Apple, Facebook & Google - How California's new privacy measures apply

California voters passed a new privacy law that would strengthen existing regulatory protections and close loopholes in them. Here's what it could mean for Big Tech and consumers elsewhere.

Credit: Unsplash


On Nov. 3, Californians voted on a new privacy measure called Proposition 24 that would strengthen current privacy regulations in the state. As of Nov. 4, projections indicate that consumers have voted to pass the law. It's set to take effect in 2023.

Unlike past regulatory privacy pushes in California and elsewhere, Proposition 24 isn't building anything from the ground up. Instead, it revises and amends provisions of existing privacy law in California.

Here's what Proposition 24 does, what it doesn't do, and how it may affect companies and consumers in other states and countries.

What does the California Privacy Rights Act do?

The California Privacy Rights Act, or Proposition 24, essentially adds and amends some provisions in the California Consumer Privacy Act (CCPA), which took effect in the state in January.

Compared to the CCPA, Proposition 24 gives Californians the right to tell businesses not to share their data, as opposed to just prohibiting companies from selling it. That closes a loophole in CCPA that businesses used to skirt current regulations.

Proposition 24 also adds more specific protections for certain sensitive data, allowing users to tell businesses not to use information categories like race, genetic information, sexual orientation, and geographic location.

It also will create a standalone agency with a $10 million budget tasked with enforcing California privacy laws, and also enables district attorneys from county and state governments to get involved. Currently, the task of privacy regulation enforcement is left up to the state's attorney general's office, which has said that it can only handle a few cases per year.

Additionally, the measure triples the fines for privacy violations if an affected consumer is under 16 years of age, and requires that companies obtain permission from the parents of consumers who are younger than 13 before they start collecting data.

What are some criticisms of Proposition 24?

Like the CCPA, Proposition 24 requires that consumers explicitly opt out of data collection. Research shows that many people don't bother to change the default settings on their platforms, devices, or apps.

Additionally, the Electronic Frontier Foundation warns that Proposition 24 could further "pay for privacy" schemes by exempting "loyalty clubs" from the CCPA's existing regulations on businesses charging consumers different prices when they exercise privacy rights.

Additionally, the proposition gives companies a bit more power when it comes to refusing to comply with a consumer's request to delete their data. A section of Proposition 24 allows businesses to refuse data deletion if the retention of that data could "help to ensure security and integrity."

There are other privacy advocates who suggest that the proposition doesn't go far enough to protect the privacy of consumers. But it's worth noting that the measure includes language that prevents future legislators from weakening any existing privacy protections. If changes are made in the future, they must "further protect consumers' rights."

How Proposition 24 affects Big Tech

Big Tech companies, including Google and Facebook, have been uncharacteristically silent about the proposed privacy changes in Proposition 24. That's likely because some of its included provisions may make regulatory compliance easier.

Kristen Mathews, a partner at law firm Morrison & Foerster who focuses on privacy regulations, told Fast Company that many businesses are likely in favor of some of Proposition 24's provisions.

For example, the proposed California Privacy Protection Agency is required by the measure to create specifications for an "opt-out signal," or a piece of code that alerts companies that a user doesn't want to be tracked. Although that could affect ad revenue, it would make it easier for companies to remove consumers from their data collection practices.

Of course, since Prop 24 closes existing loopholes and introduces more stringent privacy protections in some data categories, it's still incredibly likely that it'll impact advertising revenue for companies like Facebook and Google. One expert said that if advertising technology doesn't evolve, the business model of advertising may become obsolete.

Because Apple doesn't rely on advertising as a revenue source, Proposition 24 may not have much effect on the company. The data types that Proposition 24 goes further to protect are already ones that Apple doesn't use.

What will consumers notice in California and beyond?

Proposition 24 goes further to protect certain types of data for California users, but it doesn't represent as massive a change as the GDPR or the CCPA, which was passed in 2018.

Because of that, it's likely that existing privacy policies and pop-ups won't need much tweaking to be Proposition 24-compliant. Most major websites and internet companies have already overhauled their policies for the GDPR and CCPA, and the provisions included in Prop 24 aren't likely to require changes as big.

