Patrick Walsh
Originally published at blog.ironcorelabs.com.

Privacy Was On The Ballot

And it won. Again.

In the U.S. we just had an election with the highest voter turnout in history. While most people had their eyes on the Presidency, there were some weighty issues like data privacy being decided across the country.

California, Maine, Massachusetts, and Michigan all addressed privacy at some level, with California taking the strongest stance, again. Here’s a roundup of each state and how the changes might affect you.

California

The California Consumer Privacy Act (CCPA), which passed a couple of years ago, only just went into effect this summer. But before it could even be tested, Californians voted to strengthen it with the California Privacy Rights and Enforcement Act (CPRA).

Now CPRA is somewhat controversial even in the privacy community, but here are the less controversial changes:

On the more controversial side, CPRA explicitly allows pay-for-privacy schemes where you can get a service for free by giving up your privacy with the option to pay to keep your privacy. The framers wanted to allow for journalism that has ad-based and subscription-based models, but it opens the door for a world where only the wealthy can keep their private data private.

Regardless, the bottom line is that Californians again voted to strengthen their privacy protections and that these new rules are likely to impact us all as companies comply with them regardless of where a user is coming from.

Recommended further reading via Wired: The Fight Over the Fight Over California’s Privacy Future

Maine

Meanwhile, in Portland, Maine, police and city agencies can no longer use facial recognition technologies. This one has more teeth than some similar bans in Boston, San Francisco, New York (only applied to inside of schools) and Portland, Oregon, by adding civil fees of $1,000 to anyone who is surveilled in violation of the ordinance. The private sector can still use the technology as can federal law enforcement.

Massachusetts

Massachusetts tackled a niche problem where automakers are putting increasingly invasive data collection into cars. The on-board diagnostics data, “telematics,” includes secret and proprietary data collection. Under the newly passed initiative, manufacturers will have to create standards, allow owners free access to the data being collected on them, and forbid dealers and repair facilities from accessing the data without the permission of the car owner. This is billed as a “right to repair” law where that data may be needed in order for someone to work on their own vehicle, but the provisions give owners not just the right to see the data, but to control who can access it and when.

Michigan

Michigan passed a constitutional amendment to protect electronic data from warrantless searches. The entire change to the Michigan Constitution is actually quite simple. This amendment changes the constitution by adding the parts in bold below:

The person, houses, papers, possessions, and electronic data and electronic communications of every person shall be secure from unreasonable searches and seizures. No warrant to search any place or to seize any person or things or to access electronic data or electronic communications shall issue without describing them, nor without probable cause, supported by oath or affirmation.

Arguably this was unnecessary and redundant — certainly the police believed so. They didn’t oppose the change but basically called it pointless. And perhaps it is. But there are a lot of gray areas and loopholes when it comes to government access of digital data.

Sadly, this doesn’t tackle most of those problems, like the third-party doctrine, but it may lead to more challenges to police surveillance that purchases data such as location data from third-parties.

2021: Federal Time

We now have breach disclosure laws in all 50 states, but we still lack a federal breach disclosure law (unless you count HIPAA, which only covers breaches of health data). States and municipalities are passing patchwork laws covering different aspects of the intersection of privacy and technology. I’m generally in favor of this since gridlock at the federal level has prevented comprehensive modernization of privacy protections at that level.

Perhaps this time around the voters have spoken loudly enough to send a message to Congress: Protection from Government — and private — intrusions of our privacy is important to us all. Let’s make it the undisputed law of the land in 2021.