May 42020

Stay At Home Orders May Have Killed California’s Ballot Initiative to Expand CCPA [**Update – But Californians for Consumer Privacy Say Maybe Not**]

Sheri Porath Rockwell, Christopher Fonzone and Christopher D. Joyce
, , , ,

UPDATE:  Soon after we published the post below, we learned that the sponsors of the California Privacy Rights Act (CPRA) – i.e., the ballot initiative that aimed to amend and significantly expand the California Consumer Privacy Act (CCPA) – intend to push forward with their attempt to get it on the ballot this year.  On May 4th, the initiative’s sponsors, the Californians for Consumer Privacy, announced on Twitter they were submitting to counties across the state.  Whether county election officials can verify the signatures in time to qualify for the November 2020 ballot remains to be seen.  While conventional wisdom is that the recommended April deadline is an important one to make, the approval process may be different this year due to the COVID-19 pandemic and how it might affect the availability of resources to approve initiatives.  We will continue to monitor this situation and provide updates on Data Matters as appropriate.    

The California Privacy Rights Act (CPRA), the ballot initiative that aimed to amend and significantly expand the California Consumer Privacy Act (CCPA), including by creating the California’s very own data protection authority, the nation’s first, appears to be dead–at least for this ballot season.

To qualify for November’s ballot, the CPRA’s supporters needed to submit for verification more than 620,000 signatures by April 21st.  This they did not do.  This deadline is important because county election officials need enough time to verify signatures and allow the Secretary of State to qualify a ballot measure by the Constitutionally-mandated June 25th deadline.  Thus, as a practical matter, the inability to meet the recommended April 21st deadline likely means CPRA – sometimes referred to as CCPA 2.0 – will not appear on the November 2020 ballot.

While businesses likely welcome the fact that they will not have to undertake efforts to comply with a new set of privacy regulations, less welcome is the fact that the failure of the CPRA means that the initiative’s two-year extension of the CCPA’s exemptions for employee and B2B data will go away.  With those exemptions currently set to expire on January 1, 2021, businesses may thus find themselves needing to provide employees, job applicants, contractors, and business contacts with the full menu of CCPA data subject rights (e.g., copies and deletion of personal information) soon.

The ball is thus in the California legislature’s court.  Whether and how the legislature might extend the employee and B2B exemptions remains to be seen, as the legislature is in recess through at least early May and Governor Newsom has already signaled that he does not want to consider legislation that does not relate to COVID-19 recovery efforts.

Businesses subject to the CCPA will need to keep a watchful eye on developments in Sacramento, particularly the fate of the employee and B2B exemptions.  Under current legislative deadlines, the Governor will have until September 30th to sign bills into law.  In the meantime, it may be prudent for businesses to at least begin thinking about the fact that they might need to respond to access and deletion requests from employees, job applicants, and business contacts in the coming year.

Sheri Porath Rockwell

Century City

sheri.rockwell@sidley.com

Christopher Fonzone

cfonzone@sidley.com

Christopher D. Joyce

Miami

cjoyce@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).