The changes that do take place are likely to be applied broadly. Many companies opted to implement GDPR-compliant policies across their platforms.

For California residents, browsers or devices that automatically tell websites and platforms not to track their users will act as an "automatic" opt-out. That could be important with upcoming iOS 14 privacy changes that make it much easier for users to tell apps not to track them across the web.

Will Proposition 24 inspire federal privacy regulations?

California currently has some of the toughest -- and only -- privacy regulations in the United States. With the passage of Proposition 24, those protections are only going to get stronger across many categories. Some privacy advocates believe this could signal a sea change across the U.S.

Former presidential candidate Andrew Yang, for example, told ABC7 in October that he believes that Proposition 24 could empower lawmakers and consumers in other states to follow through.

"After this becomes the law in California, I believe other states are going to look up and say 'why do Californians have all these data and privacy rights that we don't have'," Yang asked. "So as usual, California could end up leading the way."

Amid increased scrutiny of Big Tech, lawmakers may see California's lead as a signal to strengthen consumer privacy protections at the federal level. Past bills that focused on privacy legislation had bipartisan support, but there hasn't been much headway in the wake of the coronavirus pandemic.

And if federal legislators don't take action soon enough, other large U.S. states could introduce their own privacy laws, according to Alastair Mactaggart, the founder of the group behind Proposition 24.

"This is a new reality for one in eight Americans, it ain't going away. I think you'll start to see more of a push to get good protections in the country. And if that doesn't work, I think other big states will adopt something like ours," Mactaggart told Vox.

Comments

  • Reply 1 of 12
    lkrupp Posts: 10,557 member
    "It also will create a standalone agency with a $10 million budget tasked with enforcing California privacy laws, and also enables district attorneys from county and state governments to get involved. Currently, the task of privacy regulation enforcement is left up to the state's attorney general's office, which has said that it can only handle a few cases per year.”

    Bottom line? Yet another government bureaucracy established to suck money out of taxpayers. In reading this article I don’t see all that much change.

    "Proposition 24 also adds more specific protections for certain sensitive data, allowing users to tell businesses not to use information categories like race, genetic information, sexual orientation, and geographic location."


    And what kind of business, other than medical, would possess race, genetic, sexual orientation data?
  • Reply 2 of 12
    I really wish the law required companies to allow access to hardware without an account if it is not needed for the device to function. For example, I have to create an account to update the firmware on certain HomeKit devices. I just bought a gimbal for my iPhone and I have to create an account to “register” it. It will not function unless it is registered. I have example after example where I have to register by providing my email and creating a password which has nothing to do with the function of the product. Every time you create an account, it is just another possibility of your information getting hacked. My guess is they use this information to generate additional income by selling this information to advertisers. A person that buys a gimbal for their phone might be more likely to buy clip-on lenses, for example.


    edited November 2020
  • Reply 3 of 12
    j2fusion said:
    I really wish the law required companies to allow access to hardware without an account if it is not needed for the device to function. For example, I have to create an account to update the firmware on certain HomeKit devices. I just bought a gimbal for my iPhone and I have to create an account to “register” it. It will not function unless it is registered. I have example after example where I have to register by providing my email and creating a password which has nothing to do with the function of the product. Every time you create an account, it is just another possibility of your information getting hacked.


    Create an account with fake information.
  • Reply 4 of 12
    Sarkany said:
    j2fusion said:
    I really wish the law required companies to allow access to hardware without an account if it is not needed for the device to function. For example, I have to create an account to update the firmware on certain HomeKit devices. I just bought a gimbal for my iPhone and I have to create an account to “register” it. It will not function unless it is registered. I have example after example where I have to register by providing my email and creating a password which has nothing to do with the function of the product. Every time you create an account, it is just another possibility of your information getting hacked.


