Californians take privacy out of legislature’s hands and vote for stricter rules

5 November 2020 by Steve Blum
, , ,


Voters in California decisively strengthened an already strong privacy law, and took away the power of elected officials to amend and enforce it. When the dust cleared yesterday, yes votes on proposition 24 had a 12% lead over the noes. Ballot counting in California might drag on until the middle of December, but it is all but mathematically certain that yes will prevail by a wide margin.

Prop 24 tweaks the California Consumer Privacy Act (CCPA), which sets limits on what companies can do with information about you that they’ve collected. Three immediate changes will have a significant impact – improvements, I’d say – on Californian’s ability to protect their privacy:

  • CCPA restricts companies’ freedom to sell information about you. Prop 24 more or less retains those restrictions, but applies them to companies’ ability to sell or share personal data. That closes a big loophole – it doesn’t take a genius to cook up a business relationship between two companies, or subsidiaries of the same company, that makes it look like data is being shared rather than sold.
  • California legislators can’t change the new law. The California Constitution sharply curtails their power to undo the will of voters, or do the bidding of lobbyists once voters have spoken.
  • Enforcement responsibility shifts from the California attorney general, who also grubs after the same political cash as senators and assembly members, to the newly established California Privacy Protection Agency. That’s not necessarily a big improvement – the new agency will be governed by five politically appointed board members. Jobs like that, even at the rate of $100 a day plus (probably) $206 a day for “expenses”, are in big demand among termed out politicians in Sacramento.

CCPA was approved by the California legislature in 2018, after a privacy advocate – the same one behind prop 24 – collected enough signatures to get a somewhat stricter initiative on the November 2018 ballot. Negotiations then led to passage of CCPA and the withdrawal of the initiative.

In making that deal, Sacramento lawmakers had two objectives. They wanted to water down privacy rules as much as possible to please the lobbyists that pay them millions of dollars a year in exchange for laws that suit monopoly business models, and they meant to keep that cash flowing into their pockets by keeping the power to amend, or even repeal, CCPA in their hands.

No longer.

The joker in the deck lives in Washington, D.C. The same companies and the same front organisations pump even more money into political pockets in D.C. than they do in Sacramento. Partisan squabbling has kept congress from making good on those payments, but federal lawmakers from both parties agree that 1. they should be in charge of regulating privacy and 2. they need to continue collecting lobbyists’ cash. Federal bureaucrats are also eager to take over privacy regulation.

California’s protections can still be preempted by federal action, but until that happens the rules laid down by prop 24, which take effect as soon as the vote is certified, will become the de facto and default privacy standard in the U.S.