CCPA Has Just Gone Into Effect, But Businesses May Need to Prepare for a New California Privacy Law
The California Consumer Privacy Act (CCPA) is not yet one month old, but movement has already started on a new California privacy law. In November 2019, the advocacy group Californians for Consumer Privacy, led by Alastair Mactaggart, the architect of CCPA, submitted a proposed California ballot initiative to the Office of the California Attorney General that would build upon the consumer privacy protections and requirements established by CCPA. In December 2019, as required under state law, California Attorney General Xavier Becerra released a title for and summary of the proposed ballot initiative, which will be known as the California Privacy Rights Act (CPRA).
Key Provisions of the CPRA
CPRA seeks to give California consumers additional control over and protection of their personal information in five core ways.
CPRA would require businesses to disclose when and how automated decision making is used for decisions that significantly affect a consumer’s life, such as decisions relating to housing and employment.
CPRA would create strengthened protections for children’s personal information by tripling the maximum penalties for improper collection and sale of the personal information of consumers under age 16.
CPRA would define a new category of sensitive personal information under California law. Sensitive personal information would include information relating to finances, biometrics, health status, geolocation, religion, race, union membership and private communications. Under CPRA, California consumers would have the right to prohibit the use of sensitive personal information for advertising or marketing.
CPRA would create new disclosure obligations and require businesses to abide by the representations made in their disclosures. Under CPRA, businesses would be required to disclose the period of time for which they will retain personal information, the reasons for which they collect personal information and the amount of personal information collected. Businesses would be in violation of CPRA if they retain information for longer than disclosed, use personal information for a purpose other than the purposes disclosed or use more personal information than is necessary to provide the relevant product or service.
CPRA would establish a new California Privacy Protection Agency, which would be responsible for enforcing and implementing consumer privacy laws and imposing administrative fines. CCPA is enforced by the Office of the Attorney General, whose enforcement resources may be limited. The creation of a dedicated agency would likely allow for much broader enforcement than is currently possible.
Like CPRA, CCPA originated from a ballot initiative started by Californians for Consumer Privacy. In 2018, Californians for Consumer Privacy launched a successful campaign to get a consumer privacy bill on to the November 2018 ballot. After Californians for Consumer Privacy collected enough signatures to get the measure on the ballot, the California legislature preemptively worked with businesses and interest groups to pass a less demanding compromise bill, which become CCPA.
Californians for Consumer Privacy is currently working to gather signatures for the proposed CPRA in order to qualify the bill as a measure on the November 2020 ballot. The group will have to obtain approximately 623,000 signatures, or 5% of the number of individuals who voted in the most recent state gubernatorial election, to get the measure on the ballot. Members of the California legislature, including Senate Majority Leader Robert Hertzberg, have allegedly already voiced support for the measure, creating the possibility of another Legislature-initiated solution even if the initiative fails. The progression of the measure will be an important development to observe in the coming year.