Californians Expected to Say Yes to Retooled Privacy Law
Election watchers expect California to revamp its state privacy law through a Nov. 3 ballot vote. The replacement for the California Consumer Privacy Act (CCPA) could have national ramifications, experts told us. If voters agree, the proposed California Privacy Rights Act (CPRA), or Proposition 24, would take effect Jan. 1, 2023. “The one-two punch here for the biggest platforms would be CPRA passing and Democrats sweeping the elections,” said Cowen analyst Paul Gallant.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
CPRA would permit consumers to “prevent businesses from sharing personal information, correct inaccurate personal information, and limit businesses’ use of ‘sensitive personal information,’ including precise geolocation, race, ethnicity, and health information,” says a state summary of Prop 24. Big changes include establishing a state agency to enforce the law and creating a new category for sensitive personal information. Unlike CCPA, which became law from legislation, CPRA if passed as a ballot initiative would limit the legislature’s ability to make changes later.
Prop 24 received some high-profile endorsements, including from Lt. Gov. Eleni Kounalakis (D), Rep. Ro Khanna (D), former presidential candidate Andrew Yang (D), California Senate Majority Leader Robert Hertzberg (D) and Oakland Mayor Libby Schaaf (D). About 77% of likely California voters support CPRA, according to Goodwin Simon Strategic Research polling paid for by the Yes on Prop 24 campaign. The researcher surveyed 600 likely voters Sept. 29-Oct. 5.
“A new California privacy law could easily become the de facto U.S. privacy law” until Congress acts, Gallant said. Or it could create “momentum for Congress to do something similar both in terms of tight regulation and also setting up a new regulatory body.” It will probably pass because “there’s really only one answer when you ask people, ‘Do you want more privacy protection from the government?’” Internet companies should be concerned because CPRA ballot proponents learned from their CCPA missteps, said Gallant: Industry “softened CCPA through legislation ... but that won’t happen here.”
CPRA may inspire more states to make privacy laws, said Wiley Rein's Joan Stewart. “Other states are going to look at this,” either as a model for legislation or a ballot measure, she said. Stewart isn’t sold on CPRA driving a national law: If compliance “complicates things enough for businesses, there might be an increased push,” but impact might hinge on what happens in the national election and “what balance we end up seeing in Congress.” She noted “breakdowns on both sides of the aisle during the last few rounds of discussions of a national law.”
A national law has proved elusive, Dorsey's Jamie Nafziger emailed. “Years and years of efforts at an overarching national privacy law have failed. We have seen some movement in negotiating stances on a federal law since CCPA took effect.” Nafziger hopes federal lawmakers take one lesson CPRA proponents learned from CCPA, which is to reduce impact on small businesses. The new version would apply to businesses with data of at least 100,000 consumers or households, which is double CCPA and doesn’t count individual devices like CCPA does.
“If CPRA passes by a wide margin, Congress will feel compelled to treat the CPRA as its template,” warned Santa Clara University law professor Eric Goldman Sept. 17, opposing the initiative. “This is how a deeply flawed privacy law, drafted behind closed doors by people we never elected, could become the national standard.”
Likely Yes
“It is a terrible ballot initiative and unnecessary in light of CCPA but it is very likely to pass,” emailed Frankfurt Kurnit's Tanya Forsheit, representing businesses. Support from California voters seems likely, with businesses not strongly pushing back against largely positive messaging on CPRA, said Stewart. “How much research is the average voter going to do?” Still, the privacy lawyer advises clients to wait before launching CPRA compliance efforts, since the law, if passed, wouldn’t take effect for two years: “Unlike the CCPA, we’re not going to be scrambling.”
Most voters will probably say yes to CPRA, agreed Nafziger, but companies “have about a year to comply with most sections so haven’t begun too much compliance work yet,” she said. “I have not seen any slowing of CCPA compliance efforts and would not recommend that companies slow their efforts because the CCPA is in effect and is currently being enforced.”
“Polling shows strong support for this initiative,” Coblentz Patch attorneys blogged Oct. 14. “Businesses can expect much more rigorous enforcement of privacy laws in California” with an independent agency enforcing violations. Some privacy fans oppose CPRA. The American Civil Liberties Union opposes companies discounting service to those willing to give up their data. “By forcing Californians to pay for their privacy and opt-out, it places the burden of privacy on the individual, a load those in working families and marginalized communities cannot bear,” ACLU’s Jacob Snow and Chris Conley blogged Oct. 16.
Other consumer groups support the ballot initiative. “Californians won’t have to worry about the legislature repealing key privacy rights, will have stronger rights to personally enforce privacy laws and will have the protection of a well-staffed and funded European-style privacy commission,” Consumer Watchdog Executive Director Carmen Balber said Aug. 13.
Consumer Reports urges a yes vote on Prop 24 despite opposition from some of its "closest allies," Policy Analyst Maureen Mahoney blogged Friday. CPRA isn’t perfect, and additional steps are needed, but the proposed law would close some of CCPA’s “worst loopholes that companies have exploited to deny consumers’ opt-out requests,” she said. It’s not worse than CCPA on pay-for-privacy schemes, she added. “On the whole, consumers will have significantly stronger protections under Prop. 24 than under CCPA.”
Elsewhere
Other states have communications policy-related votes coming up.
Michigan voters will decide Nov. 3 on a proposed constitutional amendment to require search warrants to access electronic data and communications. The proposal would apply the same conditions required for the government to get a warrant to search a house or seize a person’s things.
Residents of Denver and two other municipalities will vote on opting out of Colorado’s municipal broadband ban (SB-152). The city and county would join 42 of 64 other counties and 112 of 270 municipalities that previously voted to opt out (see 2004080015). Most urban counties haven’t asked the question, probably because they already have broadband, emailed Colorado Counties Inc. Policy Director Eric Bergman. New Mexicans will vote on switching from an elected to governor-appointed Public Regulation Commission (see 2010060051).