In case this election wasn’t stressful enough, a confusing, controversial ballot measure in California is creating a rift among civil liberties advocates over whether the legislation is truly good for people’s privacy—or a half-step in the wrong direction.
The California Privacy Rights and Enforcement Act, also known as Prop 24, or CPRA, is an update to the lackluster privacy law that California first put into place in 2018. Supporters say this measure ties up the many, many (many) loose ends that let data-mining companies run rampant under that first legislation, the California Consumer Privacy Act. But you’ll also find just as many people who argue Prop 24's sanded edges discount the people who arguably need privacy the most.
On one hand, you have parties like the American Civil Liberties Union arguing that CPRA’s current iteration would cripple the basic data privacy rights for communities of color. On the other hand, you have the NAACP’s California branch shouting back saying that, actually, the measure is specifically built to protect the data of people of color.
You also have a New York Times op-ed, published last week, suggesting that Prop 24 in its current state is too flawed to actually be worth voting for. Then again, this piece was also immediately subtweeted by one of the Times’s own engineers, who pointed out that some of the flaws the writer pointed to didn’t actually exist. Even the people who worked together on the original 2018 law have spent months getting into a public, messy brawl over the update.
At the center of this divide is the ballot measure itself (you can read it here). Warning: It’s dozens of pages of murky legalese discussing the specifics of the digital data mining industry—a field that’s boring and arcane to the point that explaining how it works often takes stacks of diagrams.
We have no diagrams here, but there sure is a lot of jargon being taken out of context—or flat out misunderstood—by folks on both sides of Prop 24, which partially explains how a single document could pit people against each other, even though they’re ostensibly fighting for the same thing. Making everything worse is the fact that tech companies in the data space have offered half-assed explanations of how their software actually earns them obscene amounts of money—and far too many people have learned to accept these bullshit talking points as fact.
Prop 24 isn’t just a badly written privacy law, but a badly written privacy law about a subject few people truly understand. And that’s one of the big reasons we ended up with it at all.
In short, California shit the bed with their first attempt at passing a major privacy law. In the mad dash to get this bill signed into law two years ago, The California Consumer Privacy Act was filed—typos and all—to lawmakers who were incentivized to get this thing out the door and into the hands of Governor Jerry Brown as fast as humanely possible, in an attempt to pre-empt the then-impending November ballot. By the time Brown gave his stamp of approval on the CCPA back at the end of June 2018, it was after barely a week of debate from the legislators and proponents involved.
And all things considered, the law is... okay. The General Data Protection Regulation (GDPR) had been enacted in the EU not long before the CCPA was ready to make its debut in California, so it was easy to make comparisons at the time, with some folks dubbing the CCPA the diet version of GDPR. Like its European counterpart, the CCPA was put into place to give citizens (Californians, specifically) a better sense of the players hiding in plain sight. It was pitched as giving Californians the chance to pry their data back from these companies and, in some cases, have those companies legally required to erase that person’s data entirely. Aside from that, it promised to make maintaining our privacy less of an inconvenient nightmare by creating a “global-opt-out” system that would allow Californians to purge the trackers from every site they visit in one fell swoop, rather than being forced to opt-out on every page they visit.
That’s how it was supposed to work, but there’s only so much good intentions can do when you end up passing a law like CCPA that both promises to protect all of California’s personal data while barely bothering to define what “personal data” actually means. Other notable bungles include telling Californians that they could opt-out of companies like Google “selling” their data under CCPA, while ignoring that the tech giant doesn’t “sell” your data as much as “share” it with interested third parties. Tech players are given ample excuses to outright ignore any data deletion request they get. And because Facebook, Google, and Amazon lobbied like hell to keep CCPA-based suits to a minimum, state Attorney General Xavier Becerra is the only person who’s authorized to actually launch any CCPA-suits right now, even though he’s the first to admit he has no time to really pursue that.
