September 28, 2020

Volume X, Number 272

September 28, 2020

Subscribe to Latest Legal News and Analysis

California Privacy Rights Act Makes it to the November Ballot (US)

As California employers continue to grapple with compliance with employee-related portions of the California Consumer Privacy Act, it is worth keeping an eye on a follow-on law, the California Privacy Rights Act (CPRA), which now has enough signatures to be on California’s November 3, 2020 ballot. Of particular concern to employers should be the fact that if passed as a ballot measure, it will make provisions of the law virtually impossible to amend or alter through the normal legislative and regulatory process. It also means that employers will have a final deadline for compliance which will likely not be extendable for any reason absent another statewide ballot measure. Our colleagues at Squire Patton Boggs’ Security & Privacy//Bytes blog have the details.

The number of verified signatures necessary to put the CPRA on the November ballot cleared its final hurdle on June 24, 2020. This means November 3, 2020 will be a pivotal day for privacy law in California, and will also impact the US more broadly.

Recap: the Road to Certification

The CPRA process began in the fall of 2019 with the filing of a ballot initiative by Alastair Mactaggart on behalf of the group Californians for Consumer Privacy. By mid-March 2020, the group had collected roughly 930,000 signatures in support. The following developments then ensued:

  • May 4: The signatures were submitted to the counties in which they were collected to be counted. (See our prior post for more details.)

  • May 13/14: Riverside County reported its 56,346 signatures at 5:27pm on May 13th, after the Office of the Secretary of State of California had closed for the day. The Secretary of State ordered the counties to begin the random sample count at 4:14pm on May 14, which pushed the deadline for counties to report on validated signatures to June 26, 2020. This one-day delay threatened to derail CPRA as a viable initiative for the November 2020 ballot.

  • June 8: Californians for Consumer Privacy representatives filed a motion for writ of mandate to order the Secretary of State to direct counties to complete their random sampling counts by June 25, the deadline for the measure to be certified. (See our prior post for more details.)

  • June 19: The hearing on the writ of mandate was held at the Sacramento Superior Court, and Judge Chang ruled in favor of the proponents to ensure that the procedural delay would not prevent CPRA from being on the ballot in November. The order moved the deadline for counties to report to June 25, in time for the measure to be certified subject to meeting the automatic qualification threshold. (See our prior post for more details.)

  • June 24: Two of the final three counties reported their random sample counts, resulting in 718,233 verified signatures. This is 32,699 signatures more than the required number of 685,534 to qualify for automatic certification for the November 2020 ballot. The Secretary of State made this official and certified the measure as eligible for the ballot.

Key Provisions and Details

The CPRA builds on and amends the California Consumer Privacy Act (“CCPA.”) If the referendum passes, the new law will go into effect on January 1, 2023, with the exception of certain provisions that will have immediate effect. Unlike the CCPA, the CPRA limits future amendments to those that further consumer privacy, which means the CA Legislature will not be able to amend the law to reduce consumer rights or water-down requirements.

Some of the key and likely impactful elements are highlighted below. We will be following up with detailed posts on the various changes and considerations in the coming days and weeks.

  • Creation of a New Privacy Protection Agency: The CPRA creates the California Privacy Protection Agency which will be initially funded with $5 million dollars in 2020-2021, and $10 million in each following year.

  • More Regulations: The CPRA initially requires the Attorney General to update and amend the CCPA regulations with a significant number of new provisions. The baton will then pass to the newly created California Privacy Protection Agency on the later of July 1, 2021 or six months after the new Agency notifies the AG that it is ready to take over. The final regulations arising from the CPRA must be adopted by July 1, 2022.

  • Special Treatment for Sensitive Personal Information: The CPRA defines a new category of sensitive personal information and affords it heightened protections.

  • Additional Rights: Consumers will have additional rights such as the ability to correct their personal information, opt-out of advertisers using precise geolocation, and restrict usage of sensitive personal information.

  • Risk Assessments and Audits: The new Agency will have the authority to audit a business’s privacy practices and issue regulations requiring annual audits and regular risk assessments for organizations that meet certain thresholds.

