- The passage of California's Prop 24 will hit the data-broker industry hard and create a new state regulatory agency.
- The new law adds stringent legal requirements to how businesses collect and share consumer data.
- The new law is similar to Europe's GDPR law, which could give California businesses a leg up in dealing with European citizens' data.
The implications of California's new consumer data privacy law will ripple through the Golden State and potentially the nation, striking a large blow to the estimated $200-billion data broker industry and heralding a new industry that tracks down shared data and enforces its deletion, experts say.
Proposition 24 was overwhelmingly approved by voters Tuesday, just four months after state businesses were legally required to follow new consumer data privacy standards passed by the Legislature in 2018. The new California law, now the nation's strictest consumer data privacy law, adds even more stringent legal requirements to how businesses collect and share consumer data, ups penalties and potential liability, and sets up a new $10-million-per-year state agency to implement and enforce it.
More Compliance, and a New Industry to Track Down Data
"The companies are fatigued," said Jim Koenig, partner and co-chair for Fenwick & West LLP's privacy and cybersecurity practice. "Now there's another ballot initiative they have to prepare for as well [and] it's costing more money, more time and more staff focus."
Koenig said the new changes, especially in the nation's largest economy, create a "de facto baseline" on privacy for businesses nationwide because they "can't easily segregate out California customers from the rest of the customers in your program."
That means some companies may have to pick and choose what to comply with, depending on how much risk they are willing to take on, Koenig said.
In an interview with dot.LA Wednesday, San Francisco real-estate developer Alastair Mactaggart, who sponsored the new law, said he felt compelled because the Legislature could always be swayed by businesses that had already tried to gut massive portions of the 2018 law.
"Had this not passed, CCPA [the 2018 law] would have been unrecognizable in five years, for the worse," Mactaggart said. "Your and my expectations of what privacy [is] will change, the Legislature is in the right place for that. But there should also be something to counteract the trillions of dollars on the other side."
With that in mind, the new law includes a type of one-way ratchet that lets it be amended by a simple majority of the Legislature like any other law, as long as the amendments don't harm consumer privacy. Mactaggart's approach diverged from that of the sponsors of the newly passed gig worker measure Prop. 22. Part of that law requires a 7/8th majority in order to change its provisions.
"With all due respect, that's sort of saying I'm going to take my toys, go home, and my vision of the world is perfect," Mactaggart said. "We need something that moves with the times, and goes with the times."
Mactaggart said the new privacy agency's annual budget of $10 million should enable it to hire roughly 50 people, which is double the size of the state Attorney General's privacy enforcement staff and 25% more staff than what the Federal Trade Commission has for the entire country. The new law also removes a provision granting exclusive enforcement of the consumer privacy law to the state AG's office, enabling not just the new agency but also all 58 county district attorneys and major city attorneys to prosecute businesses in violation, Mactaggart said.
Because the law now holds companies responsible for ensuring that data they have shared with third parties or vendors is properly deleted upon request, experts say a new industry of companies will likely sprout up to help track down where data has gone. That's especially crucial with an estimated 5,000 data brokers worldwide, which can make tracking data down especially difficult.
These data brokers are largely unregulated and sell people's personal information for billions of dollars a year. They include large companies like the credit bureaus — Experian, Equifax and TransUnion — and other smaller firms that aggregate personal information from both public and private sources to sell to other companies for advertising, employment, financial and research purposes.
"A dedicated privacy authority is a game changer," said Gabriela Zanfir-Fortuna, senior counsel for global privacy at The Future of Privacy Forum, a Washington, D.C.-based think tank. "This is something that exists in most of all of the other countries that have comprehensive privacy laws and this is something that currently doesn't exist in the U.S. [There's] the FTC but the FTC has a very broad mandate, in antitrust, consumer protection and then it's also privacy focused."
A Leg Up for California Businesses on International Data?
Experts say the new law is very, very close to the European privacy standard known as GDPR, or the General Data Protection Regulation, touted by privacy experts as a gold standard. And that matters because it gives California a potential leg up in being deemed adequate under EU law to deal with European citizen data flows.
"California businesses are going to enjoy a tremendous advantage over businesses in other states, because the European regulators are going to be more permissive to businesses in a state with a rights-based framework and an agency to enforce it," said Chris Hoofnagle, faculty director of the Berkeley Center for Law & Technology.
Mactaggart believes that this advantage will lead businesses to want to locate servers in California and, ultimately, spur other U.S. states to move toward their own privacy law adoptions. He said he's had initial conversations with European experts who told him California's new law should pass muster in allowing state companies to deal with European data.
Of course, the U.S. and European Union would first need to work out concerns over the U.S. national security apparatus that came to light after the Edward Snowden revelations. In July, the European Court of Justice invalidated a U.S.-EU agreement on trans-Atlantic data flows over concerns about how the U.S. national security apparatus deals with European citizen data, and what independent oversight and recourse citizens have. That has left U.S. and E.U. businesses in a sort of legal limbo.
ACLU Opposition And American Appetite For Privacy
Prop. 24 was notable in that many of the organizations that opposed it, like the ACLU, did so because they wanted it to be even stronger.
Jacob Snow, a technology and civil liberties attorney for the ACLU of Northern California, said in a statement Wednesday the new law has "deep flaws" but "sends a clear message from California voters to the California legislature that they expect and demand action to protect their privacy and safeguard their fundamental privacy rights."
Snow said in a statement that it's time for the California Legislature to build on the new law to prohibit companies from charging more for privacy and impose substantial consequences on businesses that break its rules.
All the experts said it was likely that the new California law would put some fire under lawmakers in D.C. to take enacting a new privacy law more seriously.
On Tuesday, Michigan voters overwhelmingly approved — by nearly 89% — a state constitutional amendment that requires a search warrant to access any electronic communications, significantly upping the legal standard necessary to "probable cause." Meanwhile, Washington state lawmakers have again tabled discussion on a new Privacy Act for the third consecutive session, Zanfir-Fortuna said.
"There seems to be this appetite for more data privacy for Americans, especially when they are asked directly to vote on it," Zanfir-Fortuna said.
Many of the details of how California's Prop. 24 will work have yet to be determined. The new privacy agency will be stood up next year and the law won't go into effect until 2023. For many companies, the early rush to abide by the 2018 rule known as CCPA was frustrated by continual changes as it was finalized.
"There will be a wait-and-see [period]. Companies are going to want to know where to land the plane before they take off on their compliance efforts," Koenig said.
Mactaggart had one message for weary businesses: "If you've taken steps to comply with CCPA it's not like you have to throw it all out, that work is all necessary to comply with CPRA. Now you just need to do more."
How does Prop. 24 impact your business? Are you worried? Excited? Hit me up. My DMs are open on Twitter @latams. You can also email me at tami(at)dot.la, or ask for my contact on Signal, for more secure and private communications.