California Proposition 24, an initiative designed to expand the state’s consumer data privacy laws, was approved by voters earlier this month. Prop. 24 will establish the California Privacy Rights Act, which aims to build on the 2019 California Consumer Privacy Act. The CCPA intended to give consumers basic rights to data privacy, including the right to be informed when data is being collected and the right to refuse the selling of personal data, among others. However, in practice, the CCPA ended up functioning more as an ideal than a law, allowing companies to dodge the regulations by claiming things as simple as the fact that their business model did not match the one presented in the law. The California Privacy Rights Act will redefine many of the rights and regulations outlined in the CCPA in order to reduce the exploitation seen under the CCPA, as well as creating a state agency, the Privacy Protection Agency, to enforce the new privacy standards. It will also make it far easier for users to opt-out of data collection as well as reducing the time allotted for companies to fix their mistakes, but the exact details of how this law will play out are largely unknown; until it goes into effect in 2023 the law will stay a plan of action.
Compliance Under the CPRA
The most notable aspect of the California Privacy Rights Act is the creation of the Privacy Protection Agency. In the California Consumer Privacy Act, the enforcement of privacy standards fell to the Attorney General’s office. A state agency dedicated to the necessary enforcements for privacy regulation will allow for much more enforcement to take place. The agency’s interpretation and application of the CPRA will determine the outright impact of the law.
Despite the time needed for the new law to go into action, its ambition will likely set the standard for data protection across the country. A major concern for businesses is the monetary cost of compliance with the new standards, but the change should not be monumental for those that strictly followed the regulations presented in the CCPA. The CPRA is the strongest privacy protection law in the country; it targets the companies that dodged the CCPA and aims, above all else, to protect users. Also, it is similar in its strength to the European Union’s General Data Protection Regulation. Unsurprisingly, this law will affect the majority of businesses, from giants like Apple to small online businesses, but once again the exact details will not be seen until 2023.
As far as support goes, most tech giants have been silent on the issue, as the proposition is not inherently bad for business. The majority of debate has been between consumer data protection advocacy groups. Regardless of how the law plays out, it marks a turning point in consumer data privacy and proves that the issues it faces are ones that need to be addressed.