At present, there is little to discourage a business from collecting as much information as possible about a person and sharing that information to the extent that it is profitable. Though a business may face increased data breach risk, there is little to indicate it is a significant deterrent.
The Proposition
Prop 24 requires businesses to minimize use, retention and sharing of personal information to what is “reasonably necessary and proportionate to achieve the purposes” for which the information was collected.
Our Analysis: A Partial Step Forward
We strongly support the concept of data minimization—collecting, keeping, using and sharing the smallest possible amount of personal information. However, Prop 24 undercuts its data minimization requirement by allowing further data processing “for another disclosed purpose that is compatible with the context of” the original purpose. This language is problematic since a business might simply disclose additional purposes in a privacy policy. In addition, it does not take the person’s reasonable expectations into account, but instead centers on what the business considers contextually compatible.
Current California law provides a broad definition of biometric information, defining it as characteristics that “can be used . . . to establish individual identity.”
The Proposition
Prop 24 would narrow the existing definition considerably to information that “is used or intended to be used” to establish individual identity.
Our Analysis: A Step Backward
Protecting biometric information (such as a person’s fingerprint, face geometry, DNA, iris, gait, voice or other attributes) is critical. If Prop 24 passes, a business could collect information that could be used to identify a person based on biometric characteristics, but that information wouldn’t be protected as such unless the business intended to or later decided to use it to establish the person’s identity.
When the California Consumer Privacy Act was passed in 2018, Californians gained the right to request that a business delete their data.
The Proposition
Prop 24 would allow a business to deny a person’s request to delete data when maintaining that information is “reasonably necessary to help ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for those purposes.”
Our Analysis: A Step Backward
Prop 24 weakens the right to delete by expanding the exceptions a business can use to deny a person’s request. This language is overly broad and vague, and risks allowing businesses to refuse legitimate requests. It is easy to argue that any information could be helpful to ensure security and integrity. Existing law already contains many exceptions to the right to delete.
Under current law, Californians have a limited ability to directly sue businesses for violating their privacy rights (private right of action) when there is a data breach. However, in most situations where a business violates a person’s privacy rights, that person’s only hope is that the Attorney General’s office acts to enforce.
The Proposition
Prop 24 establishes the California Privacy Protection Agency, a new agency tasked with enforcing California privacy laws. The agency would start with a budget of $10 million to dedicate to privacy enforcement (more than twice what the California Attorney General’s office has for enforcing privacy laws).
Prop 24 also slightly expands an existing private right of action for data breaches.
Our Analysis: A Missed Opportunity
The strongest consumer protection laws allow people to directly sue businesses when they violate the law. Prop 24 could have been drafted to significantly enhance individuals’ ability to enforce their privacy rights through a private right of action. If it passes, people will continue to rely primarily on an enforcement agency to protect their rights, and it is difficult to predict the effectiveness of a new agency.
Currently, the burden is on individuals to proactively exercise their privacy rights under the California Consumer Privacy Act. The exception is that a business must get permission to sell information of children under 16.
The Proposition
Prop 24 does not change this except that it now requires a business to get permission to sell or share the information of children under 16.
Our Analysis: A Missed Opportunity
We support an opt-in model where a business must get a person’s permission before it can collect, use or share information. Prop 24 misses the opportunity to protect privacy by default. Absent a tool to handle and manage individual opt-outs in bulk (we aren’t aware of one that exists yet), individuals must be aware of their rights and also have the time and ability to exercise them for each business with which they interact—an onerous task favoring people with time and money to take it on. Even when people decide to take action to exercise their rights, it is difficult to know whether a business has complied with a request.
While some legal scholars believe an opt-in standard would face serious challenges in court, we are concerned Prop 24 could further cement the existing opt-out framework.