August 8, 2020

Volume X, Number 221

August 07, 2020

Subscribe to Latest Legal News and Analysis

August 06, 2020

Subscribe to Latest Legal News and Analysis

August 05, 2020

Subscribe to Latest Legal News and Analysis

California Screamin’ – Privacy Rollercoaster Becoming Steeper for Businesses

As the CCPA enforcement date of July 1, 2020 approaches next week, California privacy rights were already on the minds of many businesses. However, just as organizations wrap up month and year-long projects to address those costly and onerous requirements, the CCPA may be “old news.” Expanded California privacy rights (together with yet more resource and time-intensive compliance projects for businesses) may be coming---we will have to wait until November to find out. Yesterday, June 24, 2020, the California Secretary of State announced that “CCPA 2.0” or the California Privacy Rights Act of 2020 (“CPRA”) has enough valid signatures and will appear on the November 2020 ballot.  

A similarly styled ballot initiative was the driving force behind the CCPA. The 2018 initiative (which was led by the same consumer privacy organization as the CPRA) also received enough verified signatures to appear on the November 2018 ballot. However, due to nuances in California Election Code, legislators were able to quickly draft what we now know as the CCPA, with the understanding from the sponsors of the ballot initiative that if the CCPA was enacted into law, the ballot initiative would be dropped (the thought being that a hastily drafted law was better than the rigid ballot measure which state legislators cannot amend once voted into law). For this 2020 ballot initiative pushing forth the CPRA, the window of opportunity has now closed for any such last-minute negotiation or intervention by legislators and the CPRA will be put to vote this November. If adopted by California voters, the CPRA would become effective on January 1, 2023 and apply to personal information collected by businesses on or after January 1, 2022. Certain technical provisions would take effect shortly after election day. The CPRA would present expanded rights for consumers, more similar to those available under the EU General Data Protection Regulation, as well as stiffer penalties for non-compliance. Below we highlight some of the many changes the CPRA would introduce.  

Employee and B2B data

The CPRA would retain the limited exceptions to certain requirements for personal information collected in the employment and business contexts, which currently apply under the CCPA until the end of 2020. Those exceptions would sunset for the CPRA on January 1, 2023.  

Sensitive Personal Information; Limits on Use

The CPRA would create a new category of “sensitive personal information” and California residents would have more rights to restrict or limit how businesses can use or disclose that data. The term includes Social Security number, driver’s license number, passport number, financial account information, precise geolocation, race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information, and information about sex life or sexual orientation.  

Increased transparency

The CPRA would create new disclosure obligations for businesses. Under the CPRA, businesses likely would need to update their privacy statements again, to include new disclosures not currently required under the CCPA or CalOPPA, including the types of sensitive personal information collected and whether such sensitive information is sold or shared and how long (time period) the business intends to retain personal information or the criteria to determine the retention period.

Minors

As with the CCPA, the CPRA would require businesses to obtain opt-in consent to sell or share data pertaining to California residents under age 16. However, under the CPRA, companies could be subject to triple the fines currently set forth in the CCPA for violation of this specific obligation.

A New Regulator in California; Enforcement

The CCPA is set to be enforced by the California Attorney General. The CPRA would establish the California Privacy Protection Agency to implement and enforce the law. The CPRA would also eliminate the 30-day cure period following notice of alleged non-compliance with the law, an important measure currently provided under the CCPA.  

Privacy Rights (Updates to Existing Rights and New Rights)

The CPRA would introduce new rights for consumers, such as the right to restrict use and disclosure of sensitive personal information (as described above) or to correct or amend personal information the consumer believes to be inaccurate. The CPRA would expand existing rights, including an extension of the lookback period beyond 12 months for a “Right to Know” request (which may require businesses to overhaul their consumer rights processes to accommodate the new “lookback period”). Businesses would still need to use commercially reasonable efforts to comply with a verifiable request.  

Data Breaches

The CPRA would also amend the CCPA’s data breach liability provision. As amended, data breach obligations would also be triggered where a consumer’s email address is compromised in combination with a password or security question and answer that would permit access to the consumer’s account, which further aligns with the state’s consumer breach notification law.

As entities continue to navigate the economic crisis and the pandemic, compliance with California privacy laws may yet become even more complicated, between proposed amendments to the CCPA via AB-3119, which could further limit how businesses can share personal information and require prior consent in certain cases and the expansive amendments that would apply if the ballot measure is passed by votes. If enacted, the CPRA will set forth new privacy compliance tasks for regulated businesses, many of whom are already taxed handling return-to-work privacy concerns and implementing practices to address the final proposed CCPA regulations, including create additional rights that will likely require changes in practices that were designed for the CCPA as it exists today. 

Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.National Law Review, Volume X, Number 177

TRENDING LEGAL ANALYSIS


About this Author

Tara Cho CIPP/US CIPP/E Data Security Attorney Womble Bond
Partner

Tara focuses her practice on privacy and data security issues across multiple industries such as technology, retail, e-commerce, and life sciences, with an emphasis on compliance risks and regulatory requirements affecting the healthcare sector. Tara became certified as a legal specialist in Privacy and Information Security Law by the North Carolina State Bar Board of Legal Specialization in 2018 as part of the inaugural class of specialists in this field – one of just 10 attorneys in the state to hold this certification.

She helps clients with all aspects of privacy and data...

919-755-8172
Theodore Claypoole, Intellectual Property Attorney, Womble Carlyle, private sector lawyer, data breach legal counsel, software development law
Senior Partner

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addressed information security risk management, and cross-border data transfer issue, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.

Ted currently serves as Chair of the American Bar Association’s Cyberspace Committee in the Business Law Section, and has recently co-authored the books  Privacy in the Age of Big Data: Recognizing Threats, Defending Your Rights and Protecting Your Family and Protecting Your Internet Identity: Are You Naked Online? with Theresa Payton.

His practice includes media and advertising issues, especially online, mobile platforms and on social networks. He solves legal problems in payment systems and financial data processing. Advising clients on complex intellectual property development and licensing programs, he builds strategic technology and marketing alliances.

704-331-4910
Nadia Aram, Womble Carlyle, Intellectual Property Attorney, technology licensing lawyer, commercial agreements legal counsel, private securities law
Associate

Nadia advises clients in a variety of business transactions involving the use and commercialization of intellectual property and technology. She has experience drafting and negotiating a broad variety of contracts, including technology licenses, services, consulting and other complex commercial agreements to help clients realize the value of their assets day-to-day, and as part of strategic product and technology acquisitions and divestitures. Nadia also practices in the areas of franchise law, and advertising, sweepstakes & promotions law, including advising clients...

919-755-2119
Taylor Ey, Intellectual property attorney, Womble Carlyle, Law Firm
Associate

Taylor is an associate in the Intellectual Property Practice Group in Womble Carlyle’s Research Triangle Park Office.

Education

J.D. | 2016 | Wake Forest University School of Law | cum laude | Notes and Comments Editor, Wake Forest Law Review, 2015-2016 | Teaching Assistant, Legal Analysis, Writing and Research I & II, Writing for Judicial Chambers

M.S. |2012 | The Ohio State University | Biomedical Engineering

B.S. | 2011 | The Ohio State University | Biomedical Engineering | Minor, Life Sciences | cum laude

919-484-2306
Dominic Dhil Panakal Womble Atlanta
Associate

Dominic is a member of the firm’s IP Transactions, FinTech, and Privacy and Cybersecurity practices.

Dominic advises clients on international and domestic data privacy laws.  He also assists in drafting Software as a Service agreements, privacy policies, terms of use, and licensing contracts.

404.879.2481