As the CCPA enforcement date of July 1, 2020 approaches next week, California privacy rights were already on the minds of many businesses. However, just as organizations wrap up month and year-long projects to address those costly and onerous requirements, the CCPA may be “old news.” Expanded California privacy rights (together with yet more resource and time-intensive compliance projects for businesses) may be coming---we will have to wait until November to find out. Yesterday, June 24, 2020, the California Secretary of State announced that “CCPA 2.0” or the California Privacy Rights Act of 2020 (“CPRA”) has enough valid signatures and will appear on the November 2020 ballot.
A similarly styled ballot initiative was the driving force behind the CCPA. The 2018 initiative (which was led by the same consumer privacy organization as the CPRA) also received enough verified signatures to appear on the November 2018 ballot. However, due to nuances in California Election Code, legislators were able to quickly draft what we now know as the CCPA, with the understanding from the sponsors of the ballot initiative that if the CCPA was enacted into law, the ballot initiative would be dropped (the thought being that a hastily drafted law was better than the rigid ballot measure which state legislators cannot amend once voted into law). For this 2020 ballot initiative pushing forth the CPRA, the window of opportunity has now closed for any such last-minute negotiation or intervention by legislators and the CPRA will be put to vote this November. If adopted by California voters, the CPRA would become effective on January 1, 2023 and apply to personal information collected by businesses on or after January 1, 2022. Certain technical provisions would take effect shortly after election day. The CPRA would present expanded rights for consumers, more similar to those available under the EU General Data Protection Regulation, as well as stiffer penalties for non-compliance. Below we highlight some of the many changes the CPRA would introduce.
Employee and B2B data
The CPRA would retain the limited exceptions to certain requirements for personal information collected in the employment and business contexts, which currently apply under the CCPA until the end of 2020. Those exceptions would sunset for the CPRA on January 1, 2023.
Sensitive Personal Information; Limits on Use
The CPRA would create a new category of “sensitive personal information” and California residents would have more rights to restrict or limit how businesses can use or disclose that data. The term includes Social Security number, driver’s license number, passport number, financial account information, precise geolocation, race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information, and information about sex life or sexual orientation.
The CPRA would create new disclosure obligations for businesses. Under the CPRA, businesses likely would need to update their privacy statements again, to include new disclosures not currently required under the CCPA or CalOPPA, including the types of sensitive personal information collected and whether such sensitive information is sold or shared and how long (time period) the business intends to retain personal information or the criteria to determine the retention period.
As with the CCPA, the CPRA would require businesses to obtain opt-in consent to sell or share data pertaining to California residents under age 16. However, under the CPRA, companies could be subject to triple the fines currently set forth in the CCPA for violation of this specific obligation.
A New Regulator in California; Enforcement
The CCPA is set to be enforced by the California Attorney General. The CPRA would establish the California Privacy Protection Agency to implement and enforce the law. The CPRA would also eliminate the 30-day cure period following notice of alleged non-compliance with the law, an important measure currently provided under the CCPA.
Privacy Rights (Updates to Existing Rights and New Rights)
The CPRA would introduce new rights for consumers, such as the right to restrict use and disclosure of sensitive personal information (as described above) or to correct or amend personal information the consumer believes to be inaccurate. The CPRA would expand existing rights, including an extension of the lookback period beyond 12 months for a “Right to Know” request (which may require businesses to overhaul their consumer rights processes to accommodate the new “lookback period”). Businesses would still need to use commercially reasonable efforts to comply with a verifiable request.
The CPRA would also amend the CCPA’s data breach liability provision. As amended, data breach obligations would also be triggered where a consumer’s email address is compromised in combination with a password or security question and answer that would permit access to the consumer’s account, which further aligns with the state’s consumer breach notification law.
As entities continue to navigate the economic crisis and the pandemic, compliance with California privacy laws may yet become even more complicated, between proposed amendments to the CCPA via AB-3119, which could further limit how businesses can share personal information and require prior consent in certain cases and the expansive amendments that would apply if the ballot measure is passed by votes. If enacted, the CPRA will set forth new privacy compliance tasks for regulated businesses, many of whom are already taxed handling return-to-work privacy concerns and implementing practices to address the final proposed CCPA regulations, including create additional rights that will likely require changes in practices that were designed for the CCPA as it exists today.