Apple, Facebook & Google - How California's new privacy measures apply

Posted:
in General Discussion
California voters passed a new privacy law that would strengthen and close loopholes in exisiting regulatory protections. Here's what it could mean for Big Tech and consumers elsewhere.

Credit: Unsplash
Credit: Unsplash


On Nov. 3, Californians voted on a new privacy measure called Proposition 24 that would strengthen current privacy regulations in the state. As of Nov. 4, projections indicate that consumers have voted to pass the law. It's set to take effect in 2023.

Unlike past regulatory privacy pushes in California and elsewhere, Proposition 24 isn't building anything from the ground up. Instead, it revises and amends provisions of existing privacy law in California.

Here's what Proposition 24 does, what it doesn't do, and how it may affect companies and consumers in other states and countries.

What does California Privacy Rights Act do?

The California Privacy Rights Act, or Proposition 24, essentially adds and amends some provisions in the California Consumer Privacy Act (CCPA), which took effect in the state in January.

Compared to the CCPA, Proposition 24 gives Californians the right to tell businesses not to share their data, as opposed to just prohibiting companies from selling it. That closes a loophole in CCPA that businesses used to skirt current regulations.

Proposition 24 also adds more specific protections for certain sensitive data, allowing users to tell businesses not to use information categories like race, genetic information, sexual orientation, and geographic location.

It also will create a standalone agency with a $10 million budget tasked with enforcing California privacy laws, and also enables district attorneys from county and state governments to get involved. Currently, the task of privacy regulation enforcement is left up to the state's attorney general's office, which has said that it can only handle a few cases per year.

Additionally, the measure triples the fines for privacy violations if an affected consumer is under 16 years of age, requires that companies obtain permission from the parents of consumers who are younger than 13 before they start collecting data.

What are some criticisms of Proposition 24?

Like the CCPA, Proposition 24 requires that consumers explicitly opt out of data collection. Research shows that many people don't bother to change the default settings on their platforms, devices, or apps.

Additionally, the Electronic Frontier Foundation warns that Proposition 24 could further "pay for privacy" schemes by exempting "loyalty clubs" from the CCPA's existing regulations on businesses charging different prices when they exercise privacy rights.

Additionally, the proposition gives companies a bit more power when it comes to refusing to comply with a consumer's request to delete their data. A section of Proposition 24 allows businesses to refuse data deletion if the retention of that data could "help to ensure security and integrity."

There are other privacy advocates who suggest that the proposition doesn't go far enough to protect the privacy of consumers. But it's worth noting that the measure includes language that prevents future legislators from weakening any existing privacy protections. If changes are made in the future, they must "further protect consumers' rights."

How Proposition 24 affects Big Tech

Big Tech companies, including Google and Facebook, have been uncharacteristically silent about the proposed privacy changes in Proposition 24. That's likely because some of its included provisions may make regulatory compliance easier.

Kristen Mathews, a partner at law firm Morrison & Foerster who focuses on privacy regulations, told Fast Company that many businesses are likely in favor of some of Proposition 24's provisions.

For example, the proposed California Privacy Protection Agency is required by the measure to create specifications for an "opt-out signal," or a piece of code that alerts companies that a user doesn't want to be tracked. Although that could affect ad revenue, it would make it easier for companies to remove consumers from their data collection practices.

Of course, since Prop 24 closes existing loopholes and introduces more stringent privacy protections in some data categories, it's still incredibly likely that it'll impact advertising revenue for companies like Facebook and Google. One expert said that if advertising technology doesn't evolve, the business model of advertising may become obsolete.

Because Apple doesn't rely on advertising as a revenue source, Proposition 24 may not have much effect on the company. The data types that Proposition 24 goes further to protect are already ones that Apple doesn't use.

What will consumers notice in California and beyond?

Proposition 24 goes further to protect certain types of data for California users, but it doesn't represent as massive of a change as the GDPR or the previously passed CCPA in 2018.

Because of that, it's likely that existing privacy policies and pop-ups won't need much tweaking to be Proposition 24-compliant. Most major websites and internet companies have already overhauled their policies for the GDPR and CCPA, and the provisions included in Prop 24 isn't likely to require as big of changes.

