about them, a right that does not currently exist in the CCPA. Beyond those correction rights, there are no obligations on covered businesses to ensure that the data they collect and store is accurate.
Proposition 24 places new requirements on covered businesses to implement security procedures and practices. Section 1798.100(e) requires:
A business that collects a consumer's personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.
Proposition 24 also requires that any businesses (including service providers) receiving personal data (via sale or disclosure) from a covered business provide the same level of protection as the original business was obligated to provide under the law. This is referred to as a "chain of custody" requirement and will provide additional protections to Californians' personal data when their data is passed to third parties.
Takes Steps Towards Algorithmic Transparency and Fairness Requirements
As automated decision-making has become more widespread, there is growing concern about the fairness, accountability, and transparency of these systems. All individuals should have the right to know the basis of automated decisions made about them. Concerns about the fairness of automated decision-making are mounting as artificial intelligence is used to determine eligibility for jobs, housing, credit, insurance, and other life necessities. Bias and discrimination are often embedded in these systems yet there is no accountability for their impact.
Proposition 24 takes the first steps towards providing for accountability of algorithmic decision-making - Proposition 24 authorizes the California Attorney General (and, once established, the California Privacy Protection Agency) to issue regulations regarding access and opt-out rights with respect to business' use of automated decision-making systems, including systems used to profile individuals. The regulations would also require a businesses' response to access requests to include meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer. This would be first time a right to opt-out of automated decision-making is made available to individuals in the United States. Though the burden should arguably be on businesses to be transparent, not on the consumer to demand it, this is still a significant step towards algorithmic transparency and fairness compared to current U.S. law.
Proposition 24 also requires some independent accountability for automated decisions - businesses whose processing of personal information the California Privacy Protection Agency deems "presents significant risk to consumers' privacy or security" must submit, on a regular basis, risk assessments with respect to their processing of personal information.
Unfortunately, Proposition 24 does include a problematic exemption to these requirements. Section 1798.185(a)(3) of Proposition 24 makes clear that companies can withhold trade secrets when they respond to a consumer's access request. This exemption would make these systems less transparent and accountable, even though the systems can significantly impact an individual's life. There are too many examples of companies claiming a trade secret protection defense to conceal biased algorithms.
The original CCPA instructed the Attorney General to adopt regulations regarding trade secrets and intellectual property rights. Proposition 24 adds language to that provision (addition in bold):
Establishing any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights, within one year of passage of this title and as needed thereafter, with the intention that trade secrets should not be disclosed in response to a verifiable consumer request." § 1798.185(a)(3)
In the regulations issued under the original CCPA, the Attorney General declined to create an exemption for trade secrets, noting:
the [Office of the Attorney General] has determined that a blanket exemption from disclosure for any information a business deems could be a trade secret would be overbroad and defeat the Legislature's purpose of protecting consumers' privacy and prevent discrimination against consumers who exercise their privacy rights. Final Statement of Reasons, Appendix A, Response No. 247
The provision added by Proposition 24 makes clear that businesses cannot claim a trade secret defense in an investigation by the California Privacy Protection Agency, which is a good addition. However, there must be a mechanism to prevent companies from broadly claiming trade secret defenses in response to legitimate access requests from consumers - and in situations where automated decision-making is used for high-risk purposes that often foster discrimination, such as hiring, housing, credit, insurance, and other life necessities, a trade secret defense should not be an option. The Chief Privacy Auditor within the new California Privacy Protection Agency will be able to use their audit authority to uncover some discriminatory processing, but that will likely only be used in large scale cases.
As Professor Frank Pasquale wrote in The Black Box Society: The Secret Algorithms That Control Money and Information:
Few of us understand how our car engines work, but we can judge well enough whether they get us to our destinations safely and comfortably. We cannot so easily assess how well the engines of reputation, search, and finance do their jobs. Trade secrecy, where it prevails, makes it practically impossible to test whether their judgments are valid, honest, or fair. The designation of a person as a bad employment prospect, or a website as irrelevant, or a loan as a bad risk may be motivated by illicit aims, but in most cases we'll never be privy to the information needed to prove that. What we do know is that those at the top of the heap will succeed further, thanks in large part to the reputation incurred by past success; those at the bottom are likely to endure cascading disadvantages.
