A proposed ballot initiative in California known as the California Privacy Rights Act, which is likely to pass if placed on the 2020 ballot, would both clarify and expand the existing California Consumer Privacy Act. Companies doing business in the state should closely monitor these developments and prepare for compliance, as we outline in this article.
A California ballot initiative known as the California Privacy Rights Act (CPRA) would clarify and expand the California Consumer Privacy Act (CCPA), granting significant new rights to consumers and imposing additional liability risks on companies doing business in the state. The CPRA is an update to the California Privacy Rights and Enforcement Act (CPREA) ballot initiative, proposed in late 2019 by Californians for Consumer Privacy, which also sought to broadly amend the CCPA and to prevent changes to it that would undermine its consumer protections.
The proposed ballot initiative, submitted by the architects of the CCPA, garnered 900,000 signatures, far more than the roughly 625,000 necessary for certification on the 2020 ballot. Early polling reportedly shows strong support for the measure, so assuming the signatures are approved and the CPRA is placed on the ballot, it is considered likely to pass and to take effect on January 1, 2023.
The CPRA proposes a myriad of changes, and this article will not address them all. What follows is a discussion of the most significant changes for businesses and consumers in California, followed by enforcement and implementation considerations.
New Clarifications, Rights and Responsibilities
In a number of areas, the CPRA would modify the current CCPA in ways that are likely to be welcomed by companies grappling with the often ambiguous and unclear obligations under the current law:
- “Personal information” would no longer include information that is manifestly made public by the individual or the media.
- Businesses that receive deletion requests would be expressly permitted to maintain records of these requests for compliance purposes.
- Consumers could no longer require a business to generate a list of “the categories of personal information it has collected about that consumer” in response to access requests.
- “Service providers” and “contractors” (a new term that appears to replace the “third party” contract provisions) would not need to respond directly to consumer requests to access or delete information.
However, these changes are largely overshadowed by the initiative’s imposition of significant new rights for consumers and responsibilities for businesses subject to the CCPA. These include the following requirements:
- Businesses would need to contend with a new opt-out right to “Limit the Use of My Sensitive Personal Information,” which would require enhanced scrutiny of business practices involving certain “sensitive” categories of information. These sensitive categories of information are reminiscent of (but broader than) the categories of information typically regulated by US data breach notification statutes or considered “special categories” under the EU General Data Protection Regulation. For purposes of the CPRA, “sensitive” categories will include certain government identifiers (Social Security number, driver’s license, state identification card or passport number); a [...]