By Pam Greenberg
Statewide ballot measures cover a broad range of topics, but privacy measures are not often among them, despite Americans’ growing concerns about the issue and an increasing number of consumer privacy bills introduced in state legislatures recently, many similar to and motivated by the California Consumer Privacy Act (CCPA).
This year, however, two significant privacy-protecting measures were on the ballot and approved by voters in California and Michigan.
California: Proposition 24 establishes the California Privacy Rights Act (CPRA), expanding what is already considered the toughest privacy law in the U.S.
The CCPA itself began as an initiative in 2018, spearheaded by a California real estate developer, Alistair MacTaggart, who, with supporters, collected enough signatures to make it to the ballot that year. Legislators working with constituents concerned about the restrictive ballot measure, however, quickly negotiated and passed legislation—the CCPA—in exchange for an agreement to drop the initiative.
Although the CCPA has only been effective since January of this year, MacTaggart’s group, Californians for Consumer Privacy, decided that legislative efforts to “water down” the CCPA necessitated a new initiative to protect and expand the law.
The CCPA currently gives California consumers the right to know about the personal information a business collects about them and how it is used and shared, the right to delete it, and the right to opt out of its sale. It prevents businesses from discriminating against consumers for exercising those rights and requires them to give consumers notice of their privacy policies.
Proposition 24, which was approved by 56% of California voters, expands those rights, allowing consumers to correct inaccurate personal information and to prevent businesses from sharing personal information.
It also limits businesses’ use of “sensitive personal information,” which is expanded to include a social security number, driver’s license, state ID card or passport number, account log-in or credit card number in combination with a security or access code or password. Sensitive information also includes a consumer’s race, ethnic origin, religious or philosophic beliefs or union membership; information in mail, email and text messages; precise geolocation information; genetic, health or biometric data; and information about a person’s sex life or sexual orientation.
Among many other detailed provisions, CPRA also establishes a data protection enforcement agency. It also specifically allows the legislature to amend the law with a simple majority vote, but only to further the primary goal of strengthening consumer privacy. The law will take effect Jan. 1, 2023.
Opponents of Prop 24 encompassed a wide mix of interests: the ACLU of Northern California, the National Federation of Independent Business, the Consumer Federation of California, the California Nurses Association, the California Small Business Association, and the Los Angeles Area Chamber of Commerce, among others.
Michigan: Voters approved Proposal 20-2 this month, which amended the state’s constitutional protection against unlawful searches and seizures to include electronic devices and communications. Law enforcement now must obtain a warrant prior to searching a citizen’s cell phone or other electronic devices. The Michigan provision is very similar to a constitutional amendment passed by Missouri voters in 2014 (art. I, § 15).
Eleven states have constitutions with express provisions relating to a right to privacy—most dating to the late 1960s or early ’70s. An exception is New Hampshire, where voters approved a privacy ballot measure in Nov. 2018, adding the following words to the state’s constitution in art. 2-b: “Right to Privacy: An individual's right to live free from governmental intrusion in private or personal information is natural, essential, and inherent.”
Pam Greenberg tracks technology, cybersecurity, privacy and related issues for NCSL.