Background

Alastair Mactaggart, the driver behind the current California Consumer Privacy Act (CCPA) in 2018, published a new version of a consumer privacy act in September 2019. Since then, it has been modified and is being submitted to California county governments for inclusion on the California ballot for voting. California Elections Code, Article 3, Section 9035 requires that initiative measures for statutes be presented to the Secretary of State with a minimum number of signatures, at least 5 percent of the total number of registered voters in the most recent gubernatorial election, in this case, no less than 623,212.

The Office of the Attorney General released the title and summary of the initiative back in December 2019 as one of the first steps in a ballot initiative. On May 4, 2020, the Californians for Consumer Privacy announced that it was submitting over 900,000 signatures for qualification of the California Privacy Rights Act of 2020 (CPRA) as a ballot initiative and is now submitting the petitions to all counties for inclusion on the ballots in November.  If passed, the CPRA would take effect January 2023 with a one-year look back to January 2022. Some provisions, however, are presented for 2021, such as a new state privacy agency responsible for implementing and enforcing the CCPA.

Previously, this same group sponsored CCPA to be on the November 2018 ballot. However, the California Legislature passed its version of the CCPA in June 2018, which was signed into law – and has been amended twice since then. To date, the regulations to implement the CCPA have not been issued, yet enforcement is slated to begin July 1, 2020.

About the CPRA

The CPRA’s intent is to amend the CCPA by adding new definitions and new individual rights and by broadening the enforcement elements of the CCPA. Key provisions include:

  • Enhanced obligations on third parties, including service providers and contractors
    • Providing notice where data is collected (businesses acting as third parties) 1798.100(b)
    • Contractual obligations to comply with the law and to provide certain levels of privacy protection Section 1798.100(d) 
    • Cooperate on consumer requests, including deletion and flowdown obligations 1798.105(c)(3)
  • Explicit security provisions (reasonable as appropriate to nature of information) 1798.100(e)
  • New right of correction 1798.106
  • New right to limit use and disclosure of sensitive personal information 1798.121
  • Addition of definitions of “consent,” “contractor,” “sensitive personal information,” and “share” (as proposed §1798.145(h), (j), (ae), and (ah) respectively), each of which carries new or enhanced obligations. These new definitions are summarized here, with the exception of “sensitive personal information,” which is provided in full below.
    • “Consent” must be freely given, specific, informed and unambiguous, with a clear affirmative action or statement. The definition also states what does not indicate consent, such as acceptance of general terms or muting or closing a piece of content. (h)
    • “Contractor” is very similar to a service provider. (j)
    • “Sensitive personal information” means: (1) personal information that reveals (A) a consumer’s social security, driver’s license, state identification card, or passport number; (B) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (C) a consumer’s precise geolocation; (D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; (F) a consumer’s genetic data; and (2)(A) the processing of biometric information for the purpose of uniquely identifying a consumer; (B) personal information collected and analyzed concerning a consumer’s health; or (C) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation. Sensitive personal information that is “publicly available” pursuant to paragraph (2) of subdivision (v) of Section 1798.140 shall not be considered sensitive personal information or personal information. (ae)
    • “Share,” “shared,” or “sharing” is very much like selling, but in regards to cross-context behavioral advertising. (ah)
  • Additional element of data sharing to the definition of “business” for those who share control and branding with a business subject to the CCPA, Section 1798.140(d)(2) 
  • Creation of a California Consumer Protection Agency. Section 1798.199
  • Requiring an annual cybersecurity audit for businesses whose processing of personal information presents a significant risk to consumers – and submitting risk assessments to the new Consumer Privacy Protection Agency. Section 1798.185(a)(15)
  • Subjecting violations involving the personal information of individuals known to be under the age of 16 to the increased penalty level of $7,500 for each violation. Section 1798.155(a)

These are certainly not all of the changes proposed by the CPRA and one should read the complete text to understand the potential impact.

Next steps

Under the previous initiative, which became the CCPA, negotiations were held to enact state law in lieu of the ballot initiative proceeding. It is unknown whether similar discussions are being held about the CPRA. As permitted under California Constitutional Law, the CPRA will be listed on the ballot in November as long as the remaining requirements are met.

 
