This piece first ran in the SF Chronicle.

Prop. 24 is the wrong policy approach, at the wrong time, via the wrong process


Most voters initially are inclined to support Prop. 24, the California Privacy Rights Act (CPRA). Everyone wants more privacy. But that initial support dissolves after careful scrutiny. Prop. 24 does not do much to advance privacy, and it comes with a huge catch that all voters should oppose. For that reason, the smart vote is no on Prop. 24.

Prop. 24’s roots trace to the California Consumer Privacy Act (the CCPA), a comprehensive, sprawling, and insanely complicated privacy law that took effect this year. The CCPA already protects your privacy; you don’t need to vote yes on Prop. 24 to get its privacy benefits.

The CPRA copied the CCPA but added hundreds of major and minor changes. Some changes increase consumer privacy, others don’t. On balance, compared to the CCPA, the CPRA has a mixed effect on your privacy.

These changes are costly. Businesses already spent lots of money to comply with the CCPA, and the CPRA will impose additional compliance costs. These costs will hit businesses at a time when they already are struggling due to the pandemic and economic downturn.

If Prop. 24 doesn’t enhance your privacy, then why is it on the ballot? This is the huge catch: Prop. 24 is intended to eliminate the Legislature’s supervision of consumer privacy law. The CPRA lets the Legislature amend it only in limited circumstances; and the requirements virtually ensure that any attempted amendment will trigger lengthy and costly lawsuits over the Legislature’s authority. Rather than fight those battles, the Legislature probably will ignore the CPRA.

This means that Prop. 24 fundamentally rejects the Legislature’s role in representing Californians. Normally, we expect our legislators to advocate for their constituents’ interests. Voting yes on Prop. 24 strips away our legislators’ power to do their jobs, even as the CPRA becomes problematic or out of date over time.

This is a bad idea. Consumer privacy law is extraordinarily complex (the CPRA is a complicated tangle of 52 pages of poorly drafted legalese), so it is hard to anticipate what we need from a future privacy law. Our world will keep evolving and we expect privacy law to evolve with it. The CPRA makes that functionally impossible.

This is a terrible time to make permanent choices about privacy. First, we’re in the middle of a pandemic and a high-stakes national election, which is distracting our attention from this extremely important — and extremely complex — question.

Second, we don’t have enough information yet to know how well California’s existing privacy law works. Recall that the CCPA (the CPRA’s model) is a new law — it went into effect in January — and the California Department of Justice gained full enforcement authority over the CCPA only two months ago.

What do we know about what works in the CCPA and what doesn’t? Virtually nothing. We haven’t had time to study its effects and figure out what adjustments it needs. Nevertheless, without learning any of those lessons, the CPRA would take away California’s power to make those needed adjustments.

Fundamentally, Prop. 24 is asking whether you think the Legislature should have no role in managing consumer privacy. Voting “yes” indicates you think there’s no point in continuing to think about how to best balance privacy with many other policy considerations, because the CPRA is the perfect solution for the rest of our lives. If you can’t confidently say that, vote no on Prop. 24.

Eric Goldman is a law professor at Santa Clara University School of Law, where he directs the school’s Privacy Law Certificate.