Well, it closes a few of the biggest. First, it expands the CCPA’s “do not sell” provision to something that’s closer to “do not share,” which makes it that much harder for the Facebooks and Googles of the world to ignore opt-out requests on the grounds that they don’t technically “sell” user data. Second, the legislation cuts targeted ads from the list of approved “business purpose[s]” used by data brokers and ad middlemen to ignore the average opt-out request on the other end. The CPRA also moves the burden of chasing the tech giants from the AG’s office a new California Privacy Protection Agency that will require $10 million in funding to be pinched from the state legislature annually in order to survive, unfortunately.
It also finally cements what kind of “personal data” is actually personal. “Sensitive Personal Information,” according to the new ballot, includes everything from a person’s precise location to their race, ethnicity, religious beliefs, and union memberships, along with much, much more. If CPRA comes to pass, apps and sites that collect the data under this umbrella are required to disclose exactly what they’re collecting, why they’re collecting it, and with whom—if anyone—they’ll be “sharing” or “selling” that data.
This in itself is huge. Data related to race and ethnicity has been abused by companies like Uber to shift its pricing algorithm, and data related to someone’s sexuality is regularly pawned off by the companies behind apps like Grindr and OKCupid. Meanwhile, the types of telemedicine services that many of us have come to rely on during the current pandemic have been caught exploiting legislative ambiguities surrounding our health data to share sensitive intel with their own third-party partners.
Ideally, CPRA would allow Californians to opt-out of this sort of data collection before it happens, or at the very least know what kind of sensitive data might be at stake before they hit “download” in the app store.
The last particularly interesting tidbit is that the CPRA explicitly clamps down on any efforts to weaken the law’s privacy protections moving forward, stating that any amendments need to actually bolster the state’s privacy chops. A stipulation like this would have come in handy back in 2018 since it’s exactly this type of scuttling that helped turn the CCPA into a sad, watered-down mess.
It’s far from perfect. Even if CPRA does end up winning the California vote this election, it wouldn’t be enacted until 2023. The measure also means less scrutiny for smaller companies since it excludes many businesses that made less than $25 million a year in revenue the year before and collect data on fewer than 100,000 Californians per year—twice the data-collection threshold of the CCPA. Given that the digital data industry is full of tiny players that are already barely regulated, the idea of targeting only the big fish doesn’t sit right with me here. Neither does the somewhat hands-off approach California plans to take regarding data companies collect about their employees, which is kind of icky for all sorts of reasons.
Also, both the Electronic Frontier Foundation and the ACLU say that CPRA would allow advertisers to run pay-for-privacy schemes through their loyalty programs, withholding discounts or potential perks unless a user coughs up some data. As the ACLU’s Northern California branch pointed out in a statement, this kind of pricing model encourages the people who need these sorts of perks most shouldn’t be goaded into giving up their data to do so. It’s not that these schemes are banned under CCPA—they’re not. It’s just that Prop 24 explicitly allows them, codifying a CCPA loophole privacy advocates find problematic.
Beyond the pay-for-privacy exemptions, there’s also the fact that the credit-reporting giants like Experian and Equifax fought hard—and succeeded—in keeping themselves exempt from the CCPA update. That means that as long as they oblige with the Fair Credit Reporting Act, these agencies are free to share data gleaned from your report with anyone who’s willing to pay for it, including advertisers and data brokers. These same brokers are also allowed to keep scraping any personal intel they’re able to find on public records and social media profiles under the new mandate—that is, if Facebook doesn’t sue them first.
Also exempt are companies that collect biometric information, as long as that information can’t be used to narrow down someone’s “individual identity.” But the term “individual identity,” like “personal data” under the CCPA, is hand-wavey enough that companies could undoubtedly exploit it to continue collecting people’s fingerprints and face-pictures with minimum scrutiny. While these sorts of biometrics is explicitly listed under the CRPA’s definition of “sensitive” data—which should imbue it with extra protections—this little carveout arguably negates it.
I truly don’t know, dude!!! CPRA closes some big loopholes and adds clarity to the opaque space of data collection. But that clarity comes at the cost of codifying some problematic practices, and it carves out space for bad actors to continue to operate with impunity. It’s an imperfect piece of legislation, to say the least. And passing it may eliminate the incentives to pass something better in the future—or, possibly, give California lawmakers a better starting point to improve the law going forward. Like the data industry itself, the CPRA gives us no clear answers.