The League of Women Voters supports the protection of consumers’ private data. Prop 24 includes some beneficial elements, but we oppose due to the complexity of a 52-page initiative with impacts and nuances that are difficult for voters to discern and rollbacks to existing protections. Among the troubling aspects of Prop 24 is its expansion of “pay for privacy” through the addition of loyalty and rewards programs, allowing businesses to charge consumers more or provide worse service if they choose to exercise their privacy rights. The initiative also allows businesses to require consumers to direct each individual website and app not to sell information - weakening the current legal requirement that companies respect a global opt-out for all services. These burdens are fundamentally inequitable, placing the onus on the average consumer to protect their own privacy. Working people don't have the time to do the paperwork and they can't afford to pay companies to respect their wishes. Finally, the initiative comes less than a year after the 2018 California Consumer Privacy Rights Act went into effect, before we have had an opportunity to see how the new law works or the legislature has had a chance to address any defects.
Vote NO on Prop 24
In 2018 California passed the California Consumer Privacy Act (CCPA). The CCPA guarantees consumers certain rights and protections with respect to the collection and sale of their personal information. Consumers have the right to know about and access the personal data a business collects and if it’s sold or disclosed, opt-out of the sale of personal information to third parties, and request the deletion of personal information collected from them. Either consumer or parent/guardian permission is required to sell personal information of those under the age of 16, and parent/guardian permission is required to sell personal information of consumers under the age of 13. The CCPA also provides a right to equal service and price whereby businesses may not discriminate or provide inferior service if the consumer exercises their privacy rights. However, businesses may offer financial incentives for the collection or sale of personal information.
Prop 24, the California Privacy Rights Act of 2020 (CPRA), proposes to revise the CCPA. It would:
- Create the California Privacy Protection Agency to hold companies accountable and impose penalties for infractions.
- Allow consumers to request that businesses not share sensitive information about health, genetic data, finances, race or ethnicity, religion, sexual orientation, private communications, and precise geolocation.
- Triple the fines for violations involving children’s privacy.
- Make data breaches of email addresses along with information that would permit access to an account (such as a password) subject to penalties.
- Eliminate the ability of businesses to avoid penalties by addressing violations within 30 days of being told of the violation.
The League of Women Voters supports the protection of consumers' private data. We oppose Prop 24 because its beneficial elements are outweighed by its privacy rollbacks and numerous shortcomings. Furthermore, consumer data protection is enormously complex. Prop 24 attempts to address the issues in a densely worded 52-page initiative that will be difficult for most voters to understand. It is the role of the legislature to grapple with matters like this in an open and transparent manner through a process that offers an opportunity for hearings, debate, and public engagement. From a practical point of view, California’s businesses are now working to implement the 2018 CCPA legislation that went into effect in January 2020. It is too soon to ask businesses to respond to a new set of regulations that still do not meet privacy standards required to protect consumer data from misuse.
Our concerns, flagged by leading consumer and privacy organizations, include the following:
- Pay for Privacy. Prop 24 expands the ability, which already exists in the CCPA, for businesses to provide inferior service for consumers who don’t pay to protect their confidential information, and superior service for Californians who do pay. Under current law a charge is allowed if it’s reasonably related to the value provided to the business by the consumer’s data. Prop 24 expands current law by exempting loyalty clubs and rewards programs from existing limits and allows businesses to withhold discounts unless they can harvest data about shopping habits.
- Opt-out versus opt-In. Prop 24 misses an opportunity to enact a consumer-friendly opt-in system and keeps the burden on consumers to opt-out of the retention and sale of their information.
- Opting out is more difficult. Prop 24 allows businesses to post a Do Not Sell link on their website as an alternative to complying with global opt-out browser or phone settings chosen by the consumer. While global settings may not be available yet, they will be soon. Unfortunately, Prop 24 would throw us back into the world of placing an exhausting burden on consumers to notify every online business, website, and app to preserve their privacy.
- Inequitable. Prop 24 preserves and exacerbates the problem of inequitable access to privacy rights. From its pay for privacy components to a complicated opt-out structure, it places the burden on the average consumer to protect their own privacy. Working people don't have the time to do the paperwork and they can't afford to pay companies to respect their wishes. As a result, Prop 24 will disproportionately harm vulnerable communities, like the poor and elderly.
- Impedes minimization of data collection. Instead of limiting the collection of a consumer’s personal information to what is necessary to provide the service or good a consumer seeks, Prop 24 allows the business to collect consumer information according to the business’ view of what data is needed to accomplish its commercial purposes.
- Weakens biometric data protections. Prop 24 weakens consumer protections for businesses collecting biometric information, such as DNA or faceprints. Current law protects biometric data if it “can be used” to identify a consumer, but Prop 24 protects it only if it “is used or intended to be used” to identify a consumer.
- Exposes social media data to mining. Prop 24 expands the definition of publicly available information to include information collected from social media sources. This opens the door to the sort of problem we saw with Clearview where the company amalgamated images of people, created a facial recognition database, and then sold access to that database to law enforcement, including federal immigration authorities. Nota Bene: Clearview has since announced that they are no longer selling to private companies.
- Makes data deletion more difficult. Prop 24 reduces a business’s duty to send the consumer’s deletion request to downstream entities who also received that consumer’s data from the business. In this way, service providers are more able to combine sets of consumer data collected from different businesses or from consumers.
- Limits privacy rights to California. Under current California law, your privacy follows you wherever you go. Under Prop 24, while a user’s data would be protected within California, any stored data could be collected and used by a business when the user leaves California.
Paid for by League of Women Voters Supporting Schools and Communities First – Yes on Prop 15 (Nonprofit 501(c)(4))