Of the changes that will take place, they're likely to be applied broadly. Many companies opted to implement GDPR-compliant policies across their platforms.

For California residents, browsers or devices that automatically tell websites and platforms not to track their users will act as an "automatic" opt-out. That could be important with upcoming iOS 14 privacy changes that make it much easier for users to tell apps not to track them across the web.

Will Proposition 24 inspire federal privacy regulations?

California currently has some of the toughest -- and only -- privacy regulations in the United States. With the passage of Proposition 24, those protections are only going to get stronger across many categories. Some privacy advocates believe this could signal a sea change across the U.S.

Former presidential candidate Andrew Yang, for example, told ABC7 in October that he believes that Proposition 24 could empower lawmakers and consumers in other states to follow through.

"After this becomes the law in California, I believe other states are going to look up and say 'why do Californians have all these data and privacy rights that we don't have'," Yang asked. "So as usual, California could end up leading the way."

Amid increased scrutiny of Big Tech, lawmakers may see California's lead as a signal to strengthen consumer privacy protections at the federal level. Past bills that focused on privacy legislation had bipartisan support, but there hasn't been much headway in the wake of the coronavirus pandemic.

And if federal legislators don't take action soon enough, other large U.S. states could introduce their own privacy laws, according to Alastair Mactaggart, the founder of the group behind Proposition 24.

"This is a new reality for one in eight Americans, it ain't going away. I think you'll start to see more of a push to get good protections in the country. And if that doesn't work, I think other big states will adopt something like ours," Mactaggart told Vox.

Comments

  • Reply 1 of 12
    lkrupplkrupp Posts: 9,989member
    "It also will create a standalone agency with a $10 million budget tasked with enforcing California privacy laws, and also enables district attorneys from county and state governments to get involved. Currently, the task of privacy regulation enforcement is left up to the state's attorney general's office, which has said that it can only handle a few cases per year.”

    Bottom line? Yet another government bureaucracy established to suck money out of taxpayers. In reading this article I don’t see all that much change.

    "Proposition 24 also adds more specific protections for certain sensitive data, allowing users to tell businesses not to use information categories like race, genetic information, sexual orientation, and geographic location."


    And what kind of business, other than medical, would possess race, genetic, sexual orientation data?
    williamlondonbeowulfschmidtwatto_cobra
  • Reply 2 of 12
    I really wish the law required companies to allow access to hardware without an account if it is not needed for the device to function. For example, I have to create an account to update the firmware on certain HomeKit devices. I just bought a gimbal for my iPhone and I have to create an account to “register” it. It will not function unless it is registered. I have example after example where I have I have to register by providing my email and creating a password which has nothing to do with the function of the product. Every time you create an account, it is just another possibly of your information getting hacked.  My guess is they use this information to generate additional income by selling this information to advertisers.  A person that buys a gimbal for their phone might be more likely to buy clip on lenses for example. 


    edited November 2020 JaiOh81watto_cobra
  • Reply 3 of 12
    j2fusion said:
    I really wish the law required companies to allow access to hardware without an account if it is not needed for the device to function. For example, I have to create an account to update the firmware on certain HomeKit devices. I just bought a gimbal for my iPhone and I have to create an account to “register” it. It will not function unless it is registered. I have example after example where I have I have to register by providing my email and creating a password which has nothing to do with the function of the product. Every time you create an account, it is just another possibly of your information getting hacked.


    Create an account with fake information.
    JaiOh81
  • Reply 4 of 12
    Sarkany said:
    j2fusion said:
    I really wish the law required companies to allow access to hardware without an account if it is not needed for the device to function. For example, I have to create an account to update the firmware on certain HomeKit devices. I just bought a gimbal for my iPhone and I have to create an account to “register” it. It will not function unless it is registered. I have example after example where I have I have to register by providing my email and creating a password which has nothing to do with the function of the product. Every time you create an account, it is just another possibly of your information getting hacked.


