August 7, 2020

Volume X, Number 220

August 06, 2020

Subscribe to Latest Legal News and Analysis

August 05, 2020

Subscribe to Latest Legal News and Analysis

August 04, 2020

Subscribe to Latest Legal News and Analysis

New California Privacy Ballot Initiative Would Expand the CCPA

A proposed ballot initiative in California known as the California Privacy Rights Act, which is likely to pass if placed on the 2020 ballot, would both clarify and expand the existing California Consumer Privacy Act. Companies doing business in the state should closely monitor these developments and prepare for compliance, as we outline in this article.

IN DEPTH


A California ballot initiative known as the California Privacy Rights Act (CPRA) would clarify and expand the California Consumer Privacy Act (CCPA), granting significant new rights to consumers and imposing additional liability risks on companies doing business in the state. The CPRA is an update to the California Privacy Rights and Enforcement Act (CPREA) ballot initiative, which was proposed in late 2019 by Californians for Consumer Privacy and which also sought to broadly amend the CCPA and prevent changes to it that would undermine its consumer protections.

The proposed ballot initiative, submitted by the architects of the CCPA, garnered 900,000 signatures, far more than the roughly 625,000 necessary for certification on the 2020 ballot. Early polling reportedly shows strong support for the measure, so assuming the signatures are approved and the CPRA is placed on the ballot, it is considered likely to pass and to take effect on January 1, 2023.

The CPRA proposes a myriad of changes, and this article will not address them all. What follows is a discussion of the most significant changes for businesses and consumers in California, followed by enforcement and implementation considerations.

New Clarifications, Rights and Responsibilities

In a number of areas, the CPRA would modify the current CCPA in ways that are likely to be welcomed by companies grappling with the often ambiguous and unclear obligations under the current law:

  • “Personal information” would no longer include information that is manifestly made public by the individual or the media.

  • Businesses that receive deletion requests would be expressly permitted to maintain records of these requests for compliance purposes.

  • Consumers could no longer require a business to generate a list of “the categories of personal information it has collected about that consumer” in response to access requests.

  • “Service providers” and “contractors” (a new term that appears to replace the “third party” contract provisions) would not need to respond directly to consumer requests to access or delete information.

However, these changes are largely overshadowed by the initiative’s imposition of significant new rights for consumers and responsibilities for businesses subject to the CCPA. These include the following requirements:

  • Businesses would need to contend with a new opt-out right to “Limit the Use of My Sensitive Personal Information,” which would require enhanced scrutiny of business practices involving certain “sensitive” categories of information. These sensitive categories of information are reminiscent of (but broader than) the categories of information typically regulated by US data breach notification statutes or considered “special categories” under the EU General Data Protection Regulation. For purposes of the CPRA, “sensitive” categories will include certain government identifiers (Social Security number, driver’s license, state identification card or passport number); a consumer’s account log-in, financial account, debit card or credit card number in combination with any required code or password to access the account; precise geolocation information; a consumer’s racial or ethnic origin, religious or philosophical beliefs or union membership; the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; genetic data; biometric information that is used to uniquely identify a consumer; health information; and information about a consumer’s sex life or sexual orientation.

  • The existing right to opt out of the “sale” of information would explicitly apply to any personal information that is “shared” for behavioral advertising purposes, resolving a debate over the applicability of the “sale” provisions to the online advertising ecosystem.

  • In addition to the CCPA’s obligation to maintain reasonable security for a subset of sensitive categories of personal information (as defined in California’s data breach notification law, and enforceable by the CCPA’s private right of action for individuals affected by data breaches), the CPRA would create an affirmative requirement for businesses to maintain reasonable security for all categories of personal information as defined in the CCPA.

  • A new right that permits California consumers to have inaccurate personal information corrected, in addition to the rights to access and delete personal information granted by the CCPA.

Enforcement and Amendments

In addition to its substantive changes, the proposed initiative would significantly alter the way the CCPA is enforced and implemented. Although the proposal would not create a new private right of action, it would create a new administrative agency, the California Privacy Protection Agency (Agency), which would be governed by a five-member board appointed by a combination of the California governor, attorney general, Senate Rules Committee and speaker of the assembly. Once the CPRA goes into effect, the attorney general may still bring civil actions for violations of the CCPA; however, the Agency would be vested with full administrative power, authority and jurisdiction to implement and enforce the CCPA and adopt regulations to further the purpose of the CCPA.

Unlike the original CCPA ballot initiative, which would have required a supermajority to amend, the new initiative would be subject to amendment by the California legislature through the normal legislative process, with one major caveat: the laws must be “consistent with and further the purpose” of the initiative. Should the initiative pass, this provision could significantly limit further amendments to the CCPA, and is likely to engender debate over what changes do or do not “further the purposes” set out in the initiative.

If passed, the CPRA will have significant impact on companies doing business in California. As companies continue to evaluate their compliance posture with the CCPA, they should also closely monitor developments with the CPRA and begin preparations for compliance.

© 2020 McDermott Will & Emery
National Law Review, Volume X, Number 141

About this Author

Laura E. Jehl
Partner

Laura Jehl serves as global head of the Firm’s Privacy and Cybersecurity Practice. Focusing on the intersection of data, law and emerging technologies, Laura advises clients on a broad range of privacy and cybersecurity issues. She has extensive experience identifying and mitigating privacy and data protection issues arising out of the collection, use and storage of data as well as the design of new business models, products and technologies. With unique experience as a former senior in-house counsel and C-suite executive, she understands the business, legal and technological challenges...

202-756-8930
Austin Mooney Cybersecurity Attorney
Associate

Austin Mooney focuses his practice on global privacy, cybersecurity, and emerging technologies. A Certified Information Privacy Professional/Europe, he is experienced in helping clients navigate US and international data protection law, including the GDPR. He is well versed in consumer privacy actions, as well as in compliance issues with the Foreign Intelligence Surveillance Act (FISA) and other federal surveillance law. He counsels clients on a wide range of topics, including consumer protection law, cross-border data flows, and data breach response and prevention.

CREDENTIALS

Education

George Washington University Law School, JD, 2017
New College of Florida, BA, Philosophy, 2014

Admissions

District of Columbia

202-756-8781
Amy C. Pimentel, Global Privacy Staff Attorney, McDermott Will & Emery Law Firm
Associate

Amy Pimentel is an associate in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Boston office.  Amy is a member of the Firm’s Global Privacy and Data Protection Affinity Group.  She focuses her practice on consumer protection, privacy, information security and international law.

Amy received her J.D. in 2014 from Northeastern University School of Law.  While in law school, Amy worked at the U.S. Department of Justice in the Office of International Affairs and interned for a judge at the International Criminal Tribunal...

617-535-3948