California Passes Nation's Most Stringent Consumer Data Privacy Law

Tami Abdollah

Tami Abdollah was dot.LA's senior technology reporter. She was previously a national security and cybersecurity reporter for The Associated Press in Washington, D.C. She's been a reporter for the AP in Los Angeles, the Los Angeles Times and for L.A.'s NPR affiliate KPCC. Abdollah spent nearly a year in Iraq as a U.S. government contractor. A native Angeleno, she's traveled the world on $5 a day, taught trad climbing safety classes and is an avid mountaineer.


California voters overwhelmingly approved a ballot measure that expands consumer data privacy by limiting what businesses can do with consumers' personal information. The new law puts a stringent baseline privacy standard in place for the nation's largest economy, creating a new enforcement agency and closing an earlier law's loopholes.

The ballot initiative, Proposition 24, won more than 56% of the vote as of Wednesday morning. The new law is the most robust consumer data privacy law in the U.S. Some privacy experts compare it to Europe's data protection rules, which have had a major impact on what U.S. companies can do with data on citizens across the Atlantic.


Among its impacts, the new law, known as the California Privacy Rights and Enforcement Act (CPRA), requires businesses to let consumers opt out of the collection of sensitive personal information, such as geolocation, race, ethnicity, religion, genetic data, private communications, specific health information and sexual orientation. It also requires businesses to refrain from sharing users' personal information if they request it.

CPRA expands and amends an existing law passed just two years ago, known as the California Consumer Privacy Act (CCPA). That law only began to be enforced this July after a slew of amendments were passed by the Legislature.

Proposition 24 was put forward by San Francisco real-estate developer Alastair Mactaggart, who had previously put forward a ballot initiative for consumer data privacy in 2018. He withdrew that measure to work with the state Legislature to create CCPA. Mactaggart said the new amendments weakened consumer data privacy rights, prompting him to put forward a new initiative that can't be amended without voter approval.

Mactaggart called the new law historic and said it "will profoundly shape the fabric of our society by redefining who is in control of our most personal information and putting consumers back in charge of their own data."

The ballot initiative was backed by former presidential candidate Andrew Yang, but was notably opposed by the American Civil Liberties Union, League of Women Voters of California and the Consumer Federation of California.

The ACLU of Southern California called the initiative "a fake privacy law" that requires people to "jump through more hoops" and includes carve-outs that, for example, let law enforcement direct a business to retain consumer information for 90 days to pursue a court-issued subpoena, order or warrant.

Those in opposition to the new law say an "opt-in" button that makes data privacy a default option, and prevents companies from potentially penalizing consumers for opting out, would be more effective.

The law establishes a new "California Privacy Protection Agency" to implement and enforce the law as well as impose fines.

Businesses will be required to get permission to collect data from consumers younger than 16, receive parent or guardian approval to collect data from consumers younger than 13 and correct inaccurate personal information, if asked. The law requires businesses to notify consumers whether information is shared or sold and to give details on how long that information is kept. It also allows people to request that information be deleted. It is up to businesses to ensure that the third parties they provide information to, such as a contractor, partner or vendor, do the same. Lastly, the law requires businesses to provide "reasonable security" for sensitive data and puts in place penalties for breaches, including those involving emails and passwords.

The Electronic Frontier Foundation, a nonprofit digital rights advocacy group, did not take a position on the measure.



How does Prop. 24 impact your business? Are you worried? Excited? Hit me up. My DMs are open on Twitter @latams. You can also email me at tami(at), or ask for my contact on Signal, for more secure and private communications.
