I would actually really like to do more Ate Up With Motor content, but I have serious doubts about whether I legally can — and whatever extent I might be able to now may completely disappear on January 1, when California really goes to war with the First Amendment.

I don’t have access to any legal counsel to assess whether it really is as drastic as it appears, but the actual text of the revised law that voters approved in November 2020, which becomes fully operative on Jan. 1, 2023, is REALLY drastic. It’s SO drastic, in fact, that it’s unclear how any publisher, film studio, TV network, or other media entity (other than news-reporting entities like newspapers) will be able to lawfully function, although vertically integrated big tech companies like Google, Microsoft, and Facebook will be largely untouched. Any time I bring this up, people think I’ve lost my mind, and I’m pretty sure that the people who voted for the referendum assumed it does something quite a bit different than it actually does.

To give a sense of how drastic an experiment in social engineering Prop. 24 is, if you are deemed a “business” subject to the law’s requirements, starting in January, it will become unlawful for you to so much as buy office supplies or postage from a retail store without first providing the checkout clerk with a detailed notice at collection describing all the categories of personal information you may gather from talking to them or reading their name badge, what purposes you’ll use the information for, how long you’ll retain each category of information, and whether it will be shared or sold (with a notice of the right to opt-out). The same will apply if you contact a government agency or any other entity whose employees and officers are California residents, so watch out if you try to contact your legislators to complain.

Under Prop. 24, it will become unlawful as of January 1 for any “business” to disclose ANY personal information of any California resident that isn’t already publicly available or “lawfully obtained, truthful information that is a matter of public concern” for any business or commercial purpose whatsoever except under a written contract that limits the recipient’s use of the information to certain specified purposes; requires the recipient to provide the consumer to whom the information pertains with all the rights provided by Prop. 24; and gives the business the contractual authority to actively monitor the recipient’s compliance and “stop and remediate unauthorized use of personal information.” Contracts involving the sale or disclosure of a California resident’s personal information, including in published works, will become largely unenforceable because any resident will have the unwaivable right to kibosh the release of their information at almost any time. This doesn’t include information that was already publicly available, but if it’s not publicly available (e.g., a new book of interviews and photos that haven’t previously been published) and not “a matter of public concern,” the resident can generally stop publication or distribution at will (with a limited, temporary exception for a “physical item” the business has “incurred significant expense” to produce in reliance on prior consent), and any contractual agreement to the contrary will be deemed unenforceable. On top of that, the law will make it unlawful to retain any personal information for any purpose NOT disclosed in the “notice at collection,” or “for longer than is reasonably necessary” to achieve the disclosed purpose, so retaining research notes and email may be subject to enforcement action and substantial fines.

Oh, and if you are a California resident as well as a “business” or the owner of a “business,” you’re also considered a “consumer,” which means it’ll be unlawful for you to disclose your OWN information for a business or commercial purpose without a restrictive contract of the kind described above. This includes “sharing” your information (which means making it available for behavioral advertising purposes, even it’s NOT for money or valuable consideration) with any website or service you use in the course of your business activity. So, using the Internet will become more or less categorically unlawful for “businesses,” and lots of luck with stuff like trying to get your phone or computer fixed. (It’ll no longer be lawful for a “business” to take their device to a commercial repair service, unless those services RADICALLY step up their game in terms of the contractual agreements they’re willing to offer.)

That is what the law says (Cal. Civ. Code Section 1798.100 et seq., as amended by Prop. 24) — and it’s already passed and already on the books, although its full requirements aren’t yet operative.

All of that is an absolutely devastating blow to the First Amendment and the First Sale Doctrine, not to mention common sense, but the law’s intent and intended scope are quite explicit. And, since California is claiming broad extraterritoriality for these privacy rights, it will apply to any “business” anywhere that handles the personal information of any California resident.

You see why I don’t think I can do this (or anything else) anymore?

You’re GREATLY underestimating the scope of California privacy law, which seems to be a widespread misconception among the people who supported the CCPA and who voted for Prop. 24.

First, the law’s definition of personal information is extremely broad: It includes any “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (A “consumer” just means any natural person who resides in California.) With regard to online information, both current law and Prop. 24 consider IP addresses to be “persistent identifiers,” so the IP address of an individual website visitor is personal information, as is any information about their “interaction with an internet website, application, or advertisement.” Therefore, even if your website does not use analytics or advertising, it is definitely collecting visitors’ personal information simply through the web server processing the operations involved in making the site work. (This is true under the GDPR as well.) Depending on how the server manages its log data, that personal information may not be maintained for very long, but it is unequivocally “collected.”

Second, these laws DO NOT only apply to data collected online. (Cal. Civ. Code § 1798.175 states this very explicitly.) Talk to someone in person or over the phone? You’ve “collected” personal information about them. Read about someone in a newspaper or magazine, or listen to a song on the radio? Again, you have collected personal information about anyone involved in the material you read or listened to to whom the information can reasonably be linked. Prop. 24 does have a broader exemption for “publicly available information” than does the current CCPA (which only considers information to be publicly available if it is “made lawfully available to the general public from federal, state, or local government records”), but on January 1, it will remove the current exemptions for interacting with a business or government agency to obtain or provide products or services (e.g., where you talk to an employee of a business from whom you’re buying something) and for information collected from your own owners, officers, and employees (which includes you if you’re a sole proprietor residing in California!).

There is literally no way under the definitions of Prop. 24 that any business could “turn off all data collection” unless everyone associated with the business and its operations is a nonresident located outside of California AND no one acting for or on behalf of the business ever directly or indirectly interacts with California residents unless every aspect of the collection or use of personal information from California residents “takes place wholly outside of California.”