    Create an account with fake information.
    Many still need a valid email address. 
  • Reply 5 of 12
    j2fusion said:
    Many still need a valid email address. 
    I have a “throw away” Gmail account that I use for these types of situations. 
  • Reply 6 of 12
    gatorguy Posts: 24,213 member
    lkrupp said:
    "It also will create a standalone agency with a $10 million budget tasked with enforcing California privacy laws, and also enables district attorneys from county and state governments to get involved. Currently, the task of privacy regulation enforcement is left up to the state's attorney general's office, which has said that it can only handle a few cases per year.”

    Bottom line? Yet another government bureaucracy established to suck money out of taxpayers. In reading this article I don’t see all that much change.

    "Proposition 24 also adds more specific protections for certain sensitive data, allowing users to tell businesses not to use information categories like race, genetic information, sexual orientation, and geographic location."


    And what kind of business, other than medical, would possess race, genetic, sexual orientation data?
    Any of the big three credit bureaus, plus data brokers like Acxiom, Oracle, Verisk, Experian, Spokeo, LexisNexis and a few hundred others, along with pharmacies and certain other consumer services providers.

    EDIT: For example, these are types of personal data that pharmacies share with third parties.

    We collect CA(lifornia) Personal Information for the business and commercial purposes described in the "How We Use Your Information" 
    section above. We also share and/or disclose CA Personal Information as follows:
    Sharing your CA Personal Information for business purposes: As described above... we may share the following categories of CA Personal Information with third parties who are considered "service providers" as defined under California law since we disclose CA Personal Information to them for our business purposes. We also list representative data elements for each of these categories of CA Personal Information:
    • Identifiers: such as name, address, telephone number, email address, age, date of birth, username and password for our websites, online identifiers, IP address;
    • Characteristics of protected classifications under California or Federal Law: such as sex, gender, age (40 or older);
    • Commercial information: such as products or services purchased, obtained or considered, other purchasing or consuming histories or tendencies, payment information, health and medical information, health insurance information, and loyalty program participation information;
    • Internet or other electronic network activity information: such as computer and connection information, statistics on page views, traffic to and from the websites, ad data and other standard weblog information;
    • Geolocation information: including location data and precise location data, such as physical location information through the use of our services on your mobile phone or device by, for example using satellite, cell phone tower, WiFi signal, beacons, Bluetooth and near field communication protocols. If you use our mobile application, your device may share location information when you enable location services. We may be able to recognize the location of a mobile device in stores through use of Bluetooth technology;
    • Audio, visual, or similar information: such as photographs you share, in-store security video, customer service audio recordings; and
    • Inferences drawn from other personal information: such as consumer preferences, characteristics, predispositions, and behavior.

    As described above, examples of business purposes include product and service fulfillment, internal operations, prevention of fraud and other harm, and legal compliance.

    The categories of third party service providers to which we may share the above described categories include Payment Processing Companies, Data Analytics Providers, Fraud Prevention Providers, Cloud Storage Providers, IT Service Providers, Professional Service Providers, Delivery Partners, and Marketing Companies.

    This is also a good link for those curious about how your health data ends up for sale from a broker.  https://diginomica.com/data-brokers-and-implications-data-sharing-good-bad-and-ugly

    And this: https://www.npr.org/sections/health-shots/2018/07/17/629441555/health-insurers-are-vacuuming-up-details-about-you-and-it-could-raise-your-rates


    edited November 2020
  • Reply 7 of 12
    gatorguy said:
    lkrupp said:
    "It also will create a standalone agency with a $10 million budget tasked with enforcing California privacy laws, and also enables district attorneys from 

    And what kind of business, other than medical, would possess race, genetic, sexual orientation data?
    We also list representative data elements for each of these categories of CA Personal Information:
    • Audio, visual, or similar information: such as photographs you share, in-store security video, customer service audio recordings
    That item includes race data, it also includes what language you speak. Since it's audio-visual, it also includes any visible medical issues you have like whether you use a wheelchair. And it includes a lot of information about your personality, including your personality type. In many cases people wear outward indications of their religion, so it also includes religious affiliation for some people.
    edited November 2020
  • Reply 8 of 12
    j2fusion said:
    Sarkany said:
    j2fusion said:
    I really wish the law required companies to allow access to hardware without an account if it is not needed for the device to function. For example, I have to create an account to update the firmware on certain HomeKit devices. I just bought a gimbal for my iPhone and I have to create an account to “register” it. It will not function unless it is registered. I have example after example where I have to register by providing my email and creating a password which has nothing to do with the function of the product. Every time you create an account, it is just another possibility of your information getting hacked.


