The California Privacy Rights Act (CPRA), a proposed initiative to codify far-reaching amendments to the California Consumer Privacy Act (CCPA) and sometimes referred to as “CCPA 2.0”, is back in play and heading to the November 2020 ballot. A series of dramatic procedural twists and turns culminated with initiative backers successfully obtaining a writ of mandate directing the Secretary of State to direct counties to verify signatures for the ballot proposal by the June 25th Constitutional deadline. This verification involved each county conducting a random sample of the more than 800,000 signatures that proponents had submitted to place the initiative on the ballot.
Before the California court’s ruling, observers were skeptical that signatures could be verified before the deadline. Initiative proponents were almost two weeks behind the recommended schedule when they delivered signatures to be verified by California’s 58 counties. This meant counties had until June 26th to verify signatures — a day after the June 25th Constitutional deadline. Experience with other initiatives this year had shown that several large counties were waiting until the deadline to complete verifications, so proponents petitioned the court to push the deadline up by a day in order to meet the Constitutional deadline. The court agreed to do so, finding good cause existed to force counties to complete verifications a day early. And, as it happened, the extra time was not needed, as counties finished the count two days ahead of their initial deadline.
Next Steps – Initiative Likely to Pass, But Critics Have Been Vocal
CPRA will be on the ballot this November and has a strong chance of passing. According to polls conducted by proponents in late 2019, 88 % of California voters reported they would vote in favor of the initiative. Nevertheless, many oppose the initiative – including some proponents of the original CCPA – because it will rewrite much of the CCPA before Californians and the business community have much of an opportunity to see how it works. The CCPA went into effect on January 1, 2020, regulations have been proposed as final but not yet been finalized, and July 1st is the first day that the Attorney General can bring any enforcement action. Arguments against the initiative were heard at a June 19th hearing in the state Assembly which was required under state initiative law, but is not expected to result in the initiative being pulled from the November 2020 ballot.
Impacts on Businesses if Voters Approve CPRA
If the CPRA passes, businesses will need to gear up to comply with several amendments to the CCPA that go into effect January 1, 2023. In the short term, the CPRA will help businesses by preserving through 2022 the employee and business-to-business exemptions that are otherwise scheduled to sunset on December 31, 2020.
Substantively, the CPRA will usher in a new era in California privacy law through the creation of the first state data privacy agency in the United States, with the power to implement and enforce the amended CCPA. It will also change the CCPA in several significant respects, some of which we highlight below:
New Duties Imposed on Businesses That Collect Personal Information and Their Service Providers.
Data Minimization. The business’s collection, use, retention and sharing of personal information would be required to be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.” Proposed Cal. Civ. Code § 1798.100(a)(3). 1
Data Retention Disclosure. Businesses would be required, at or before the point of collection, to inform consumers as to the length of time the business intends to retain each category of personal information. Id.
Deletion Requests Sent to Third Parties and Service Providers. Businesses would be required to communicate deletion requests to third parties to whom the business has sold or shared such personal information, to delete the consumer’s personal information, unless this proves impossible or involves disproportionate effort.” § 1798.105(c)(1). Service providers would be required to do the same with any of their service providers, contractors, or third parties. § 1798.105(c)(3).
Data Security and Cooperation with Data Subject Requests Codified for Service Providers and Third Parties. The CPRA would require businesses to contractually bind service providers, contractors and third parties to cooperate with responses to data subject requests and to maintain the same level of privacy protection (e.g., reasonable security) as is required of businesses under CCPA. § 1798.100(d). This may not be a significant change as a practical matter, as many businesses have already included such provisions in CCPA service provider addendums and related contracts.
New Rights for Sensitive Personal Information
CPRA would add a new category of “sensitive personal information” to the CCPA and give consumers the ability to opt-out of the sharing or sale of that information, in ways similar to the existing CCPA right to opt out of the “sale” of personal information generally.
“Sensitive personal information” is defined under the CPRA with reference to specific categories of data that include, without limitation, precise geolocation data, social security and passport numbers, financial account information, customer log-in data with a password, information revealing racial or ethnic origin, religious or philosophical beliefs, or union membership; health data; and the content of a consumer’s mail, email, and text messages unless the business is the intended recipient. See § 1798.140(v)(L)
Businesses would need to make separate disclosures for sensitive personal information (§ 1798.100(a)(2)) and provide opt-out rights allowing consumers to stop businesses from using or disclosing personal information through an additional opt-out link entitled “Limit the Use of My Sensitive Personal Information.” §§ 1798.121(a) and 1798.135(a)(2).
Opt-In Consent to Share for Cross-Context Behavioral Advertising or Sell Children’s Information. A business would be prohibited from sharing for cross-context behavioral advertising or selling personal information of children under 16 years old without consent of a parent (under 13) or the child (13 to 15 year olds). Additionally, fines for violations involving the personal information of minors would be increased and would apply to service providers, contractors and others. §§ 1798.120(c), 1798.199.90.
Behavioral Advertising Opt-Out. Consumers would be able to opt out of cross-context behavior advertising through an additional opt-out option entitled “Do Not Sell/Do Not Share/Do Not Share My Personal Information for Cross-Context Behavioral Advertising.” § 1798.185(a)(19). The CPRA defines cross-context behavioral advertising as the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts. § 1798.140(k).
Annual Cybersecurity Audits and Regular Risk Assessments for High Risk Data Processors. Businesses whose processing of consumers’ personal information “presents a significant risk to consumers’ privacy or security” would be required to perform annual cybersecurity audits and submit to the new California data protection agency, “on a regular basis,” risk assessments weighing the benefits of processing personal information to the business, the consumer, other stakeholders, and the public, against the potential risks to the consumer. § 1798.185(a)(15).
Expands Data Breach Liability to Include Email Addresses With Passwords. CPRA extends potential liability for data breaches beyond current California law by expanding the private right of action to include data breaches involving email addresses with a password or other security questions and answers that would permit access to the account. § 1798.150(a)(1). This is a potentially significant expansion, as emails and passwords are often involved in data breaches.
Businesses Subject to CCPA. CPRA would modify the definition of, and create the following new categories of, a “business”:
Joint Venture/Partnerships: “A joint venture or partnership composed of businesses in which each business has a least a 40 percent interest.” There is no requirement of co-branding. The joint venture or partnership and each business “that composes [sic] the joint venture or partnership shall separately be considered a single business.” However, personal information “in the possession of each business and disclosed to the joint venture or partnership “shall not be shared with the other business.” § 1798.140(d)(3).
Self-Certifying Entities: Businesses that do not meet the threshold criteria to qualify as a CCPA business could voluntarily certify that they are compliant with the CCPA and agree to be bound by the law. Their names will be made available to the public. § 1798.140(d)(4).
Reasonableness Requirement for Common Branding: The “common branding” element of the existing alternative definition of a “business” that controls or is controlled by another business that does business in California and meets CCPA monetary or data thresholds would be modified to include a requirement that “the average consumer would understand that two or more entities are commonly owned.” § 1798.140(d)(2).
Compliance Efforts Should Begin Soon After Passage
While most of the CPRA would not go into effect until January 2023, obligations of businesses with respect to the personal information covered by the amended CCPA would relate to personal information collected beginning in January 2022. § 1798.130(a)(2)(B).
1 All code references hereinafter are to the CPRA’s proposed amendments to California Civil Code.