The CPRA Will Bring New Rights, Responsibilities and Regulators to California Data Privacy Law
In less than a month, Californians will vote on a consumer privacy ballot initiative, the California Privacy Rights Act (“CPRA”). The California Consumer Privacy Act (“CCPA”) went into effect on January 2, 2020, and the state Attorney General (“AG”) began enforcing the law’s provisions on July 1, 2020. While the AG and others have touted the CCPA as “groundbreaking,” the activists behind the original CCPA initiative in 2018 maintained that California’s privacy law was a baseline and that consumers deserve additional rights. If the CPRA initiative is successful, most of its provisions will go into effect on January 1, 2023, and the CCPA would remain in effect until then.
In 2018, a ballot initiative was proposed to create consumer privacy protections. Activists, business interests, and state legislators were able to convince the creators of the ballot initiative to drop the proposal in favor of allowing the CCPA to be passed. Because the CCPA was legislatively enacted, significant amendments were considered and some passed. However, if the CPRA is approved by California voters and becomes state law, it could not be readily amended without further voter action. Recent polling indicates that the CPRA is likely to pass.
Below are some of the more significant changes that the CPRA will bring to legal enforcement, consumer rights and the obligations of the business community.
The CPRA moves away from the existing American model of state Attorneys General enforcing the privacy law, proposing instead a new state agency, the California Privacy Protection Agency. Like the “Supervisory Authorities” under the GDPR, this agency would be charged with enforcing only the California data privacy law. The agency would also have a dedicated funding stream to support its enforcement tasks. The proposed agency would be composed of five members appointed by various governmental stakeholders, including the Governor, the Attorney General, the State Senate, and the Speaker of the Assembly.
Sensitive Personal Information
The CPRA would create a new category of “sensitive personal information” that requires distinct treatment. Sensitive personal information is defined to include social security numbers, financial information, geolocation, genetic data, and other biometric information. The distinct treatment includes granting consumers the right to limit the disclosure and use of sensitive personal information except as “necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods and services.” Clear and conspicuous links would need to be provided so that consumers are able to exercise this right.
The CPRA requires businesses to abide by the representations they make under its new disclosure requirements. Businesses would be required to disclose how long they will retain personal information, the purposes for which they collect personal information, and the volume of personal information collected. Misrepresentations, or breaches of those representations, would constitute a statutory violation.
Like the GDPR, the CPRA would grant consumers the right to correct inaccurate personal information. Upon a verifiable consumer request, businesses would be required to use commercially reasonable efforts to correct inaccurate personal information about a California resident. The CPRA also follows the GDPR’s lead in introducing data minimization on a larger scale. Specifically, the CPRA would require that a business’s collection, use, retention, and sharing of a consumer’s personal information be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.” The GDPR prevents EU citizens from being subject to solely automated decision-making processes; the CPRA would likewise grant consumers the right to opt out of automated decision-making.
If the CPRA becomes law, the new enforcement agency could administer fines of $2,500 for each statutory violation, or up to $7,500 for each intentional violation or violation involving children’s personal information.