California’s Ballot Measure Could Affect Your Privacy — Even if You’re Not in California
On January 1, privacy in the United States changed forever. On that day, the California Consumer Privacy Act (CCPA) — the most comprehensive privacy law in the United States — went into effect in the Golden State. The law provides a broad range of privacy rights and protections to citizens of the state, and California’s attorney general began enforcing it on July 1.
The CCPA has already had a profound impact, both in California and beyond. As a Californian, I’ve used CCPA requests to access my file from facial recognition company Clearview AI, helping to shed light on their controversial activities. I’m also using the law to explore the data which large, often shadowy “data brokers” gather about me and other citizens.
Even if you’re not a Californian, the CCPA has already affected your privacy. Several sources report that the law caused Facebook to begin quietly providing consumers with information on their “Off Facebook Activity” in January, revealing that thousands of companies are sending data to Facebook about what apps you use, which websites you visit, and even the specific products you buy online.
The CCPA is also likely a factor in the decision by Apple, Mozilla, and Google to phase out tracking cookies from the Safari, Firefox, and Chrome browsers. Companies like Microsoft have already extended the rights granted by CCPA to all U.S. citizens, and many more companies will likely follow.
As new as the CCPA is, though, the law is already evolving. If passed in November, a new California ballot measure, Proposition 24, or the California Privacy Rights Act, would make sweeping changes to the CCPA, clarifying some elements and increasing the law’s scope.
It may come as a surprise that not all privacy-centered organizations support the CPRA. The American Civil Liberties Union of Northern California (ACLU) opposes Proposition 24, while the Electronic Frontier Foundation takes a neutral stance. According to a Los Angeles Times report, most organizations that oppose Proposition 24 do so because they feel the law doesn’t go far enough and is missing key provisions like opt-in consent for data gathering.
Many in the tech world have been quiet about the CPRA, even though they might be privately in favor of it. They’ve read the writing on the wall, and believe that a federal privacy law is inevitable. According to a report in the Financial Times, those in the industry largely support a federal law mirroring the CCPA, believing that such a law would be preferable to a patchwork of laws enacted by different states. The CPRA and CCPA could well form the framework for an eventual federal law.
If you’re a Californian, it’s imperative that you educate yourself about the CPRA before Election Day. And even if you’re not a citizen of California, keep an eye on the Golden State come November. Initiatives like the CPRA may change your ability to access and control your data in the short term, as CCPA has already done. In the longer term, they may set the tone of federal legislation that ultimately affects the privacy rights of all Americans.
I spoke to Dan Clarke, president of technology services company IntraEdge, about the CCPA, Proposition 24, and the future of privacy legislation in the United States. Clarke has 30 years of experience in the technology industry, and his company has worked with Intel and others to create compliance platforms for the General Data Protection Regulation (GDPR), Europe’s equivalent to the CCPA. Clarke speaks and consults frequently on the CCPA, CPRA, and other privacy laws.
This interview has been edited and condensed for clarity and length — citations are mine.
Thomas Smith: Firstly, can you give a brief overview of CCPA and why it’s important?
Dan Clarke: The CCPA is one of the most comprehensive privacy laws in the U.S. This privacy law grants California’s consumers certain rights to their privacy, such as the right to know if companies are selling their data and to opt-out of the sale of their data. It also gives consumers the right to delete and/or correct their data.
As data breaches and technology are changing more rapidly than ever, privacy laws and regulations such as the CCPA are paramount in protecting consumer rights and provides them a right of action if their data is involved in a data breach. Since California is the fifth-largest global economy, the CCPA forces many companies to address privacy compliance.
Companies fall within the scope of the CCPA if they meet one of the following criteria:
- Make an annual revenue of more than $25 million in total
- Receive personal data from at least 50,000 California residents, devices, or households per year
- Obtain 50% or more of their annual revenue from the personal information of California residents.
What is Proposition 24 and the California Privacy Rights Act (CPRA)? How did it come to be?
The CPRA is a proposition on the November 2020 ballot in California, which aims to amend the CCPA entirely. The new measure would take the CCPA to another level, and introduce a new privacy enforcement agency that solely focuses on enforcing privacy violations. CPRA would also extend the current exemption for employment data to 2023.
In addition, the CPRA changes the threshold for small businesses and is more in line with the GDPR. For example, the CPRA allows consumers the right to correct their data, potential exemptions for unstructured data in “right to know” requests, the creation of a category for sensitive information, and stricter rules for protecting minors’ data.
How does CPRA differ from or change the laws created by CCPA?
The most significant factor to note is the creation of a new enforcement agency. This agency will focus solely on enforcing privacy rights, whereas the California attorney general is not employed to concentrate only on privacy compliance.
A fully funded enforcement agency would significantly change the privacy landscape. Instead of sending 40 privacy compliance notices per month, a dedicated agency would have the capacity to send the same volume of notices with a stricter review process in a day.
In addition, the CPRA triples the fines associated with the collecting and selling of a child’s private data.
What is the impact on consumers and on businesses?
The CPRA will change the threshold for small businesses by updating the criteria. In order for companies to fall in scope for CPRA, they must meet one of the following new proposed criteria:
- Receive personal data from at least 100,000 California consumers [Under CCPA, companies needed to possess the personal data of 50,000 Californian consumers]
- $25 million in revenue or make 50% of their revenue from selling data
The proposed requirements exclude devices from that count if not linked to a consumer and adds “sharing” as the third criterion for applicability if a business derives more than 50% of its revenue from selling or sharing data.
What should voters know as they consider voting on this initiative? What are the benefits and costs to consumers?
As consumers weigh their options in voting for Proposition 24, they should think about the additional benefits they get, including more control over their data than ever before.
Some consumer groups do not think the CPRA goes far enough, while others argue it is too soon for an early amendment to the existing privacy legislation, which raises overhead costs associated with complying with the CPRA.
How could CPRA create a ripple effect of new laws nationwide? What does this mean for people outside California?
The CPRA is setting the bar even higher for other states to start thinking about consumer privacy — especially amid the pandemic, as the majority of the workforce is still working from home.
If the CPRA amends the CCPA in November, this sets a strong foundation for other states to mirror in protecting consumer privacy. For example, the Massachusetts attorney general recently announced the creation of a data privacy and security division led by Sara Cable, the state’s director of data privacy and security.
At the same time, New York recently enacted two laws expanding its breach notification and security safeguards requirements. Other states are trying to move forward with privacy regulations, even amid the pandemic.
How can people get involved?
Individuals can get involved by educating themselves about privacy laws, including the rights that the CPRA and CCPA grant consumers. Other states could have these laws, too; they need more local support from consumer advocates and local lawmakers.
As more influencers such as Andrew Yang, the former presidential candidate, support initiatives like the CPRA, the more visibility and impact these campaigns will have on future legislation.