Furthermore, the requirements of Prop. 24 are not waivable by the “consumer.” For example, the restrictions on disclosing information for a business purpose without a restrictive contract will still apply even if the “consumer” says it’s okay or clicks a disclaimer checkbox. Any agreement to the contrary will not be enforceable. (Whether the courts will buy that is another matter, but that is an explicit provision of the law.)

But if YOU never receive the user’s unique IP address, that is if the server never logs the IP to a location that the site’s owner can access, then YOU aren’t responsible for the data collection.

This is simply untrue. If you operate a website, you are legally responsible for the information it collects and processes. Using a third-party service provider, like a web host, that collects and processes the information on your behalf does NOT relieve you of legal responsibility. That’s true under California law, it’s true under federal laws like COPPA and CAN-SPAM, and it’s true under the EU and UK GDPR. If you only have a page on a social media platform or marketplace like Facebook or eBay, you probably aren’t responsible for the data collection practices of the platform itself (although you are responsible for data you collect directly), but a web host does NOT assume sole legal responsibility for the data collection involved with hosting your website. That’s just not how it works, and even if it were, the terms of service for most commercial web hosts will almost certainly contain provisions limiting their liability and requiring you to indemnify them. In general, if you pay someone to do something on your behalf and for your benefit, you’ll likely have at least some responsibility for it unless you can demonstrate that they did it in a way you expressly told them not to do!

Furthermore, I must emphasize again: Prop. 24, the CCPA, and the GDPR DO NOT ONLY APPLY TO ONLINE DATA OR USER DATA. (Again, the California law says this very explicitly.) These laws apply to ANY personal information in any form, collected by ANY means, including talking to people in person, communicating over the phone, communicating via email, using security cameras or motion sensors on your property, or watching people walk by on the street without ever interacting with them. If you talk to a California resident face-to-face in the course of your business, you are collecting at least four categories of personal information from them (and probably at least five under Prop. 24). Moreover, the CCPA and GDPR also consider reading about someone in a published book or watching them on television to be collecting personal data about them; Prop. 24 at least expands the exemption for information that’s publicly available “from widely distributed media.”

The latter is a really big sticking point. Look, Ate Up With Motor even in its best years was never exactly a juggernaut in terms of traffic, and I try to minimize my data collection from visitors (for example, a little while after publishing your comment, I deleted the IP address and user agent information from the website database, and I’ve deleted the notification emails, which, as is standard for WordPress comment notifications, included your IP address and hostname), I haven’t used any behavioral advertising services in years now, I removed Google Analytics, I don’t sell commenters’ email addresses, and I don’t ask visitors to sign up for a mailing list or email newsletter (I personally HATE when websites instantly bombard you with popups about joining their mailing list). However, that’s not all that’s potentially involved or all that’s at stake.

The problem, and the thing that keeps me up nights, is that California has written its privacy laws in ways that create a serious risk of triggering the nightmare situation I’m describing through a combination of legislative overreach, overly broad framing, and the fact that few people seem to grasp how far-reaching the laws actually are.

The description you quote is incomplete, and therefore kind of misleading. Under the CCPA (present law), the threshold described reads in full, “Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.” Prop. 24 changes that to read “Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households.”

However, the CCPA ALSO applies if one “[d]erives 50 percent or more of its annual revenues from selling consumers’ personal information,” which Prop. 24 amends to “[d]erives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.” To be clear: The law applies if EITHER of those thresholds is met (or if one has annual gross revenues of $25 million or more, which you may be assured I do not and likely never will). So, if the operator of a website or any other type of for-profit enterprise gets half or more of its revenue from, for example, using online advertising that collects visitors’ IP addresses and other personal information, the operator of that enterprise is considered a “business” subject to all the requirements of the law — no matter how much revenue they actually have or how many visitors they get — unless they can credibly demonstrate that few if any of those visitors are from California. (Under these laws, “consumer” really just means “any California resident.”)

Both the CCPA and Prop. 24 define the “sale” of personal information EXTREMELY broadly as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” any personal information of any California resident “for monetary or other valuable consideration.” The inclusion of “valuable consideration” means, among other things, that if you use third parties to process the information for you (for example, your web host, your phone company or mobile carrier, shipping agencies and postal services), providing a California resident’s personal information to those third parties can be considered “selling” them that information in exchange for the “valuable consideration” of whatever service they provide for you — even if you’re actually paying THEM — unless you have a written contract with them that prohibits them from using the information outside of providing the services to you. Under Prop. 24, “sharing” means “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” any personal information of any California resident “for cross-context behavioral advertising, whether or not for monetary or other valuable consideration” [emphasis added].

Ironically, the only way your latter statement is true is in the context of online advertising and behavioral advertising. Companies like Google and Facebook maintain that they don’t “sell” personal information because they don’t make it directly available to their advertising clients; instead, a client says something like, “I want to show my ad to at least 10,000 left-handed plumbers 24–34 who like basketball,” and Google or Facebook uses its stockpile of information to show the ad to such users, without actually sharing any of those users’ personal information with the client. Web hosting, email hosting, and other services don’t work like that, practically or legally.

(Prop. 24 purports to want to basically stamp out behavioral advertising, but it will actually just cement the stranglehold big vertically integrated tech companies have on online advertising. Big tech companies can largely avoid letting the mountains of information they collect ever leave the confines of the corporation, which means that by definition, they are neither “selling” nor “sharing” that information, at least as Prop. 24 defines those terms. That is arguable, of course, but Amazon, Facebook, Google, and Microsoft all assert basically that, which I assume means they’re prepared to fight it out in court if they have to — and, given how much money they could throw at it, they might very well win.)