The Privacy Puzzle: A Baffled Voter's Guide to California's Prop 24

Proposition 24 is a 52-page law that overhauls privacy laws in California. It's so complex that it has split the privacy community, and experts disagree about what it would mean for Californians. Most voices agree Prop 24 has some changes to love, and some to reject. The typical voter is probably very uncertain about whether to vote "Yes" or "No".

We are San Diego Privacy, a small group of privacy advocates in San Diego, and we'd like to help by offering a neutral analysis. Below you'll find 10 of the biggest issues with Prop 24, along with the main points supporters (the "Yes" side) and opponents (the "No" side) make about that issue.

We suggest you first pick the issues in purple that jump out to you the most. Then, keep count of whether you find the Yes side or the No side more compelling, for the issues you've picked. Last, total up your counts.

Then, as always, go vote your values.

Update: When you pick the issues below that matter to you, consider downloading a shareable image of that issue as well, and posting it on social media to generate discussion.

I feel strongly about Pay For Privacy

Pay for Privacy means that if you demand privacy, companies can charge you more for goods and services.

  • Companies that rely on targeted advertising, like newspapers or free streaming music services, currently rely on targeted ads.
  • Some privacy options allow you to block the ability to show you targeted ads.
  • Pay-for-privacy is already allowed in existing California law.
What is "Pay For Privacy"?

Yes Side Says:

  • Says Prop 24 keeps existing pay-for-privacy laws alive.
  • Claims companies who rely on targeted ads, like newspapers, would be imperiled if pay-for-privacy was eliminated.

    • Consumer Reports says Prop 24 doesn't substantially change pay-for-privacy law from the existing law.

    When interviewed, Prop 24 author Alastair Mactaggart warns the newspaper industry would be hit hard if pay-for-privacy options were blocked. (Union-Tribune video interview with Yes on 24)

    Sources

    No Side Says:

  • Says Prop 24 doesnt fix the problem of pay-for-privacy, which is already in current law.
  • Argues privacy is a constitutional right of Californians; it is not for sale.
  • Warns Prop 24 further emboldens businesses to charge consumers for privacy.

    • The Union-Tribune video interview with No On 24 showcases Prop 24 opponents' pay-for-privacy complaints.

    The EFF's neutral analysis notes Prop 24 changes pay-for-privacy enough to encourage more companies to use it.

    Sources

    Authors' Note: It's important to emphasize here that pay-for-privacy is already allowed in current law. Opponents see Prop 24's choice to further expand pay-for-privacy, rather than ban it, as one reason to oppose it.

    I feel strongly about Global Opt-Out

    Global Opt-Out allows you to set up your privacy options in one place, and have them apply universally. Prop 24 allows companies to ignore those global settings, in some cases.

    • In the future, you'll be able to set your privacy preferences in one place, rather than at each site or service.
    • Prop 24 includes provisions for allowing companies to ignore your global privacy preferences for certain reasons, like if they want you to pay.
    • There could be other reasons companies won't have to respect your global privacy preferences.
    What is Global Opt Out?

    Yes Side Says:

  • Believes pay-for-privacy means companies must be allowed to ignore your global privacy settings in order to ask you to pay (See "Pay For Privacy" above).

    • The Wired article covers Yes on 24's argument for why they believe it is important for companies to have the option to ignore your privacy settings.

    Sources

    No Side Says:

  • Argues consumers should be opted-out of all data collection by default.
  • Warns that Prop 24 allows companies to ignore your universal opt-out if they put a "Do Not Sell" button on their site.

    • The League of Women Voters is part of a coalition of privacy organizations that believe companies should affirmatively ask you to opt-in prior to collecting your data, rather than ask you to opt-out after the fact.

    The No on 24 Union-Tribune interview describes opponents' concerns regarding the Do Not Sell button exemption.

    Sources

    Authors' Note: This is a good place to note that many privacy advocates believe all efforts to collect your data should require affirmative consent from you, rather than using the "opt-out" model where companies collect your data first, and then require you to ask it be deleted or not collected.

    I'm concerned about privacy law Enforcement

    Current privacy laws in California are rarely enforced. Only the California Attorney General can enforce California's privacy laws.

    • California previous privacy agency was previously closed during budget cuts.
    • The California attorney general has signaled that they don't have enough resources for enforcement.
    • The California attorney general has asked the legislature to allow individuals the right to sue to enforce their privacy.
    What's going on with enforcement?

    Yes Side Says:

  • Says Prop 24 establishes a new state enforcement agency, with funding.
  • Says Prop 24 will enable some city and county officials to enforce the law, in addition to the California attorney general.

    • SPUR's analysis covers the new state enforcement agency.

    Yes on 24's Union-Tribune interview covers supporters' claim that the proposition expands enforcement capability to city and county officials.

