California voters overwhelmingly approved a ballot measure that expands consumer data privacy by limiting what businesses can do with their personal information. The new law puts a stringent baseline privacy standard in place for the nation's largest economy — creating a new enforcement agency and closing an earlier law's loopholes.

The ballot initiative, Proposition 24, won more than 56% of the vote as of Wednesday morning. The new law is the most robust consumer data privacy law in the U.S. Some privacy experts compare it to Europe's data protection rules, which have had a major impact on what U.S. companies can do with data on citizens across the Atlantic.

Proposition 24 was put forward by San Francisco real-estate developer Alastair Mactaggart, who had previously put forward a ballot initiative for consumer data privacy in 2018. He withdrew that measure to work with the state Legislature to create CCPA. Mactaggart said the new amendments weakened consumer data privacy rights, prompting him to put forward a new initiative that can't be amended without voter approval.

Mactaggart called the new law historic and said it "will profoundly shape the fabric of our society by redefining who is in control of our most personal information and putting consumers back in charge of their own data."

The ballot initiative was backed by former presidential candidate Andrew Yang, but was notably opposed by the American Civil Liberties Union, League of Women Voters of California and the Consumer Federation of California.

The ACLU of Southern California called the initiative "a fake privacy law" that requires people to "jump through more hoops" and includes carve outs that, for example, let law enforcement direct a business to retain consumer information for 90 days to pursue a court-issued subpoena, order or warrant.

Those in opposition to the new law say an "opt-in" button that makes data privacy a default option — and prevents companies from potentially penalizing consumers for opting-out — would be more effective.

The law establishes a new "California Privacy Protection Agency" to implement and enforce the law as well as impose fines.

Businesses will be required to get permission to collect data from consumers younger than 16, receive parent or guardian approval to collect data from consumers younger than 13 and correct inaccurate personal information, if asked. It requires notice to consumers whether information is shared or sold and details on how long that information is kept. It also allows people to request information be deleted.It is up to businesses to ensure the third parties they provide information to — such as a contractor, partner or vendor — do the same. Lastly, businesses are required to provide "reasonable security" for sensitive data and puts in place penalties for breaches including for emails and passwords.

The Electronic Frontier Foundation, a nonprofit digital rights advocacy group, did not take a position on the measure.

READ MORE: On what this law means moving forward, and the winners and losers.

___

How does Prop. 24 impact your business? Are you worried? Excited? Hit me up. My DMs are open on Twitter @latams. You can also email me at tami(at)dot.la, or ask for my contact on Signal, for more secure and private communications.