Proposition 24 Took Away the Only Good Thing in California’s Privacy Legislation

Daniel Castro Ashley Johnson November 4, 2020
November 4, 2020

(Ed. Note: The “Innovation Fact of the Week” appears as a regular feature in each edition of ITIF’s weekly email newsletter. Sign up today.)

California’s Proposition 24, which amended the California Consumer Privacy Act of 2018 (CCPA), passed on Tuesday, forcing businesses that have already struggled to comply with the CCPA’s onerous and costly obligations to start over with a new set of even more burdensome rules. Notably, it removed one of the CCPA’s only positive, common-sense provisions: its 30-day notice and cure period, which gives businesses a grace period to avoid penalties if they fix violations within 30 days.

The CCPA went into effect on January 1, 2020 and gave consumers in California the right to access the personal data collected on them in the last year; the right to refuse to allow companies to sell their personal data; the right to know why companies collect this data and what third parties they shared it with; the right to erase personal data collected about them; and the right to sue companies that have collected information on them in the event of a data breach. The law comes with high costs for businesses in every sector, including initial compliance costs estimated to reach $55 billion and fines of up to $7,500 per violation. To put that into context, that is enough money to give every low-income family with children in America two laptops and two years of broadband service.

One of the few silver linings in the CCPA was that it included a 30-day grace period for businesses with an alleged violation or that suffered a data breach due to a lack of reasonable security measures. If a business addressed a violation within 30 days of being informed of it, it would avoid fines. In the case of a data breach, if a business implemented reasonable security measures within 30 days of the breach, consumers could not sue the business for violating the CCPA.

The 30-day notice and cure provision struck the right balance between increasing consumer protections and minimizing costs for businesses, costs which ultimately would be passed on to consumers. As it was originally written, the provision encouraged compliance among good actors—companies found to be out of compliance had an opportunity to fix their mistake without penalty. At the same time, the provision still allowed regulators to take action against bad actors that willfully ignored the law.

Prop 24 eliminates the CCPA’s 30-day notice and cure period. Now, even if businesses quickly address a violation or strengthen their security in response to a data breach, regulators can still fine them and consumers can still sue them for consumer privacy violations. This forces companies to predict exactly what regulators want, giving them no margin of error as they roll out new products or services because they will otherwise face expensive consequences. It also fails to separate good actors from bad ones, and punishes all companies the same, regardless of their intent or the harm they caused. 

These new rules will be especially burdensome for small and medium-sized firms, many of which are already struggling during the ongoing COVID-19 pandemic, and which have fewer resources to devote to compliance, fines, and legal fees. These are companies that, under the existing CCPA before Prop 24, could already expect to spend anywhere from $50,000 to $450,000 on compliance.

Coming so quickly on the heels of the CCPA, Prop 24 will increase the costs to businesses before the state has had a chance to fully evaluate the effects of its new consumer privacy law. It eliminates a key provision in the CCPA that provides good actors with much-needed leniency in the face of complex regulation. By removing the 30-day penalty fix, Prop 24 has succeeded in making a bad privacy law even worse.