What Is Proposition 24 and How Does it Affect Businesses?

What Is Proposition 24 and How Does it Affect Businesses?


You may be aware that last week an important poll was held—that’s right, you guessed it: California voters made the decision to pass Proposition 24, known more formally as the California Privacy Rights and Enforcement Act.

Here at Impact, we’re keen observers of the data protection landscape and the litany of data privacy acts that have emerged over the last few years.

For businesses, these acts raise questions about compliance and the associated costs in maintaining it. Given that California constitutes such a large population, data privacy laws affecting the state often have a knock-on effect around the country, and many SMBs with CA customers have to prepare, much like how American businesses had to prepare for GDPR.

What Is Proposition 24?

Proposition 24’s purpose is to expand and amend the previous CCPA bill that passed back in 2018.

It seeks to do this by giving consumers more control over their data and requiring more of businesses to protect this data.

CCPA introduced the right of Californians to demand what information companies are collecting from them, an opt-out, and the right to have information deleted if so desired.

Prop 24 goes a step further, laying out additional protections for sensitive personal information, expanding opt-outs available to users to include data sharing (one of the ways large tech firms generate advertising revenue) and requiring businesses to provide more mechanisms for consumers to access, correct, and delete their information.

The bill also creates a new dedicated agency, the California Privacy Protection Agency, which will take over responsibilities for prosecution from the California Attorney General—the first such move in the US.

Opponents are concerned about concessions made to businesses that meant the bill could be brought forward, notably the expansion of “pay for privacy” schemes, whereby businesses are permitted to offer discounts to those willing to share information—in effect creating a tiered system in which those who can afford a higher price tag will be given stronger privacy protections for their data.

Campaigners argue this will disproportionately affect residents on lower incomes.

Why Is Proposition 24 Important?

Businesses across the country have been keeping a close eye on laws like Proposition 24, primarily out of interest of what may well be coming their way a few years down the line.

Bills like CCPA, or more recently New York’s SHIELD Act, have changed the conversation around data privacy—and what’s expected of companies that possess customer data.

Where before companies looked across the Atlantic at the effects GDPR has had on data privacy, now all eyes are on states like New York and California—two states that together they comprise one-fifth of the US population.

Regardless of where a business is based, if it has a customer in California, it must abide by CCPA or risk being subject to penalties.

The point being, these laws are acting as something of a bellwether for other states, and indeed there are many that are readying themselves for similar bills, Florida being one example.

In lieu of a federal law for data privacy—which is still at the early committee stage; quite a ways off it becoming anything close to resembling law—states are taking it upon themselves to draft legislation.

While data privacy laws are still lacking in pervasiveness and scale, the number of them has doubled since 2016—an indication of how prominent a topic they’ve become.

At least 25 states have enacted some kind of consumer protection—though it’s worth noting most are basic at best and considered weak as far as data privacy goes. At the moment it’s baby steps and there’s a long way to go, but momentum is building.

Digital privacy by state

But What Does This Actually Mean for SMBs?

What this means for SMBs is that they should strongly consider getting their compliance in order now, because sooner or later they will have to abide by one data privacy law or another.

US businesses have fallen foul of GDPR laws across the pond and faced steep penalties—over $400 million has been levied against US-based firms according to a report published last year.

Just as they are now responsible to data belonging to EU citizens, the same is now true for businesses with California- or New York-based citizens.

In short, businesses fall foul of these compliance regulations simply by not paying attention, and being on the wrong end of a compliance penalty is a disaster; not only because of hefty fines, but more importantly the drastic reputational damage that a data breach can have on an SMB.

SMBs and Compliance

The elephant in the room with all this is the simple fact that many SMBs are walking a tightrope when it comes to compliance.

Data security is one of the primary motivating factors in business tech investment, second only to cloud solutions and infrastructure spending.

Business data security among SMBs is lacking, with two-thirds of them experiencing a data breach over the last 12 months.

Furthermore, consumers are becoming far more demanding about how their data is handled. The expectation from laws like CCPA and SHIELD is that customer information is protected to an acceptable standard, and this expectation is increasingly shared and indeed driven by consumers too.

In fact, 84% of them say they would take their business elsewhere if they felt uncomfortable with the data protection standards by an organization they deal with.

90% of business leaders recognize that customer trust is a competitive advantage of the future, but less than half of business leaders consider privacy and security to be a top priority for firms.

Bottom Line

Only 47% of Chief Compliance Officers say their organization has an enterprise-wide reporting system that is integrated with compliance monitoring across functions and business units.

In a time when data privacy is more important than ever, there is a sizable number of SMBs that are simply unprepared for what’s to come.

We have new and emerging legislation like Prop 24 being signed into law, an increasing desire from consumers to take more ownership of their data, and businesses that are being targeted by—and falling victim to—cybercriminals and hackers.

The end result is that SMBs must get themselves ahead of the game by looking ahead at the types of legislation to come, and to understand that sooner rather than later they will have to ensure that they have the right data security protections in place to be assured they can be in compliance.

Only 69% of CCOs say their organization leverages technology to support its compliance initiatives. Laws like CCPA will continue to be enacted in states around the US, and savvy businesses are already making sure their data privacy programs are prepared for the future. 

Impact Networking’s cybersecurity solution has all your bases covered—through our risk assessment we can determine where your weakness are and address them appropriately through best-in-class tech solutions with oversight from a dedicated Virtual Chief Information Officer from our Security Operations Center to make sure your business is fully compliant with relevant laws and regulations.