  • Immediate Extension of Personnel and B2B Exemptions: The current exemptions for personnel/applicants and B2B communications will remain in place through January 1, 2023, extending the current expiration date of January 1, 2021. However, it is virtually certain that they will expire in 2023, as the California Legislature will be precluded from amending CPRA to decrease the rights of personnel or business contacts under the limitation mentioned above.

All of this is happening just as the CCPA is about to become enforceable on July 1, 2020, with the final regulations having been submitted for approval by the California Office of Administrative Law only a few weeks ago.

The next few months will undoubtedly generate many new questions about how businesses should approach CCPA compliance in the face of these impending and potential changes. The Data Privacy and Cybersecurity Team at Squire Patton Boggs is here to help clients evaluate their regulatory requirements and risks, and determine the best approach for their businesses. Please reach out to the authors of this article or your usual SPB contact if you require assistance or have any questions.

© Copyright 2020 Squire Patton Boggs (US) LLPNational Law Review, Volume X, Number 182

TRENDING LEGAL ANALYSIS


About this Author

Michael Kelly Employment Litigation Attorney Squire Patton Boggs San Francisco, CA & Palo Alto, CA
Partner

Michael Kelly has experience in employment litigation, counseling, collective bargaining and arbitration. His practice includes state and federal employment litigation regarding wage and hour issues, age and disability discrimination, sexual harassment and retaliation.

In addition to experience with issues arising under the National Labor Relations Act, Michael has extensive litigation experience with various issues arising under the Railway Labor Act and the WARN Act.

Michael’s recent experience includes representing a national distribution and business service company in...

415-954-0375
Lauren Kitces Data Privacy & Cybersecurity Attorney Squire Patton Boggs Washington DC
Associate

Lauren Kitces is a member of our Data Privacy & Cybersecurity Practice, where she provides business-oriented privacy and cybersecurity advice to a wide range of clients, leveraging her in-house experience to provide mindful guidance. She has strong international experience, which she uses to help translate pre-existing international efforts into US regulatory compliance. Lauren enjoys the nuance and complexities that come with being in a field that is still evolving and forming both nationally and internationally.

Lauren utilizes her analytical thought-process and over 10 years of legal and industry experience to provide clients with sound analysis of multifaceted privacy matters. She has an ability to efficiently address and manage substantive and procedural issues. She has skillful knowledge of subject matter in several areas of privacy, including the California Consumer Privacy Act (CCPA,) General Data Protection Regulation (GDPR) and cross-border data transfers.

Lauren has advised on and facilitated CCPA compliance programs and all facets of CCPA remediation across a range of industries, including for ad-tech, financial services, technology, automotive and retail. She regularly drafts and advises on privacy materials, such as externally and internally-facing privacy notices, corporate policies and training materials.

Lauren also addresses complex matters related to Privacy Shield applications and compliance, leveraging her cross-border knowledge and experience to provide clients with a holistic and informed perspective.

Prior to joining the firm, Lauren worked in-house advising a global risk management, insurance brokerage, advisory and benefits administration company on both US and international data privacy. She was a key figure in implementing corporate compliance with the GDPR, and assessing and managing compliance with myriad other data privacy laws, including the CCPA, Chinese Cybersecurity Law and Brazilian General Data Protection Law.

While her day-to-day work may focus on the current legal requirements, Lauren also stays well-informed of proposed, upcoming and evolving state, national and international privacy laws and requirements.

A passionate contributor to the privacy community, Lauren is regularly sought out for her perspective and is an active public speaker. Lauren is a Certified Information Privacy Professional (CIPP/US). She served as a Chair of the DC IAPP Chapter from 2018-2019 and remains an active participant in the IAPP through her local DC Chapter and the Women Leading Privacy section. She enjoys the opportunity to connect with and learn from others in the privacy industry, and to help those developing in the industry to grow and advance.

202-457-6427
Lydia de la Torre Data Privacy & Cybersecurity Attorney Squire Patton Boggs Palo Alto, CA
Of Counsel

Lydia de la Torre provides strategic privacy compliance advice related to US and EU privacy, including data protection and cybersecurity law, General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), other state’s privacy and cyber laws, US financial privacy laws, and marketing and advertising compliance, as well as information security. She also represents clients in investigations with an eye toward helping them avoid litigation.

Lydia’s work in-house and with organizations has run the gamut, from pre-IPO start-ups to mature Fortune 500 companies, in a...

650-843-3227