SF Chronicle Op-Ed: “Prop. 24 is the Wrong Policy Approach, at the Wrong Time, via the Wrong Process”

[I published this op-ed in the San Francisco Chronicle yesterday]

Most voters initially are inclined to support Prop. 24, the California Privacy Rights Act (CPRA). Everyone wants more privacy. But that initial support dissolves after careful scrutiny. Prop. 24 does not do much to advance privacy, and it comes with a huge catch that all voters should oppose. For that reason, the smart vote is no on Prop. 24.

Prop. 24’s roots trace to the California Consumer Privacy Act (the CCPA), a comprehensive, sprawling, and insanely complicated privacy law that took effect this year. The CCPA already protects your privacy; you don’t need to vote yes on Prop. 24 to get its privacy benefits.

The CPRA copied the CCPA but added hundreds of major and minor changes. Some changes increase consumer privacy, others don’t. On balance, compared to the CCPA, the CPRA has a mixed effect on your privacy.

These changes are costly. Businesses already spent lots of money to comply with the CCPA, and the CPRA will impose additional compliance costs. These costs will hit businesses at a time when they already are struggling due to the pandemic and economic downturn.

If Prop. 24 doesn’t enhance your privacy, then why is it on the ballot? This is the huge catch: Prop. 24 is intended to eliminate the Legislature’s supervision of consumer privacy law. The CPRA lets the Legislature amend it only in limited circumstances; and the requirements virtually ensure that any attempted amendment will trigger lengthy and costly lawsuits over the Legislature’s authority. Rather than fight those battles, the Legislature probably will ignore the CPRA.

This means that Prop. 24 fundamentally rejects the Legislature’s role in representing Californians. Normally, we expect our legislators to advocate for their constituents’ interests. Voting yes on Prop. 24 strips away our legislators’ power to do their jobs, even as the CPRA becomes problematic or out of date over time.

This is a bad idea. Consumer privacy law is extraordinarily complex (the CPRA is a complicated tangle of 52 pages of poorly drafted legalese), so it is hard to anticipate what we need from a future privacy law. Our world will keep evolving and we expect privacy law to evolve with it. The CPRA makes that functionally impossible.

This is a terrible time to make permanent choices about privacy. First, we’re in the middle of a pandemic and a high-stakes national election, which is distracting our attention from this extremely important — and extremely complex — question.

Second, we don’t have enough information yet to know how well California’s existing privacy law works. Recall that the CCPA (the CPRA’s model) is a new law — it went into effect in January — and the California Department of Justice gained full enforcement authority over the CCPA only two months ago.

What do we know about what works in the CCPA and what doesn’t? Virtually nothing. We haven’t had time to study its effects and figure out what adjustments it needs. Nevertheless, without learning any of those lessons, the CPRA would take away California’s power to make those needed adjustments.

Fundamentally, Prop. 24 is asking whether you think the Legislature should have no role in managing consumer privacy. Voting “yes” indicates you think there’s no point in continuing to think about how to best balance privacy with many other policy considerations, because the CPRA is the perfect solution for the rest of our lives. If you can’t confidently say that, vote no on Prop. 24.

Prior CCPA/CPRA Posts

* Over 50 Privacy Professionals & Experts Oppose Prop. 24
Californians: VOTE NO ON PROP. 24, The California Privacy Rights Act (CPRA)
A Review of the “Final” CCPA Regulations from the CA Attorney General
The CCPA Proposed Regs’ Data Valuation Calculation Provisions Provide Flexibility, But Raise Ambiguity & Transparency Concerns (guest blog post)
My Third Set of Comments to the CA DOJ on the CCPA Regulations
Comments on the DOJ’s Proposed Modifications to the CCPA Regulations
Eric Goldman’s Comments to the California DOJ Draft Regulations for the Consumer Privacy Act (CCPA) (Part 3 of 3)
Some Lessons Learned from the California Consumer Privacy Act (CCPA), 18 Months In (Part 2 of 3)
Resetting the California Consumer Privacy Act (CCPA)…with 2 Weeks To Go! (Part 1 of 3)
And At the End of the Day, the CCPA Remains Very Much the Same (Guest Blog Post)
A Recap of the Senate Judiciary Committee Hearing on Amending the California Consumer Privacy Act (Guest Blog Post)
Want Companies to Comply with the CCPA? Delay Its Effective Date (Guest Blog Post)
Recap of the California Assembly Hearing on the California Consumer Privacy Act
A Status Report on the California Consumer Privacy Act
41 California Privacy Experts Urge Major Changes to the California Consumer Privacy Act
California Amends the Consumer Privacy Act (CCPA); Fixes About 0.01% of its Problems
Recent Developments Regarding the California Consumer Privacy Act
The California Consumer Privacy Act Should Be Condemned, Not Celebrated
A First (But Very Incomplete) Crack at Inventorying the California Consumer Privacy Act’s Problems
Ten Reasons Why California’s New Data Protection Law is Unworkable, Burdensome, and Possibly Unconstitutional (Guest Blog Post)
A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet
An Introduction to the California Consumer Privacy Act (CCPA)