Consumer data privacy referendum: clear as mud

What can you say about a ballot measure, ostensibly designed to enhance online data privacy, that is being opposed not only by major technology companies but also by the ACLU, the Consumer Federation of California, Media Alliance and other consumer-leaning groups? It’s either poorly conceived or badly written — or both.

Proposition 24 is a 52-page maze that was drafted seemingly with the best of intentions but with problematic timing and strategy. It is either a critical safeguard for consumers, as argued in a Los Angeles Times opinion piece, or an undertaking that “doesn’t deserve support,” as the editorial board of the San Jose Mercury News would have you believe.

The California Privacy Rights and Enforcement Act of 2020 is the brainchild of Alastair Mactaggart, a backer of the landmark California Consumer Privacy Act of 2018. It aims to plug holes and provide more teeth for enforcement through a litany of amendments to the CCPA. At the same time, it could create new loopholes for businesses while continuing to make it difficult for consumers to prevent the collection and sharing of their data.

CPRA sponsor Californians for Consumer Privacy states that “Prop 24 safeguards our kids’ online privacy, reduces the threat of Identity theft and gives us the important privacy rights that we need to take back control over our personal data.” According to Prop. 24’s Findings and Declarations, “Even before the CCPA had gone into effect, the Legislature considered many bills In 2019 to amend the law, some of which would have significantly weakened It. Unless California voters take action, the hard-fought rights consumers have won could be undermined by future legislation.” What could possibly be objectionable about that?

To be fair, the measure includes a number of solid improvements to existing privacy laws. Among other things, it would create a new California Privacy Protection Agency with responsibility for policing compliance with the CCPA. Currently, the attorney general is tasked with overseeing CCPA compliance, along with everything else within his agency’s purview. A separate agency with its own budget and dedicated staff would be much better suited to the job. New Civil Code Section 1798.199.10 would establish a five-member board comprised of “Californians with expertise in the areas of privacy, technology, and consumer rights” with full authority to implement and enforce the CCPA. The measure would also make it harder for companies to flout the law by removing their ability to fix violations before being penalized for violations.

Of more questionable benefit to consumers is what has been labeled an enhanced “pay for privacy” scheme. Specifically, the initiative would exempt “loyalty clubs” from the CCPA’s existing limit on businesses charging different prices to consumers who exercise their privacy rights. This change would allow a business to withhold discounts from consumers who don’t agree to let the business harvest data about their shopping habits and profit from the disclosure of that data to other businesses. New Civil Code Section 1798.125 would include the following provisions:

(a) (3) This subdivision does not prohibit a business from offering loyalty, rewards, premium features, discounts, or club card programs consistent with this title.

(b) (1) A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale or sharing of personal information, or the retention of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is reasonably related to the value provided to the business by the consumer’s data.

The initiative would also expand an existing CCPA loophole allowing “financial incentives” for certain data processing, from just the “sale” of such data to the “sharing” of it.

Notably, the CPRA continues the existing CCPA opt-out formula for consumer control of data. Privacy advocates have universally called for an opt-in model, similar to the EU’s General Data Protection Regulation, under which businesses would not be able to collect, use, share, or store information without first getting express consumer consent. The Electronic Frontier Foundation, which has neither endorsed nor opposed Prop. 24, considers this a potentially fatal flaw.

“Studies show that defaults matter, because most people don’t change the settings of their devices and apps. Privacy should be the default, particularly when it comes to ensuring consumers have control over how their information flows into a complicated data ecosystem,” says the EFF. “Now is the time to flip the default, and thus ensure strong privacy protection. Prop 24 misses an opportunity to do so.”

Of equal concern is a provision that would allow the Legislature to approve an amendment to the CCPA with a simple majority vote, with a caveat: “The law should be amended, if necessary, to improve its operation, provided that the amendments do not compromise or weaken consumer privacy, while giving attention to the impact on business and innovation.” Nowhere does the measure define the amount or degree of attention that must be given to the impact on business and innovation. Conceivably, anything that strengthens consumer privacy could be considered illegal because it has a negative impact on business.

The bottom line is that the CCPA is imperfect and will need improvement. However, it has only been in effect for a few months. Until we have a meaningful track record with the nation’s most comprehensive data privacy law, it may be premature to do a wholesale rewrite of that law. Proposition 24 identifies and addresses many of the CCPA’s gaps, but it leaves a lot out. Rather than asking voters to decide such a complicated and convoluted issue, allow the Legislature to do its job. As other states — and the federal government — look to California for direction, let’s make sure we steer them the right way. 

Gerald Sauer, founding partner at Sauer & Wagner LLP in Los Angeles, is a veteran civil trial attorney who specializes in business, employment and intellectual property law.