California Prop 24 Passes: What Marketers Need to Know

Digital media should expect a tighter definition of what 'personal information' is and who has access to it

The proposals are an overhaul of CCPA, which some said had been targeted by lobbyists. Californians for Consumer Privacy
Headshot of Ronan Shields

Away from the drama of the U.S. presidential election and the potential impact those results will have on Big Tech, digital marketers will be paying attention to a more local ballot initiative in California where privacy is on the docket.

Proposition 24, the Consumer Privacy Rights Act, is poised to become law with 56%—or 6.3 million California residents—voting in favor of it, to 44%­­ (4.96 million) against. The results will be certified by Dec. 11.  

CPRA is essentially an overhaul of the preexisting California Consumer privacy Act, already deemed the most comprehensive U.S. data privacy law. It centers on a number of core principles that were supported by a host of high-profile privacy advocates, including former presidential hopeful Andrew Yang.

Core CPRA principles

  • Greater protection of California residents’ personal information, including ethnicity, financial, genetic, geolocation, health, private communications, race, religion, sexual orientation and union membership
  • More safeguards for the information of minors, including an opt-in requirement to sell the data of consumers under age 16, and tripling of maximum fines for violations
  • Stricter limitations on the potential for lobbyists to dilute privacy-protection measures voted upon by California residents, including measures to inhibit the retention of sensitive data
  • The establishment of a California Privacy Protection Agency to enforce the above requirements, which will be funded by up to $10 million per year

Efforts to dilute CCPA

The revisions to CCPA, which itself only became enforceable in July, are the result of efforts from notable privacy advocate Alastair Mctaggart who is said to have grown frustrated with efforts to dilute CCPA, which was passed by lawmakers in 2018.

Sources told Adweek the revisions, which won’t become enforceable until 2023, will align California’s privacy regulations more closely with the General Data Protection Regulations of the EU.

Omer Tene, chief knowledge officer and vp at consumer advocacy body IAPP, told Adweek additional provisions for the reporting of data breaches plus the right to correct inaccurate data retention are among the most significant changes.

“I think at a high level, I would say that this law greatly expands the scope of CCPA,” he said.

Tene further explained that many companies had attempted to position their treatment of consumer information as “not selling data” since CCPA was drafted into law in 2018—a definition that would exempt them from gaining consent under CCPA.

“Alastair Mctaggart had been upset at the fact that many businesses had lobbied hard over the past year and a half to water down some of the provisions of CCPA. The fact that it’s a ballot initiative will make it harder for them to do that.”

Jason Kint, CEO of a trade body representing premium publishers called Digital Content Next, told Adweek the renewed protocols would favor those with a direct relationship with consumers, while inhibiting the monetization capabilities of some of the internet’s household names.

“It clearly closes a couple of areas where big companies like Google and Facebook are continuing to track users and collect data,” he said. “If you look at some of the previous investigations, Facebook and Google collect most of their data as third parties on other people’s properties, so this limits that.”

How companies should start preparing for CPRA

Sources told Adweek those in the digital media ecosystem should prepare for CPRA by looking at the strengthened definition of what constitutes “personal information” and which partners in their supply chain have access to it.

Celine Guillou, counsel at California-based law firm Hopkins Barley, also told Adweek that CPRA’s definition of sensitive information is more comprehensive compared to GDPR. “And what CPRA aims to do is to add a new button [to a given website] on top of Do Not Sell My Data … that basically restricts the processing of sensitive information.”


@ronan_shields ronan.shields@adweek.com Ronan Shields is a programmatic reporter at Adweek, focusing on ad-tech.
{"taxonomy":"","sortby":"","label":"","shouldShow":""}