Patrick Walsh
Originally published at blog.ironcorelabs.com.

Privacy Was On The Ballot

And it won. Again.

In the U.S. we just had an election with the highest voter turnout in history. While most people had their eyes on the Presidency, there were some weighty issues like data privacy being decided across the country.

California, Maine, Massachusetts, and Michigan all addressed privacy at some level, with California taking the strongest stance, again. Here’s a roundup of each state and how the changes might affect you.

California

The California Consumer Privacy Act (CCPA), which passed a couple of years ago, only just went into effect this summer. But before it could even be tested, Californians voted to strengthen it with the California Privacy Rights and Enforcement Act (CPRA).

Now CPRA is somewhat controversial even in the privacy community, but here are the less controversial changes:

  • From “do not sell” to “do not share”: CCPA made it hard for companies to sell your data without full disclosure and consent, but it ignored the fact that many of the big tech companies that make money off of consumer data don’t sell that data so much as share it. I’m talking about Google and Facebook in particular.
  • No more exclusions for ad targeting: The original CCPA had a bit of an asterisk where ad targeting was an approved business purpose — a reason for gathering and storing information. So companies must have a good reason for keeping data on you and under that clause, pretty much any data could be kept and may even be exempt from deletion requests. CPRA removes ad targeting as an approved business purpose and theoretically closes this loophole.
  • No more amendments that weaken privacy: The original CCPA had a mess of amendments that came in and undercut it by creating loopholes. CPRA expressly forbids this by only allowing amendments that improve privacy. I didn’t even know you could constrain future amendments, so I find this clause extremely interesting.
  • Global opt-out via “do-not-sell” browser preference: The original CCPA forced buttons and disclosures on company home pages. CPRA makes this requirement stronger and forces a pop-up. That’s not great for usability. But companies don’t have to put anything on their home page if they instead honor a browser preference that can be passed to a website telling it not to sell or share data. This is interesting because it’s a huge incentive for companies to honor an automated opt-out request. We used to have a “Do Not Track” header field that has been phased out since few companies honored it. Now there’s teeth behind it.

On the more controversial side, CPRA explicitly allows pay-for-privacy schemes where you can get a service for free by giving up your privacy with the option to pay to keep your privacy. The framers wanted to allow for journalism that has ad-based and subscription-based models, but it opens the door for a world where only the wealthy can keep their private data private.

Regardless, the bottom line is that Californians again voted to strengthen their privacy protections and that these new rules are likely to impact us all as companies comply with them regardless of where a user is coming from.

Recommended further reading via Wired: The Fight Over the Fight Over California’s Privacy Future

Maine

Meanwhile, in Portland, Maine, police and city agencies can no longer use facial recognition technologies. This one has more teeth than some similar bans in Boston, San Francisco, New York (only applied to inside of schools) and Portland, Oregon, by adding civil fees of $1,000 to anyone who is surveilled in violation of the ordinance. The private sector can still use the technology as can federal law enforcement.

Massachusetts

Massachusetts tackled a niche problem where automakers are putting increasingly invasive data collection into cars. The on-board diagnostics data, “telematics,” includes secret and proprietary data collection. Under the newly passed initiative, manufacturers will have to create standards, allow owners free access to the data being collected on them, and forbid dealers and repair facilities from accessing the data without the permission of the car owner. This is billed as a “right to repair” law where that data may be needed in order for someone to work on their own vehicle, but the provisions give owners not just the right to see the data, but to control who can access it and when.

Michigan

Michigan passed a constitutional amendment to protect electronic data from warrantless searches. The entire change to the Michigan Constitution is actually quite simple. This amendment changes the constitution by adding the parts in bold below:

The person, houses, papers, possessions, and electronic data and electronic communications of every person shall be secure from unreasonable searches and seizures. No warrant to search any place or to seize any person or things or to access electronic data or electronic communications shall issue without describing them, nor without probable cause, supported by oath or affirmation.

Arguably this was unnecessary and redundant — certainly the police believed so. They didn’t oppose the change but basically called it pointless. And perhaps it is. But there are a lot of gray areas and loopholes when it comes to government access of digital data.

Sadly, this doesn’t tackle most of those problems, like the third-party doctrine, but it may lead to more challenges to police surveillance that purchases data such as location data from third-parties.

2021: Federal Time

We now have breach disclosure laws in all 50 states, but we still lack a federal breach disclosure law (unless you count HIPAA, which only covers breaches of health data). States and municipalities are passing patchwork laws covering different aspects of the intersection of privacy and technology. I’m generally in favor of this since gridlock at the federal level has prevented comprehensive modernization of privacy protections at that level.

Perhaps this time around the voters have spoken loudly enough to send a message to Congress: Protection from Government — and private — intrusions of our privacy is important to us all. Let’s make it the undisputed law of the land in 2021.