With Prop. 24, California takes on internet privacy. AgainOctober 15, 2020
Proposition 24 aims to refine and expand the rules of the California Consumer Privacy Act, the 2019 law that gave Californians more power over how companies collect and sell their information.
But a scan of the measure’s supporters and opponents raises questions. If this proposal is meant to give people more privacy and more rights over how their data are used, why is it opposed by the American Civil Liberties Union and the Consumer Federation of California? And if it’s meant to stop online businesses from making money by exploiting personal data, why aren’t internet companies lining up to try to kill it?
A quick read of the measure itself proves impossible. Proposition 24 clocks in at 52 pages of dense technical language concerning the intricacies of online data collection, as intelligible to a layperson as the user manual of an aircraft carrier.
In broad strokes, the 2019 consumer privacy law gave Californians the right to know what data companies collect on them, the right to get the data deleted and the right to tell companies not to package and sell the data to other companies.
Proposition 24 would create a dedicated state agency to enforce the law and add dozens of specifics and exceptions for privacy in certain business cases. If it passes next month, the state will have until 2023 to spin up the agency and figure out how to put the law into action.
To really understand what Proposition 24 would do — and how it made enemies among privacy advocates — it helps to start in 2017 when a Bay Area real estate developer named Alastair Mactaggart started worrying about his privacy.
After a cocktail party conversation with a Google engineer, who explained how the industry tracked users’ location, spending habits and political views, then spun that collected information into money by using it to sell targeted advertising, Mactaggart decided to write a law.
When he went to draft this first ballot measure in 2017, Mactaggart had two significant choices to make: How would Californians tell companies not to monetize their data, and how would companies that broke the law be investigated and punished?
For the first question, he had to pick between an opt-in or opt-out system. Opt-in means that companies have to expressly ask for permission before collecting and selling a user’s data. Opt-out means that companies collect and sell data as a default, but Californians have the right to tell companies to stop.
For the second question, he had to decide between what’s known as a “private right of action” — letting anyone sue a company that they believed violated their new rights — and limiting enforcement to a state agency.
Mactaggart picked opt-out, arguing that opt-in would be too harsh for the companies that collect and sell data, and decided on a private right of action, believing that a flurry of lawsuits would do more to keep companies in line.
But when Mactaggart’s measure gathered enough signatures to get on the ballot in 2018,…