As the most important outcome of the 2020 election remains in flux, voters in California and Michigan approved new privacy laws Tuesday: California’s Prop 24, which extends provisions of a 2018 privacy law, and Michigan’s Prop 2, which consolidates piecemeal orders into a requirement for police to seek search warrants before seizing electronic data.
Strengthening privacy is one of the few reliably bipartisan endeavors in modern politics, but the two measures scrambled traditional alliances on privacy: The ACLU opposed the California proposition, while police chiefs supported the Michigan measure. If those politics are any indication, privacy in the post-2020 landscape will be odd, iterative, surprisingly bipartisan, and very complicated.
California’s Prop 24 ratifies the California Privacy Rights Act, the successor to 2018’s California Consumer Privacy Act. Conceived as a parallel to Europe’s General Data Protection Regulation, the CCPA left many privacy advocates unhappy with loopholes that let Facebook, Google, and hordes of anonymous data brokers avoid regulation.
The CCPA exempted many forms of targeted advertising, essentially permitting the collection and sharing of personal user data without consent—precisely the activity the law was intended to eliminate. CCPA also left enforcement solely to the already overburdened state attorney general, a concession that caused an ongoing rift between two of its authors, Mary Stone Ross and Alastair Mactaggart. (Mactaggart coauthored the CPRA, which Ross opposed.)
Companies have many ways of profiting from collecting and accessing our data. Few involve money directly exchanging hands in a sale. The law approved Tuesday targets the companies once able to evade regulation by claiming they “share” but don’t “sell” data. CPRA combines the concepts of sharing, selling, and monetizing data. It requires companies to disclose what they’re collecting from users and with whom they’re selling or sharing the data, and it requires them to allow users to opt out of having their data collected, whether or not it’s “sold” in the literal sense.
CPRA creates a new category of Sensitive Personal Information (SPI), including race, sexuality, religion, and health data. Businesses must disclose to users if they plan to collect, share, or sell SPI. Once informed, users can prevent companies from sharing SPI. It also allocates $10 million to a new California Privacy Protection Agency that will enforce the law.
Finally, the language of the 2018 law left the door open for companies to require users to opt out of tracking from each site they visit rather than end tracking with one swoop. CPRA allows users to employ a global opt-out, such as a Do Not Track tool, but also to allow tracking selectively.
Privacy advocates who oppose CPRA see this as one of many examples of one step forward, two steps backward. Enforcement doesn’t begin until 2023, businesses with less than $25 million in revenue in are exempt, credit reporting giants like Experian and Equifax are exempt from most of its provisions, and companies can still withhold certain perks or discounts from consumers who choose not to share data.
This last concession is especially contentious. The Electronic Frontier Foundation and the ACLU of Northern California, staunch privacy defenders for generations, both cited this for why they opposed Prop 24. Both have concerns it could incentivize a “pay for privacy” structure that encourages people to hand over their data for cash and discounts. This could be especially harmful for communities of color, the ACLU argued in an October blog post, because vulnerable users will be compelled to exchange their data for lower prices, while more privileged users can afford to decline. This contradicts the protections brought on by the new SPI distinction.
CPRA’s biggest supporters, including Consumer Watchdog’s executive director, Carmen Balber, admit the legislation isn’t perfect but evinces a new model for stronger privacy protections.
“I would love to win the whole fight in one fell swoop, but that rarely, if ever, happens in the real world,” Balber says, instead noting that the legislation is written specifically to allow for future revisions. “I think that’s probably the model we’re going to see for [privacy] reform across the country.”