A proposed ballot initiative in California known as the California Privacy Rights Act, which is likely to pass if placed on the 2020 ballot, would both clarify and expand the existing California Consumer Privacy Act. Companies doing business in the state should closely monitor these developments and prepare for compliance, as we outline in this article.
A California ballot initiative known as the California Privacy Rights Act (CPRA) would clarify and expand the California Consumer Privacy Act (CCPA), granting significant new rights to consumers and imposing additional liability risks on companies doing business in the state. The CPRA is an update to the California Privacy Rights and Enforcement Act (CPREA) ballot initiative, which was proposed in late 2019 by the Californians for Consumer Privacy, which also sought to broadly amend and prevent changes to the CCPA that would undermine its consumer protections.
The proposed ballot initiative, submitted by the architects of the CCPA, garnered 900,000 signatures, far more than the roughly 625,000 necessary for certification on the 2020 ballot. Early polling reportedly shows strong support for the measure, so assuming the signatures are approved and the CPRA is placed on the ballot, it is considered likely to pass and to take effect on January 1, 2023.
The CPRA proposes a myriad of changes, and this article will not address them all. What follows is a discussion of the most significant changes for businesses and consumers in California, followed by enforcement and implementation considerations.
New Clarifications, Rights and Responsibilities
In a number of areas, the CPRA would modify the current CCPA in ways that are likely to be welcomed by companies grappling with the often ambiguous and unclear obligations under the current law:
“Personal information” would no longer include information that is manifestly made public by the individual or the media.
Businesses that receive deletion requests would be expressly permitted to maintain records of these requests for compliance purposes.
Consumers could no longer require a business to generate a list of “the categories of personal information it has collected about that consumer” in response to access requests.
“Service providers” and “contractors” (a new term that appears to replace the “third party” contract provisions) would not need to respond directly to consumer requests to access or delete information.
However, these changes are largely overshadowed by the initiative’s imposition of significant new rights for consumers and responsibilities for businesses subject to the CCPA. These include the following requirements:
Businesses would need to contend with a new opt-out right to “Limit the Use of My Sensitive Personal Information,” which would require enhanced scrutiny of business practices involving certain “sensitive” categories of information. These sensitive categories of information are reminiscent of (but broader than) the categories of information typically regulated by US data breach notification statutes or are considered “special categories” under the EU General Data Protection Regulation. For purposes of the CPRA, “sensitive” categories will include certain government identifiers (Social Security number, driver’s license, state identification card or passport number); a consumer’s account log-in, financial account, debit card or credit card number in combination with any required code or password to access the account; precise geolocation information; a consumer’s racial or ethnic origin, religious or philosophical beliefs or union membership; the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; genetic data; biometric information that is used to uniquely identify a consumer; health information and information about a consumer’s sex life or sexual orientation.
The existing right to opt out of the “sale” of information would explicitly apply to any personal information that is “shared” for behavioral advertising purposes, resolving a debate over the applicability of the “sale” provisions to the online advertising ecosystem.
In addition to the CCPA’s obligation to maintain reasonable security for a subset of sensitive categories of personal information (as defined in California’s data breach notification law, and enforceable by the CCPA’s private right of action for individuals affected by data breaches), the CPRA would create an affirmative requirement for businesses to maintain reasonable security for all categories of personal information as defined in the CCPA.
A new right that permits California consumers to have inaccurate personal information corrected, in addition to the rights to access and delete personal information granted by the CCPA.
Enforcement and Amendments
In addition to its substantive changes, the proposed initiative would significantly alter the way the CCPA is enforced and implemented. Although the proposal would not create a new private right of action, it would create a new administrative agency, the California Privacy Protection Agency (Agency), which would be governed by a five-member board appointed by a combination of the California governor, attorney general, Senate Rules Committee and speaker of the assembly. Once the CPRA goes into effect, the attorney general may still bring civil actions for violations of the CCPA; however, the Agency would be vested with full administrative power, authority and jurisdiction to implement and enforce the CCPA and adopt regulations to further the purpose of the CCPA.
Unlike the original CCPA ballot initiative, which would have required a supermajority to amend, the new initiative would be subject to amendment by the California legislature through the normal legislative process, with one major caveat: the laws must be “consistent with and further the purpose” of the initiative. Should the initiative pass, this provision could significantly limit further amendments to the CCPA, and is likely to engender debate over what changes do or do not “further the purposes” set out in the initiative.
If passed, the CPRA will have significant impact on companies doing business in California. As companies continue to evaluate their compliance posture with the CCPA, they should also closely monitor developments with the CPRA and begin preparations for compliance.