August 4, 2020

Volume X, Number 217

‘CCPA 2.0’ Initiative Qualifies for CA General Election Ballot

On June 24, the California Secretary of State announced that the California Privacy Rights Act (CPRA) has qualified as a statewide ballot initiative to be listed on this November’s General Election ballot.

The announcement follows official confirmation that the nonprofit group behind the ballot initiative, Californians for Consumer Privacy, obtained in excess of the 623,212 signatures needed in order to qualify for the statewide ballot. This was verified by county elections officials via a random sample method.

What is CPRA? 

CPRA is sometimes referred to as “CCPA 2.0” because it builds on the California Consumer Privacy Act (CCPA) to afford California residents more control over their personal information (PI) and to impose additional obligations on in-scope businesses.

Similar to the CCPA, CPRA, if passed, would have a wide-ranging national and international impact well beyond California-based businesses. CPRA, like the CCPA, applies to organizations that meet certain eligibility thresholds and process California residents’ PI. An organization does not need to have offices or employees in California to be subject to CPRA.

Some of the key changes under CPRA are:

  • Establishment of a California Privacy Protection Agency for enforcement;

  • Extension of the CCPA’s employee and business-to-business PI exemptions until 2023;

  • Elimination of the CCPA’s allowance for businesses to have 30 days to cure violations after being notified of alleged non-compliance (Under CPRA, the 30-day cure period is reserved only as a means of preventing individual or class-wide statutory damages as part of a private right of action for security violations);

  • Limitations on the authority of the Legislature to amend the privacy law;

  • Definitions and restrictions around sensitive PI, precise geolocation, and cross-context behavioral advertising; and

  • New rules in relation to contractual flow downs, notifying consumers of PI retention periods, and updates to the definitions of “business” and “publicly available information.”

For a more detailed summary of the key features of the CCPA 2.0 ballot initiative, see Greenberg Traurig’s January 2020 client alert.

What happens if CPRA passes in November? 

Organizations subject to CPRA will have until January 2023 to take the necessary steps to come into compliance with the new data protection law. Pursuant to CPRA, during this period the California Privacy Protection Agency will be established and issue guidance on various key issues on the application of CPRA.

Is CPRA the same as the CCPA Regulations?

No, these are separate items. In early June, the Office of the California Attorney General (OAG) submitted its finalized CCPA regulations to the California Office of Administrative Law for expedited review. For more information, see our update on the CCPA Regulations here.

Whereas the OAG will begin enforcing the CCPA on July 1, the highly detailed regulations that accompany the law technically cannot be enforced until the administrative law review is complete. Without an expedited review and alteration of the normal effective date schedule, the regulations will not take effect until Oct. 1.

The CPRA ballot initiative, conversely, is independent of the CCPA and its regulations, in that it will be voted on by California voters as part of the November ballot, and would update the CCPA following its successful passage.

©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 178


About this Author

Of Counsel

Darren J. Abernethy is a data privacy attorney with more than a decade of experience, including in private practice in Washington, D.C. and as in-house counsel at startups and a leading privacy technology vendor. He advises clients on matters related to advertising technology, privacy and data governance, and FTC best practices.

Darren focuses on the California Consumer Privacy Act (CCPA), the European Union General Data Protection Regulation (GDPR)/ePrivacy, digital advertising, direct marketing, and product counseling.

Gretchen A. Ramos is Co-Chair of the Data, Privacy & Cybersecurity Practice and focuses her practice on privacy, cybersecurity, and information management. A creative problem-solver with a long track record of success in commercial disputes, she never loses sight of the simple fact that she works in a service industry. Clients appreciate not only her legal skills, but also her direct, no-nonsense approach to client service, including her bullet-pointed emails, snapshot executive summaries, and creativity in finding ways to streamline communications for in-house counsel with dozens of other projects—and little time—on their hands.

Gretchen’s clients come from diverse industries, including technology (SaaS), health care and life sciences, consumer products, manufacturing, academic institutions, and non-profits. She provides clients with practical business advice on compliance with state and federal U.S. laws, GDPR, APEC, and other global privacy laws in relation to their external and internal privacy and security procedures, product and app development, and advertising practices. Gretchen also regularly drafts and negotiates contracts concerning data-related vendors, assists clients in assessing privacy risks in corporate transactions, and provides guidance on and conducts privacy and security assessments. She has managed dozens of data breaches, and helps clients prepare for and immediately respond to security incidents and breaches.

Gretchen works closely with her clients to manage data and leverage its value in ways to meet compliance obligations as well as deliver value to the business and instill consumer trust. Her experience working with various industries allows her to quickly assess options and risks, and guide clients, including numerous genomic data companies, in resolving complicated privacy issues.

Gretchen has litigated, mediated, and arbitrated commercial disputes, including class actions, at state and federal courts nationwide, and has tried numerous cases to verdict. Her wide-ranging litigation background allows her to advise clients on the litigation risks they face in determining how to handle data privacy issues. In addition to providing compliance advice, Gretchen defends companies facing FTC and other regulatory investigations, and individual and class action claims involving privacy, information security, and consumer protection.


  • EU GDPR compliance

  • Cross-border transfer mechanisms (Standard Contractual Clauses, Privacy Shield, Binding Corporate Rules), and data processing agreements

  • FTC CIDs, State Attorney General investigations

  • Behavioral advertising, automated processing and profiling

  • Security breach response and notification

  • DPIAs and addressing complicated privacy issues relating to product development


  • Privacy and security gap assessments

Kate Black Shareholder GT Law Miami SF Data, Privacy & Cybersecurity Life Sciences & Medical Technology IP Technology Licensing & Transactions

Kate Black’s practice focuses on data privacy, information protection, and commercial transactions in consumer technology, digital health, life sciences, and genetics. Kate provides companies with comprehensive, practical strategies for meeting their regulatory obligations while building and maintaining public trust and advancing innovative and emerging models of health care research and delivery. She’s managed every aspect of global privacy programs, including supervising privacy assessments, providing product strategy and counseling, managing complex vendor and partner agreements, and...