Prop 24: Changes to Consumer Privacy Laws

Share:

The Question: 

Shall an existing law from 2018, the California Consumer Privacy Act, be amended to increase penalties on companies that fail to follow regulations; to allow consumers more easily to opt in and out of sharing their data; changes criteria for which businesses need to comply; and to create a new enforcement arm that would cost about $10 million annually?

The Situation: 

With increased technology, there is concern that powerful interests know too much about users, and we don’t know what they are doing with that data.. The Consumer Privacy Act of 2018 brought consumers protections, especially in helping them identify what kind of data were being collected on them. The current act affects businesses which (a) earn more than $25 million in annual revenue; (b) buy, sell or share data from 50,000 individuals, devices, or households; or (c) earn 50 percent or more of their annual revenues from selling personal data. These businesses must notify customers of data collection, comply with personal data privacy rights and not treat customers differently for not selling their data. They can be fined for each violation of these requirements.

The Proposal: 

Prop 24 would change the following:

  • Categories of businesses affected. Prop 24 would remove the “device count” in the current act and raise the threshold so that only businesses that buy, sell, or share data from 100,000 individuals or households are subject to the rules.
  • Consumer privacy rights.Consumers could direct businesses not to use their personal data for purposes other than the delivery of the actual services those consumers were buying. They could also ask for corrections in that data.
  • Higher penalties and less room to cure. Violation of a minor’s privacy rights could mean a fine of $7,500 (triple the current one). Where the current law gives a grace period of 30 days to fix privacy violations or instate the security measures whose absence enabled a data breach, Prop 24 would mandate immediate penalties.
  • Create a new agency. Prop 24 would create a new California Privacy Protection Agency, which would take over some enforcement functions from the Department of Justice.
Fiscal Effect: 

Prop 24 would provide about $10 million annually from our state’s General Fund, adjusted over time, to finance the new California Privacy Protection Agency. Overall state costs to the DOJ and trial courts probably wouldn’t exceed the low millions annually. Fines from new violations might offset these costs. Impacts on business and tax revenues are hazier: regulation can depress tax revenues by cutting into profits in the first place; but data breaches are costly, and it’s hard to know how many breaches would be prevented if new regulations forced businesses to protect their customers’ data better.

Support & Opposition
Supporters Say: 
  • Prop 24 would prevent businesses from using or sharing sensitive data about your health, finances, race, ethnicity, and precise location.
  • It would strengthen existing protections by establishing a new California Privacy Protection Agency with $10 million a year.
  • By virtue of being a ballot initiative, it is less vulnerable to watering down through the pressure that lobbyists put on legislators.
Opponents Say: 
  • Prop 24 puts the burden on consumers to opt out of countless intrusive data-collection practices, one by one, that companies are currently barred from, by default.
  • Hidden economic discrimination persists: people without money to spend cannot pay for “loyalty programs” and can expect worse connections, slower downloads, and more pop-up ads.
  • Prop 24 would allow employers to keep gathering data about things like employees’ pregnancies, religion, or political activism.