Provides Some Data Minimization and Privacy Innovation Requirements
Many U.S. privacy laws have provisions intended to minimize or eliminate the collection of personal data. Data minimization requirements reduce the risks to both consumers and businesses that could result from a data breach or cyber-attack.
Proposition 24 attempts to promote data minimization, but does not go far enough. Section 1798.100(c) says:
"A business's collection, use, retention, and sharing of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes."
A better way to approach this would be to include the expectations of the consumer or individual when determining what is "reasonably necessary."
Data minimization also requires that the data is deleted when it is no longer needed. Proposition 24 does require that businesses do not retain personal data for longer than necessary for the purpose for which it was originally collected:
a business shall not retain a consumer's personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose. § 1798.100(a)(3)
But this provision could have been made stronger by the addition of a maximum amount of time the business may retain a consumer's personal information, similar to provisions in S. 1214, the Privacy Bill of Rights Act filed by Senator Markey, which limits retention of personal to ninety days after a service is provided or a contract is satisfied.
Good privacy legislation also promotes privacy innovation, encouraging companies to develop new techniques that provide useful services and minimize the collection of personal data. These Privacy Enhancing Techniques ("PETs") are essential to promoting both innovation and privacy. The promotion of the "global opt-out" (discussed above) is an example of a privacy enhancing technique.
Allows pay-for-privacy terms that undermine privacy rights
While the CCPA purports to prohibit businesses from discriminating against a consumer because the consumer exercised their rights under the CCPA (including by charging different prices or rates for goods or services), it allows businesses to offer "financial incentives," including payments to consumers as compensation for the collection, sale, or retention of their personal information. It also allows businesses to offer a different price, rate, level, or quality of goods or services if the price is "directly related to the value provided to the business by the consumer's data." These provisions are unfair and discriminate against individuals who are economically disadvantaged.
Some may argue that banning pay-for-privacy will raise costs for everyone - that ad-supported models would no longer work. This is false. Contextual advertising—advertising that is placed based on the content that surrounds it—allows the advertiser to reach the customer without a deep intrusion into the customer's private life, and it is effective.
Proposition 24 should have prohibited these pay-for-privacy schemes. Instead, it gave businesses further leeway to put a cost on privacy by changing "directly related" to "reasonably related" in terms of the value provided to businesses by the consumer's data.
Does Not Expand Private Right of Action
The CCPA included a very limited private right of action - individuals could sue a business if it failed to implement reasonable security measures and the individual's nonencrypted or nonredacted personal information was compromised in a data breach. Proposition 24 adds liability for email and password combinations.
Unfortunately, Proposition 24 does not create any additional private right of action outside this narrow data breach action. Without this enforcement tool, many businesses might simply ignore the law, deciding that the small probability that the state would issue a fine against them for a violation is an acceptable risk. If Proposition 24 is passed by California voters, the California Legislature move quickly to enact a private right of action so that Californians have enforceable privacy rights.
Protects Against Weakening of CCPA
Because the CCPA was passed by the California Legislature, not by the ballot initiative process, it can be repealed or watered down by the Legislature at any time. And Big Tech and their lobbyists spent a considerable amount of time and resources in 2019 attempting to do just that. Privacy groups had to expend considerable time and resources to fight back against those efforts.
But Proposition 24 will set a floor for privacy protections in California. If Proposition 24 is passed, only amendments that *strengthen consumer privacy* will be allowed.
This is a crucial change, and one where there has been a lot of confusion. EPIC's reading of Proposition 24 is that the conditions placed on the Legislature by Section 3 are clear that only amendments that "do not compromise or weaken consumer privacy" will be permitted. This is an important change and guarantees California residents baseline protections that EPIC and other privacy groups will continue to work to strengthen in the years ahead.
- Text of Proposition 24
- California Consumer Protection Act of 2018
- Official California Voter Information Guide
- EPIC, California Consumer Privacy Act (CCPA)
- Californians for Consumer Privacy
- No on Prop 24
- San Francisco Chronicle Editorial, Chronicle recommends: Vote no on Prop. 24, a flawed privacy initiative (Sept. 25, 2020)
- Los Angeles Times Editorial, Endorsement: Yes on Prop. 24. It’s not perfect, but it would improve online privacy (Sept. 12, 2020)
Share this page:
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.