Why EFF Doesn’t Support California Proposition 24

This November, Californians will be called upon to vote on a ballot initiative called the California Privacy Rights Act, or Proposition 24. EFF does not support it; nor does EFF oppose it.

EFF works across the country to enact and defend laws that empower technology users to control how businesses process their personal information. The best consumer data privacy laws require businesses to get consumers’ opt-in consent before processing their data; bar data processing except as necessary to give consumers what they asked for (often called “data minimization”); forbid “pay for privacy” schemes that pressure all consumers, and especially those with lower incomes, to surrender their privacy rights; and let consumers sue businesses that break these rules. In California, we’ve worked with other privacy advocates to try to pass these kinds of strengthening amendments to our existing California Consumer Privacy Act (CCPA).

Prop 24 does not do enough to advance the data privacy of California consumers. It is a mixed bag of partial steps backwards and forwards. It includes some but not most of the strengthening amendments urged by privacy advocates. This post addresses some of the provisions in this 52-page ballot initiative, and some missed opportunities.

More compulsion to pay for our privacy

Prop 24 would expand “pay for privacy” schemes. Specifically, the initiative would exempt “loyalty clubs” from the CCPA’s existing limit on businesses charging different prices to consumers who exercise their privacy rights. See Sec. 125(a)(3). This change would allow a business to withhold a discount from a consumer, unless the consumer lets the business harvest granular data about their shopping habits, and then profit on disclosure of that data to other businesses. The initiative also would expand an existing CCPA loophole (allowing “financial incentives” for certain data processing) from just “sale” of such data, to also “sharing” of it.

Unfortunately, pay-for-privacy schemes pressure all Californians to surrender their privacy rights. Worse, because of our society’s glaring economic inequalities, these schemes will unjustly lead to a society of privacy “haves” and “have-nots.”

A missed opportunity on privacy-preserving defaults

EFF advocates for an opt-in model of data processing, where businesses cannot collect, use, share, or store our information without first getting our explicit consent. This makes privacy the default option. Studies show that defaults matter, because most people don’t change the settings of their devices and apps. Privacy should be the default, particularly when it comes to ensuring consumers have control over how their information flows into a complicated data ecosystem.

The CCPA, while an important law, places the burden on consumers to opt-out of the retention and sale of their information. But most people will never do this. This allows businesses to continue to retain and sell their data, though many of these people do not want this.

Now is the time to flip the default, and thus ensure strong privacy protection. Prop 24 misses an opportunity to do so.

A half-step on data minimization

Prop 24’s data minimization rule is only a partial step forward. Businesses must be prohibited from collecting a consumer’s personal information beyond what is necessary to provide the consumer the good or service they requested. That was the approach in this year’s California A.B. 3119 (Asm. Wicks), which the privacy coalition supported.

But Prop 24 uses the wrong yardstick: instead of looking to the consumer’s own expectations, Prop 24 looks instead to the business’ purposes. See Sec