California's landmark data privacy law only went into effect this January, but thanks to the will of voters, an entirely new law will soon go into its place.

On Election Day, more than half of the state's voters approved Proposition 24, a ballot initiative that would create a new state-run data privacy agency tasked with ensuring companies follow the California Privacy Rights Act (CPRA), a new law that would supersede the state's existing data privacy law, the California Consumer Privacy Act (CCPA). The latest effort was spearheaded by real estate developer Alastair Mactaggart, with input from tech giants like Twitter. 

When lawmakers passed the CCPA two years ago, it was hailed as the strictest law in the nation. It was also costly, with California businesses responsible for footing an estimated $55 billion in compliance costs. 

The good news is that the smallest companies may be shielded from complying with this latest data privacy effort. Proposition 24 specifically applies to companies that have more than 100,000 users or households annually. The prior law affected companies with more than 50,000 users, households, or devices. 

Even so, small companies can get bigger--and in that respect the law is something to note. So far, the reviews are mixed. Some consumer advocacy and civil rights groups call the move a victory for users of services offered by California-based companies, as it gives them more power over their information. Others suggest the initiative opens users up to collateral damages like having to suddenly pay for privacy. Still others warn that the higher compliance costs needed to meet the additional regulations could throttle startups.

Specifically, Proposition 24 requires businesses to notify consumers when their information is shared and sold and for how long. Consumers can request that their personal data be deleted, as well as receive free reports from businesses on how their information is being used. It further allows businesses to give consumers discounts or provide payments in exchange for sharing their personal data. 

The measure's supporters, which include former Democratic presidential candidate Andrew Yang and the California NAACP, say it will give consumers more power over data brokers. The law allows users to limit access to private information such as geolocation, gender, sexual orientation, genetic data, age, and health. 

The measure's detractors, including the American Civil Liberties Union of Northern California and the Consumer Federation of California, argue that the effort creates a "pay-for-privacy" structure that allows companies to essentially charge consumers more in exchange for not selling their data. The new law also allows companies to refuse to delete information if they believe it's vital for security purposes.

That's code for allowing companies to hold onto personal data. "Given that the California attorney general and federal regulators do not have the power, budget, or will to enforce penalties, most organizations will likely continue to hoard data because it is easy and rationalize it under the auspices of security and integrity," said Joel Wallenstrom of Wickr, a secure messaging platform.

What's more, compliance is destined to get expensive, said Richard Holober, president of the Consumer Federation of California. "It's much easier for a Google and a Facebook to comply with these rules than it is for some of these smaller players," he said.

To wit, the costs of implementing the new rules would come on top of just having to do so for the older data privacy law, which went into effect in January. Overall, implementing the 2018 CCPA law was estimated by California's attorney general to cost companies $55 billion--with the bigger cost burden falling on small to midsize businesses. Fully implementing the CCPA was expected to cost companies with fewer than 20 employees as much as $50,000, and companies with fewer than 500 employees as much as $450,000, according to the attorney general's report.

It's worth noting that small businesses are exempt from complying with the new law, according to a legislative analysis by the California State Legislature of Proposition 24. The new data privacy rules would apply only to companies that fit specific criteria:

  • Companies making more than $25 million in annual revenue
  • Companies that buy, sell, or share the personal data of more than 100,000 consumers or households annually. The older law applied to businesses with more than 50,000 consumers, households, or devices. 
  • Companies that earn 50 percent or more of their annual revenue from selling personal data 

Indeed, small businesses aren't the target of Proposition 24, say privacy advocates. "What [Proposition 24] is targeting is not the activities of a smaller company, but the hardcore granular data manipulation that you see of big data brokers and advertisers online," said Carmen Balber, executive director of Consumer Watchdog, a consumer advocacy group. 

Businesses of all sizes will have some time to prepare for the new Proposition 24 regulations, which will become operative in 2023. But, until then, challengers of the measure will have to push the courts and the California State Legislature for changes.