    Create an account with fake information.
    Many still need a valid email address. 
    watto_cobra
  • Reply 5 of 12
    j2fusion said:
    Many still need a valid email address. 
    I have a “throw away” Gmail account that I use for these types of situations. 
    jahbladeJFC_PAbeowulfschmidtwatto_cobra
  • Reply 6 of 12
    gatorguygatorguy Posts: 23,365member
    lkrupp said:
    "It also will create a standalone agency with a $10 million budget tasked with enforcing California privacy laws, and also enables district attorneys from county and state governments to get involved. Currently, the task of privacy regulation enforcement is left up to the state's attorney general's office, which has said that it can only handle a few cases per year.”

    Bottom line? Yet another government bureaucracy established to suck money out of taxpayers. In reading this article I don’t see all that much change.

    "Proposition 24 also adds more specific protections for certain sensitive data, allowing users to tell businesses not to use information categories like race, genetic information, sexual orientation, and geographic location."


    And what kind of business, other than medical, would possess race, genetic, sexual orientation data?
    Any of the big three credit bureaus, plus data brokers like Axciom, Oracle, Verisk, Experian, Spokeo, LexisNexis and a few hundred others, along with pharmacies and certain other consumer services providers. 

    EDIT: For example these are types of personal  data that pharmacies share with third parties. 

    We collect CA(lifornia) Personal Information for the business and commercial purposes described in the "How We Use Your Information" 
    section above. We also share and/or disclose CA Personal Information as follows:
    Sharing your CA Personal Information for business purposes: As described above... we may share the following categories of CA Personal Information with third parties who are considered "service providers" as defined under California law since we disclose CA Personal Information to them for our business purposes. We also list representative data elements for each of these categories of CA Personal Information:
    • Identifiers: such as name, address, telephone number, email address, age, date of birth, username and password for our websites, online identifiers, IP address;
    • Characteristics of protected classifications under California or Federal Law: such as sex, gender, age (40 or older);
    • Commercial information: such as products or services purchased, obtained or considered, other purchasing or consuming histories or tendencies, payment information, health and medical information, health insurance information, and loyalty program participation information;
    • Internet or other electronic network activity information: such as computer and connection information, statistics on page views, traffic to and from the websites, ad data and other standard weblog information;
    • Geolocation information: including location data and precise location data, such as physical location information through the use of our services on your mobile phone or device by, for example using satellite, cell phone tower, WiFi signal, beacons, Bluetooth and near field communication protocols. If you use our mobile application, your device may share location information when you enable location services. We may be able to recognize the location of a mobile device in stores through use of Bluetooth technology;
    • Audio, visual, or similar information: such as photographs you share, in-store security video, customer service audio recordings; and
    • Inferences drawn from other personal information: such as consumer preferences, characteristics, predispositions, and behavior.

    As described above, examples of business purposes include product and service fulfillment, internal operations, prevention of fraud and other harm, and legal compliance.

    The categories of third party service providers to which we may share the above described categories include Payment Processing Companies, Data Analytics Providers, Fraud Prevention Providers, Cloud Storage Providers, IT Service Providers, Professional Service Providers, Delivery Partners, and Marketing Companies.

    This is also a good link for those curious about how your health data ends up for sale from a broker.  https://diginomica.com/data-brokers-and-implications-data-sharing-good-bad-and-ugly

    And this: https://www.npr.org/sections/health-shots/2018/07/17/629441555/health-insurers-are-vacuuming-up-details-about-you-and-it-could-raise-your-rates


    edited November 2020 danncer
  • Reply 7 of 12
    gatorguy said:
    lkrupp said:
    "It also will create a standalone agency with a $10 million budget tasked with enforcing California privacy laws, and also enables district attorneys from 

    And what kind of business, other than medical, would possess race, genetic, sexual orientation data?
    We also list representative data elements for each of these categories of CA Personal Information:
    • Audio, visual, or similar information: such as photographs you share, in-store security video, customer service audio recordings
    That item includes race data, it also includes what language you speak. Since it's audio-visual, it also includes any visible medical issues you have like whether you use a wheelchair. And it includes a lot of information about your personality, including your personality type. In many cases people wear outward indications of their religion, so it also includes religious affiliation for some people.
    edited November 2020 danncer
  • Reply 8 of 12
    j2fusion said:
    Sarkany said:
    j2fusion said:
    I really wish the law required companies to allow access to hardware without an account if it is not needed for the device to function. For example, I have to create an account to update the firmware on certain HomeKit devices. I just bought a gimbal for my iPhone and I have to create an account to “register” it. It will not function unless it is registered. I have example after example where I have I have to register by providing my email and creating a password which has nothing to do with the function of the product. Every time you create an account, it is just another possibly of your information getting hacked.