    Sources

    No Side Says:

  • Argues individuals should be able to sue companies to enforce their privacy choices, but Prop 24 left that out.
  • Believes the new enforcement agency established by Prop 24 would be underfunded and ineffective.

    • Private right of action (the right for individuals to sue) is desired by many privacy organizations, including the EFF.

    Opponents stated their objection to Prop 24's new enforcement agency in their video interview with the Union-Tribune.

    Sources

    Authors' Note: Privacy advocates feel very strongly that Californians should have the "private right of action," or the right to sue companies to enforce privacy law. It seems to us unlikely that privacy organizations will support overhauls to California's privacy laws without that private right of action being included.

    I'm concerned about How Prop 24 Was Created

    Prop 24 is a 52-page law with so much complexity that even experts disagree on its meaning. It was written privately and then submitted directly to voters.

    • Alastair Mactaggart wrote Prop 24. It has not been reviewed by the legislature.
    • Mactaggart invited some industries to provide changes to Prop 24 as it was drafted.
    • Mactaggart helped get California's existing CCPA privacy law passed through the legislature.
    What's the deal with Prop 24's origins?

    Yes Side Says:

  • Argues privacy laws are under assault by lobbyists, and Prop 24 is the fastest way to stop that.
  • Warns that there isn't enough enforcement of existing privacy laws, and that Prop 24 provides more enforcement.

    • Yes on 24's Union-Tribune interview has a discussion of Mactaggart's motivations for writing this as a Prop.

    The same video also has Mactaggart's intentions on enforcement.

    Sources

    No Side Says:

  • Argues existing privacy laws only started to be enforced three months ago, and that it's too soon to overhaul those privacy laws.
  • Believes the legislature should write and pass future privacy laws, not private parties.
  • Warns that privacy organizations were excluded from writing Prop 24, but that industries were invited.

    • Opponents of Prop 24 voiced their concerns about overhauling existing laws in the video interview with the Union-Tribune.

    In the same interview, opponents state their concerns that this law skipped the legislature. League of Women Voters does as well.

    The Protocol article has the most detailed account of how Mactaggart and privacy organizations clashed.

    Sources

    Authors' Note: Due to the way this law is being proposed directly to voters, rather than going through the long process of the legislature, there are a lot of experts disagreeing with each other regarding Prop 24's implications.

    I feel strongly about Protecting Sensitive Data

    Prop 24 classifies some types of data as "sensitive," such as race, sexual orientation and precise GPS coordinates, and restricts how companies can use them.

    • Prop 24 sets up a new class of information called Sensitive Information.
    • Sensitive information includes: precise geolocation; race; ethnicity; religion; genetic data; private communications; sexual orientation; and specified health information.
    • Fines are tripled for violations of the law for children under the age of 16.
    What's the deal with "Sensitive Data"?

    Yes Side Says:

  • Says Prop 24 will protect sensitive information where current law does not.
  • Says Prop 24 further restricts companies use of precise geo-location data.

    • Ballotpedia maintains a list of the Prop 24's details with links, including the new sensitive information law.

    Mactaggart describes the new precise location restriction in Yes on 24's Union-Tribune interview.

    Sources

    No Side Says:

  • Argues more types of data, such as immigration status, should be considered sensitive.
  • Believes companies should obtain your explicit consent prior to collecting any data, including sensitive data.

    • The EFF points out the immigration status issue.

    This is the opt-in disagreement that many privacy organizations have with Prop 24, EFF among them.

    Sources

    Authors' Note: It's important to note that the restrictions on using precise geo-location will not prevent apps like Maps or rideshare apps from using that data when they need to.

    I'm concerned about Exemptions from privacy laws.

    Prop 24 exempts some companies and industries from complying with the law.

    • There are many special exemptions in Prop 24. Some examples are exemptions: for emergencies, for employees, for child welfare, for yearbooks.
    • Companies who believe their security will suffer if they delete consumer data get an exemption from deletion requirements.
    • An exemption for the commercial credit industry was written by that industry and placed into Prop 24.
    What's the concern about Exemptions?

    Yes Side Says:

  • Argues a "security and integrity" exemption is needed for companies who would be less secure if they deleted your data.
  • Believes commercial credit agencies should be granted exemptions to track bankruptcies and maintain the commercial loan system.

    • Mactaggart explains his justification of the security and integrity exemption in the Yes on 24 video interview with the Union-Tribune.

    The Protocol article does a good job digging into the commercial credit industry exemption granted by Mactaggart.

    Sources

    No Side Says:

  • Warns "security and integrity" exemption is overbroad and will be abused.
  • Opposes the exemption for commercial credit agencies, as written.
  • Believes many exemptions are poorly written, including the cross-border exemption (see "Privacy Loss At Border")

    • 11 privacy organizations wrote to Mactaggart warning of the problems with the security and integrity exemptions.
    The same document details their opposition to the commercial credit industry exemption and all of their objections to numerous exemptions given in Prop 24.

