The Pros, Cons and Neutral Cases for CPRA/Prop 24

The California Consumer Privacy Act (CCPA) – the country’s most ambitious state-level attempt at online consumer privacy protection – went into effect this year, and quickly disappointed many privacy advocates for its limited oversight and weak enforcement mechanisms.

Prop 24 – or, the California Privacy Rights Act (CPRA) – aims to plug many of the holes in the original legislation, and bring California regulations more in line with European GDPR standards, considered the strictest and most-sweeping worldwide.

However, the proposed CPRA “fixes” have caused a fragmenting between groups that in the past have been on the same sides of privacy issues.  Rather than the normal ‘business interests vs. consumer-advocates’ dynamic, even privacy-focused groups have split on whether to support or oppose the ballot initiative. Some believe it ‘makes things worse’, others believe ‘it doesn’t go far enough’, and others argue that, despite its mixed-bag nature, it is worth supporting simply to establish a baseline from which further improvements can be made.

We’ve rounded up arguments on all sides to help people make better sense of the issue before November.

The Pros of CPRA:

• Provides for independent enforcement of existing law.  Prop 24 creates a permanent privacy-law enforcement arm of the California government, which, while arguably still too small in scale, gives existing legislation the teeth it has been lacking so far, and could expand in the future with further political pressure.
• Aligns CCPA with EU GDPR. Prop 24 provides for a range of protections that allow companies already complying with EU regulations to simply extend those protections to Californians.
• Regulates ‘sharing’ (in addition to CCPA’s ‘selling’) of personal data. This area is complex, but it is an important step forward from a regulatory perspective. Despite some weaknesses, it may be enough to influence real changes in the way many businesses currently treat user-data.
• Allows greater individual controls over personal data. The legislation provides consumers the right to ‘correct’ misinformation about themselves being spread online.
• Perhaps most importantly: Provides a strong foundation for further improvements/amendments to law.  No one believes CPRA is a perfect fix, but it touches on many important areas, and provides a basis which future amendments can improve.

Supporters of Prop 24 include organizations like:

• Consumer Reports
• International Association of Privacy Professionals
• NAACP
• Consumer Watchdog
• Common Sense
• LA Times

The Cons of CPRA:

• The law ultimately requires consumers to ‘opt-out’. There’s no ‘privacy by default’.  Tech service providers can simply make opt-out processes complex or time-consuming and avoid compliance.
• “The law forces consumers to ‘Pay for Privacy’.” This is a popular argument that is a bit disingenuous. The proposal would allow service providers to offer discounts to users who permit data-sharing. More consumer choice is typically better than less, and if some users are willing to share data, then legislation shouldn’t bar that option
• ‘Who is covered by regulation’ is too narrow. The rules only apply to a few big players and only in certain ways; it doesn’t have the sweeping coverage of ‘all data processors’ that GDPR has.
• It takes away rights of individual action. While providing the appearance of oversight, the legislation bars individual or class-action lawsuits against violators. Enforcement of the law would be limited by the budget (and political interests) of the state regulators.
• Legal definitions of ‘sharing/selling data’ are increasingly complicated by the law. This creates new definitional loopholes, allowing for much of ‘business as usual’ to continue. 
• It actually weakens some restrictions in some important areas like data-portability, biometric data regulation, and requires consumers to inform every vendor of their opt-in/opt-out choices, rather than provide for a single, “do not share my data” option, which is the current CCPA regulation.

Opponents of Prop 24 includes organizations like:

• American Civil Liberties Union
• Public Citizen
• Consumer Federation of California
• San Francisco Chronicle
• Media Alliance

The Neutral Case:

• Electronic Freedom Foundation (EFF)

The EFF has long been one of the leading public advocacy groups focused on digital privacy issues.  Their current position — neither pro nor con — helps illustrate how divisive the CPRA has been among organizations with a stake in the outcome of this legislation.

Their position highlights many of the same issues raised by pro and con arguments, but takes a unique perspective on both:

• EFF prefers “opt-in” as the default starting point for meaningful privacy regulation; ‘defaults matter’, because most users are not sophisticated enough to navigate privacy settings for every service they use.
• ‘Data Minimization’ is not enough. Prop 24 doesn’t provide any meaningful restrictions on business data collection beyond the scope of what’s needed to provide specific consumer service.  It leaves the door open for services to operate as fronts for active collection efforts without full-transparency to users.
• Prop 24 doesn’t allow ‘full deletion’.  When consumers request their information not be sold or shared, it doesn’t require companies to fully purge data so long as they believe retention ‘helps ensure security’.  This leaves consumers perpetually vulnerable to data-breaches or exploitation even from ‘compliant’ companies.

EFF notes the law is still a net-net improvement on an otherwise toothless CCPA.  Their argument that the CPRA still amounts to “one step forward (in some areas), one step back (in others)” has merits, and is worth considering separate from cases made by other advocates.

Closing Perspective:

The CPRA represents one of the most ambitious and complicated pieces of privacy legislation yet proposed in the US, and will have a significant impact on regulatory attitudes/behaviors no matter which way it goes.  Many of the details currently being debated in California are mirrored in existing Federal privacy-law proposals; what we see from Congress in 2021 will depend greatly on the outcome of this vote in November.