    Create an account with fake information.
    Many still need a valid email address. 
    Surely you have a 'junk' email address?
    This is just a basic requirement of modern life - a minimum of two email addresses.
    One your 'proper' and personal email address which you only share with people you actually want to exchange emails with. The other can be an excite.com, yahoo.com or whatever  email account used for registering online and other BS needs.
    watto_cobra
  • Reply 9 of 12
    crowleycrowley Posts: 10,029member
    lkrupp said:
    "It also will create a standalone agency with a $10 million budget tasked with enforcing California privacy laws, and also enables district attorneys from county and state governments to get involved. Currently, the task of privacy regulation enforcement is left up to the state's attorney general's office, which has said that it can only handle a few cases per year.”

    Bottom line? Yet another government bureaucracy established to suck money out of taxpayers. In reading this article I don’t see all that much change.

    "Proposition 24 also adds more specific protections for certain sensitive data, allowing users to tell businesses not to use information categories like race, genetic information, sexual orientation, and geographic location."


    And what kind of business, other than medical, would possess race, genetic, sexual orientation data?
    Maybe none? Maybe that part of the legislation is targetted at medical businesses? But I doubt it. Race and sexual orientation is precisely the kind of information that might be harvested for advertising purposes.
  • Reply 10 of 12
    gatorguygatorguy Posts: 23,365member
    crowley said:
    lkrupp said:
    "It also will create a standalone agency with a $10 million budget tasked with enforcing California privacy laws, and also enables district attorneys from county and state governments to get involved. Currently, the task of privacy regulation enforcement is left up to the state's attorney general's office, which has said that it can only handle a few cases per year.”

    Bottom line? Yet another government bureaucracy established to suck money out of taxpayers. In reading this article I don’t see all that much change.

    "Proposition 24 also adds more specific protections for certain sensitive data, allowing users to tell businesses not to use information categories like race, genetic information, sexual orientation, and geographic location."


    And what kind of business, other than medical, would possess race, genetic, sexual orientation data?
    Maybe none? Maybe that part of the legislation is targetted at medical businesses? But I doubt it. Race and sexual orientation is precisely the kind of information that might be harvested for advertising purposes.
    23andMe, Ancestry.com, plus the sources listed in post 6

    That brings up a major difference between Facebook and Google ad placement. Facebook allows Race and Sexual Orientation as categories for their advertising programs. Google doesn't, nor do they even allow advertisers using Google ads to collect that information.

    For years Google has barred ad targeting based on several "sensitive" categories such as race, ethnicity, political party, religion, sexual orientation, health conditions, birth control, credit rating, and more.
    https://support.google.com/adspolicy/answer/143465?hl=en
    edited November 2020 danncer
  • Reply 11 of 12
    j2fusion said:
    Sarkany said:
    j2fusion said:
    I really wish the law required companies to allow access to hardware without an account if it is not needed for the device to function. For example, I have to create an account to update the firmware on certain HomeKit devices. I just bought a gimbal for my iPhone and I have to create an account to “register” it. It will not function unless it is registered. I have example after example where I have I have to register by providing my email and creating a password which has nothing to do with the function of the product. Every time you create an account, it is just another possibly of your information getting hacked.


    Create an account with fake information.
    Many still need a valid email address. 
    mailinator

    It's essentially just a sinkhole for email.  You can check to see what's arrived, e.g. for registration purposes, but any mail sent to a mailinator address goes away within a certain period of time.  And they have other domains besides "mailinator" in case some data harvester has that one blocked.
    watto_cobra
  • Reply 12 of 12
    Some of that looks like it might clash with HIPAA, which specifically allows sharing of certain data, e.g. for billing and insurance purposes.  I wonder how that's gonna fly?

    Guess we'll find out.
    watto_cobra
Sign In or Register to comment.