    Sources

    Authors' Note: See the below section regarding "Privacy Loss at the Border" for another important exemption that merits its own attention.

    I'm concerned about Impacting Future Privacy Laws

    Prop 24 places limits on how privacy laws can be changed in the future.

    • Prop 24 attempts to ensure privacy laws can only be strengthened.
    • Prop 24 lays out a series of privacy values that any privacy law changes must adhere to.
    • Prop 24 specifies that consideration for business interests must be included when considering any new privacy law.
    What's the concern about future privacy laws?

    Yes Side Says:

  • Believes Prop 24 will ensure future privacy laws will only be allowed if they strengthen consumer privacy even further.

    • Mactaggart describes his vision of how privacy law can be changed by the legislature in the Union-Tribune video interview.

    Sources

    No Side Says:

  • Warns that Prop 24 gives companies too much power over whether new privacy laws can be approved by the legislature.

    • No on 24's video interview with the Union-Tribune is the best description of their handcuffing concerns..

    Sources

    Authors' Note: Due to the way Prop 24 is written, there is a large amount of disagreement over whether it sets a "floor" for privacy laws, which prevents weakening of privacy, or whether it sets a "ceiling" on privacy law which could prevent strengthening of privacy law. Or, maybe both!

    I feel strongly about my Right to Delete data collected by companies.

    Prop 24 changes existing law regarding your rights to ask companies to delete your data.

    • Companies are required to maintain a "chain of custody" of partners they share your data with.
    • When you request a company delete your data, they also have to notify those partners to delete your data.
    • Companies can be exempt from deleting your data in certain circumstances.
    What is Right to Delete?

    Yes Side Says:

  • If you request your data be deleted, Prop 24 strengthens the requirement that companies must notify their partner companies to also delete your data.

    • EPIC's neutral analysis covers the "chain of custody" improvements in Prop 24.

    Sources

    No Side Says:

  • Warns Prop 24 gives exemptions to companies so they don't have to delete your data in some cases, like if they believe deleting your data will weaken their security.

    • 11 privacy organizations wrote to Mactaggart warning of the problems with the security and integrity exemptions (search the doc for "integrity").

    Sources

    I'm concerned about Minimizing Data Collection

    Prop 24 places some restrictions on how much data is collected, how long that data is stored, and what type of data is being used.

    • Prop 24 requires companies to store only data they need, and only for as long as they need it.
    • Prop 24 also sets up restrictions on Sensitive Information (see "Sensitive Information" item above).
    What is Data Minimization?

    Yes Side Says:

  • Says Prop 24 requires companies to only collect data they need for specific purposes, instead of collecting everything they can.
  • Believes Prop 24 will minimize the amount of data companies collect and store about you.

    • The Union-Tribune's interview with Yes on 24 has Mactaggart's description of what he calls "purpose limitations," which others call data minimization. He describes both what it is and what he believes it will do for consumers.

    Sources

    No Side Says:

  • Argues Prop 24's data minimization rules rely on businesses defining their own purposes.
  • Warns consumers will be surprised by how ineffective data minimization rules will be, due to being too loose.

    • EFF addresses both of these concerns.

    Sources

    I'm concerned about Privacy Loss at the Border

    Prop 24 explicitly allows companies to store data on your device and only collect it once you leave California and aren't protected by the state's laws.

    • This change received little attention in the media. Here is the current law:
    • This shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.
    • Prop 24 changes "shall not permit" to "shall not prohibit."
    What changes when I leave California?

    Yes Side Says:

  • Claims California's current CCPA privacy law had a typo in it, and Prop 24's one-word change fixes the typo.

    • Prop 24 sent this explanation directly to us, the Authors, at our request. Here is a link to their statement.

    Sources

    No Side Says:

  • Rejects claim that there is "a typo" in existing CCPA law.
  • Believes this one-word change allows companies to circumvent California law by waiting for you to leave the state before collecting stored data.
  • Notes that current law explicitly bans this behavior.

    • The No on 24 campaign responded directly to the authors regarding their rejection of the claim that CCPA has a "typo" in it.

    The No on 24 campaign responded directly to us (the authors) regarding their belief that this change undermines current privacy law.

    Here is a link to their statement.

    Sources

    Authors' Note: We were unable to locate robust analysis of this issue, so we had to reach out directly to the "Yes" and "No" campaigns for direct response to our questions about the change proposed by Prop 24. The claim by Yes on 24, that Prop 24 is simply fixing a typo in the law, strikes the authors as a little bizarre, given its potential implications.

    This guide was a passion project authored by Joel Alexander, Ike Anyanetu, Zac Brown, J. Lilliane, and Seth Hall. It was last updated on October 27, 2020.

    San Diego Privacy is a new effort sponsored by TechLead San Diego . Get in touch: techlead@protonmail.com or chat with us on Twitter: @sandiegoprivacy