EFF works across the country to enact and defend laws that empower technology users to control how businesses process their personal information. The best consumer data privacy laws require businesses to get consumers’ opt-in consent before processing their data; bar data processing except as necessary to give consumers what they asked for (often called “data minimization”); forbid “pay for privacy” schemes that pressure all consumers, and especially those with lower incomes, to surrender their privacy rights; and let consumers sue businesses that break these rules. In California, we’ve worked with other privacy advocates to try to pass these kinds of strengthening amendments to our existing California Consumer Privacy Act (CCPA).
Prop 24 does not do enough to advance the data privacy of California consumers. It is a mixed bag of partial steps backwards and forwards. It includes some but not most of the strengthening amendments urged by privacy advocates. This post addresses some of the provisions in this 52-page ballot initiative, and some missed opportunities.
More compulsion to pay for our privacy
Prop 24 would expand “pay for privacy” schemes. Specifically, the initiative would exempt “loyalty clubs” from the CCPA’s existing limit on businesses charging different prices to consumers who exercise their privacy rights. See Sec. 125(a)(3). This change would allow a business to withhold a discount from a consumer, unless the consumer lets the business harvest granular data about their shopping habits, and then profit on disclosure of that data to other businesses. The initiative also would expand an existing CCPA loophole (allowing “financial incentives” for certain data processing) from just “sale” of such data, to also “sharing” of it.
Unfortunately, pay-for-privacy schemes pressure all Californians to surrender their privacy rights. Worse, because of our society’s glaring economic inequalities, these schemes will unjustly lead to a society of privacy “haves” and “have-nots.”
A missed opportunity on privacy-preserving defaults
EFF advocates for an opt-in model of data processing, where businesses cannot collect, use, share, or store our information without first getting our explicit consent. This makes privacy the default option. Studies show that defaults matter, because most people don’t change the settings of their devices and apps. Privacy should be the default, particularly when it comes to ensuring consumers have control over how their information flows into a complicated data ecosystem.
The CCPA, while an important law, places the burden on consumers to opt-out of the retention and sale of their information. But most people will never do this. This allows businesses to continue to retain and sell their data, though many of these people do not want this.
Now is the time to flip the default, and thus ensure strong privacy protection. Prop 24 misses an opportunity to do so.
A half-step on data minimization
Prop 24’s data minimization rule is only a partial step forward. Businesses must be prohibited from collecting a consumer’s personal information beyond what is necessary to provide the consumer the good or service they requested. That was the approach in this year’s California A.B. 3119 (Asm. Wicks), which the privacy coalition supported.
Because the initiative’s minimization rule uses the standard of what a business expects rather than what consumers expect, Californians will be surprised by how companies continue to process their information—running counter to the goals of true data minimization.
Erosion of the right to delete
Prop 24 would expand the power of a business to refuse a consumer’s request to delete their data. Specifically, a business could refuse when it believes retention would “help to ensure security and integrity,” see Sec. 125(d)(2), broadly defined to include the ability of an information system to detect security incidents that compromise data, see Sec. 140(ac). Businesses may argue this allows retention of great volumes of consumer data, despite deletion requests, in the name of detecting adtech fraud.
Moreover, the initiative would diminish a business’ duty to transmit a consumer’s deletion request to downstream entities who got that consumer’s data from that business. Specifically, a business could refuse if doing so required “disproportionate effort.” See Sec. 105(c)(1). Yet it would be highly burdensome for a consumer to identify these downstream entities and then send them additional deletion requests.
Weaker biometric privacy
Prop 24 would end CCPA protection of biometric information (such as DNA or faceprints), when the business processing such information does not use it to establish an individual’s identity or intend to do so. See Sec. 140(c). A business might later change course and use that same biometric information to establish an individual’s identity, at which point CCPA would apply, but the unregulated processing would already have occurred.
More mixing of data
Prop 24 would expand the power of service providers (which process data for businesses) to combine sets of consumer data that they obtain from different businesses or directly from consumers. Specifically, a service provider could do so for “any business purpose” that is later defined by regulations. See Secs. 140(ag)(1) & 185(e)(10). While this power-to-combine cannot extend to advertising to consumers who opt-out, see Sec. 140(e)(6), many consumers will not opt-out, and even as to them, combined data sets can be used for many other purposes.
No enforcement by consumers
Prop 24 does not empower consumers to sue businesses that violate their privacy rights. Without effective enforcement, a law is just a piece of paper. It is not enough to authorize a government agency to enforce the law, whether it is a unit of the California Attorney General’s Office (as currently under CCPA), or a new freestanding data protection agency (as proposed by Prop 24). No agency will have sufficient resources to enforce all violations of a law, and every agency is at risk of excessive influence by businesses over enforcement decisions.
Some provisions of Prop 24 are partial steps forward, so we don’t oppose the initiative outright, but we don’t support it either, because the forward steps are only partial, and must be weighed against the backward steps and missed opportunities. For example:
- There is a new right to opt-out of certain uses of what Prop 24 calls “sensitive” personal information, see 121, but lots of unprotected data is also highly sensitive (such as immigration status and familial relationships), and the privacy-protection default should be opt-in and not opt-out.
- There is a new right to opt-out of what Prop 24 calls data “sharing,” see 120(a), and a new limit on data “sharing” by third parties, see Sec. 115(d), but Prop 24 restrains these new “sharing” rules to just data for cross-context behavioral ads, see Sec. 140(ah).
- While EFF supports laws requiring businesses to comply with “Do Not Track” and similar browser signals displayed by consumers, Prop 24 gives each business the unilateral choice whether to comply with what the initiative calls “opt-out preference or signals,” or instead to comply with CCPA’s existing mandate to post a “Do Not Sell” link on its website. See 135(b). Strong privacy protection would require all businesses to both comply with user opt-out signals and post a “do not sell” link on their websites.
- There is a small expansion of CCPA’s private right of action for data breaches, see 150(a)(1), and removal of the notice-and-cure obstacle to Attorney General enforcement, see Sec. 155(b), but Prop 24 leaves consumers powerless to enforce almost all its safeguards. Again, all privacy safeguards need enforcement with a robust private right of action. Notably, the original data privacy ballot initiative in 2018 had a private right of action, but this enforcement measure was excised as part of the compromise that led to legislative enactment of the CCPA.
EFF will continue to work with other privacy advocates to pass new consumer data protections in California and across the country. But we won’t be supporting Prop 24.
Wednesday 29th July 2020 8:07 pm