As the most important outcome of the 2020 election remains in flux, voters in California and Michigan approved new privacy laws Tuesday: California’s Prop 24, which extends provisions of a 2018 privacy law, and Michigan’s Prop 2, which consolidates piecemeal orders into a requirement for police to seek search warrants before seizing electronic data.
Strengthening privacy is one of the few reliably bipartisan endeavors in modern politics, but the two measures scrambled traditional alliances on privacy: The ACLU opposed the California proposition, while police chiefs supported the Michigan measure. If those politics are any indication, privacy in the post-2020 landscape will be odd, iterative, surprisingly bipartisan, and very complicated.
California's Prop 24 ratifies the California Privacy Rights Act, the successor to 2018’s California Consumer Privacy Act. Conceived as a parallel to Europe’s General Data Protection Regulation, the CCPA left many privacy advocates unhappy with loopholes that let Facebook, Google, and hordes of anonymous data brokers avoid regulation.
The CCPA exempted many forms of targeted advertising, essentially permitting the collection and sharing of personal user data without consent—precisely the activity the law was intended to eliminate. CCPA also left enforcement solely to the already overburdened state attorney general, a concession that caused an ongoing rift between two of its authors, Mary Stone Ross and Alastair Mactaggart. (Mactaggart coauthored the CPRA, which Ross opposed.)
Companies have many ways of profiting from collecting and accessing our data. Few involve money directly exchanging hands in a sale. The law approved Tuesday targets the companies once able to evade regulation by claiming they “share” but don't “sell” data. CPRA combines the concepts of sharing, selling, and monetizing data. It requires companies to disclose what they’re collecting from users and with whom they’re selling or sharing the data, and it requires them to allow users to opt out of having their data collected, whether or not it's “sold” in the literal sense.
CPRA creates a new category of Sensitive Personal Information (SPI), including race, sexuality, religion, and health data. Businesses must disclose to users if they plan to collect, share, or sell SPI. Once informed, users can prevent companies from sharing SPI. It also allocates $10 million to a new California Privacy Protection Agency that will enforce the law.
Finally, the language of the 2018 law left the door open for companies to require users to opt out of tracking from each site they visit rather than end tracking with one swoop. CPRA allows users to employ a global opt-out, such as a Do Not Track tool, but also to allow tracking selectively.
Privacy advocates who oppose CPRA see this as one of many examples of one step forward, two steps backward. Enforcement doesn’t begin until 2023, businesses with less than $25 million in revenue in are exempt, credit reporting giants like Experian and Equifax are exempt from most of its provisions, and companies can still withhold certain perks or discounts from consumers who choose not to share data.
This last concession is especially contentious. The Electronic Frontier Foundation and the ACLU of Northern California, staunch privacy defenders for generations, both cited this for why they opposed Prop 24. Both have concerns it could incentivize a “pay for privacy” structure that encourages people to hand over their data for cash and discounts. This could be especially harmful for communities of color, the ACLU argued in an October blog post, because vulnerable users will be compelled to exchange their data for lower prices, while more privileged users can afford to decline. This contradicts the protections brought on by the new SPI distinction.
CPRA’s biggest supporters, including Consumer Watchdog’s executive director, Carmen Balber, admit the legislation isn’t perfect but evinces a new model for stronger privacy protections.
“I would love to win the whole fight in one fell swoop, but that rarely, if ever, happens in the real world,” Balber says, instead noting that the legislation is written specifically to allow for future revisions. “I think that's probably the model we're going to see for [privacy] reform across the country.”
But iterative updates breed complexity, itself a potential weakness that companies with massive lobbying and legal arms can exploit. If CCPA represented the collective will of the people saying “don’t sell my data,” what followed was two years of companies obfuscating the meanings of the words sell, my, and data. Asked whether it serves the overall goal of transparency for laws such as CPRA to be as complex as the ad-tech ecosystem they purport to regulate, Balber said simple language creates more loopholes than complex language.
“It's not a question of how many words there are. It's a question of whether or not what you want to happen is explained accurately,” she says. “A statute can be complicated. That's a place where more complexity is worse, but this is the law that companies have to follow.
Michigan’s Prop 2 amends the state constitution to require law enforcement to obtain search warrants before seizing a person’s “electronic data or electronic communications.” New technologies have created surveillance dragnets that capture the data of large groups of people, many of whom aren’t suspected of crimes. Prop 2 was introduced in opposition to Michigan State Police’s use of Stingrays, devices that replicate cell towers, tricking them into transmitting the phone’s location and, potentially, the identity of the users.
The measure garnered surprising support from both the ACLU of Michigan and the Michigan Association of Police Chiefs. Several court decisions restrict police access to personal electronic data, but Prop 2 creates a blanket requirement that will apply to new technology.
“That means we can take a stronger position in the future if there's some sort of new emerging technology that we can't even imagine,” says ACLU Michigan policy strategist Merissa Kovach. “This is updated for the world that we live in now.
Instead of relying on existing rules and then extending them to match new technologies—from beepers to cell phones, for example—Prop 2 sets a single legal standard for electronic data. As Kovach notes, similar measures have passed in New Hampshire and Missouri.
“It should be a no brainer if other states want to do it,” she says. “I hope they do.”