    Create an account with fake information.
    Many still need a valid email address. 
    Surely you have a 'junk' email address?
    This is just a basic requirement of modern life - a minimum of two email addresses.
    One is your 'proper' and personal email address which you only share with people you actually want to exchange emails with. The other can be an excite.com, yahoo.com or whatever email account used for registering online and other BS needs.
  • Reply 9 of 12
    crowley Posts: 10,453 member
    lkrupp said:
    "It also will create a standalone agency with a $10 million budget tasked with enforcing California privacy laws, and also enables district attorneys from county and state governments to get involved. Currently, the task of privacy regulation enforcement is left up to the state's attorney general's office, which has said that it can only handle a few cases per year.”

    Bottom line? Yet another government bureaucracy established to suck money out of taxpayers. In reading this article I don’t see all that much change.

    "Proposition 24 also adds more specific protections for certain sensitive data, allowing users to tell businesses not to use information categories like race, genetic information, sexual orientation, and geographic location."


    And what kind of business, other than medical, would possess race, genetic, sexual orientation data?
    Maybe none? Maybe that part of the legislation is targeted at medical businesses? But I doubt it. Race and sexual orientation are precisely the kind of information that might be harvested for advertising purposes.
  • Reply 10 of 12
    gatorguy Posts: 24,213 member
    crowley said:
    lkrupp said:
    "It also will create a standalone agency with a $10 million budget tasked with enforcing California privacy laws, and also enables district attorneys from county and state governments to get involved. Currently, the task of privacy regulation enforcement is left up to the state's attorney general's office, which has said that it can only handle a few cases per year.”

    Bottom line? Yet another government bureaucracy established to suck money out of taxpayers. In reading this article I don’t see all that much change.

    "Proposition 24 also adds more specific protections for certain sensitive data, allowing users to tell businesses not to use information categories like race, genetic information, sexual orientation, and geographic location."


    And what kind of business, other than medical, would possess race, genetic, sexual orientation data?
    Maybe none? Maybe that part of the legislation is targeted at medical businesses? But I doubt it. Race and sexual orientation are precisely the kind of information that might be harvested for advertising purposes.
    23andMe, Ancestry.com, plus the sources listed in post 6

    That brings up a major difference between Facebook and Google ad placement. Facebook allows Race and Sexual Orientation as categories for their advertising programs. Google doesn't, nor do they even allow advertisers using Google ads to collect that information.

    For years Google has barred ad targeting based on several "sensitive" categories such as race, ethnicity, political party, religion, sexual orientation, health conditions, birth control, credit rating, and more.
    https://support.google.com/adspolicy/answer/143465?hl=en
    edited November 2020
  • Reply 11 of 12
    j2fusion said:
    Sarkany said:
    j2fusion said:
    I really wish the law required companies to allow access to hardware without an account if it is not needed for the device to function. For example, I have to create an account to update the firmware on certain HomeKit devices. I just bought a gimbal for my iPhone and I have to create an account to “register” it. It will not function unless it is registered. I have example after example where I have to register by providing my email and creating a password which has nothing to do with the function of the product. Every time you create an account, it is just another possibility of your information getting hacked.


    Create an account with fake information.
    Many still need a valid email address. 
    mailinator

    It's essentially just a sinkhole for email.  You can check to see what's arrived, e.g. for registration purposes, but any mail sent to a mailinator address goes away within a certain period of time.  And they have other domains besides "mailinator" in case some data harvester has that one blocked.
  • Reply 12 of 12
    Some of that looks like it might clash with HIPAA, which specifically allows sharing of certain data, e.g. for billing and insurance purposes.  I wonder how that's gonna fly?

    Guess we'll find out.