UPDATE: Soon after we published the post below, we learned that the sponsors of the California Privacy Rights Act (CPRA) – i.e., the ballot initiative that aimed to amend and significantly expand the California Consumer Privacy Act (CCPA) – intend to push forward with their attempt to get it on the ballot this year. On May 4th, the initiative’s sponsors, the Californians for Consumer Privacy, announced on Twitter they were submitting to counties across the state. Whether county election officials can verify the signatures in time to qualify for the November 2020 ballot remains to be seen. While conventional wisdom is that the recommended April deadline is an important one to make, the approval process may be different this year due to the COVID-19 pandemic and how it might affect the availability of resources to approve initiatives. We will continue to monitor this situation and provide updates on Data Matters as appropriate.
The California Privacy Rights Act (CPRA), the ballot initiative that aimed to amend and significantly expand the California Consumer Privacy Act (CCPA), including by creating the California’s very own data protection authority, the nation’s first, appears to be dead–at least for this ballot season.
To qualify for November’s ballot, the CPRA’s supporters needed to submit for verification more than 620,000 signatures by April 21st. This they did not do. This deadline is important because county election officials need enough time to verify signatures and allow the Secretary of State to qualify a ballot measure by the Constitutionally-mandated June 25th deadline. Thus, as a practical matter, the inability to meet the recommended April 21st deadline likely means CPRA – sometimes referred to as CCPA 2.0 – will not appear on the November 2020 ballot.
While businesses likely welcome the fact that they will not have to undertake efforts to comply with a new set of privacy regulations, less welcome is the fact that the failure of the CPRA means that the initiative’s two-year extension of the CCPA’s exemptions for employee and B2B data will go away. With those exemptions currently set to expire on January 1, 2021, businesses may thus find themselves needing to provide employees, job applicants, contractors, and business contacts with the full menu of CCPA data subject rights (e.g., copies and deletion of personal information) soon.
The ball is thus in the California legislature’s court. Whether and how the legislature might extend the employee and B2B exemptions remains to be seen, as the legislature is in recess through at least early May and Governor Newsom has already signaled that he does not want to consider legislation that does not relate to COVID-19 recovery efforts.
Businesses subject to the CCPA will need to keep a watchful eye on developments in Sacramento, particularly the fate of the employee and B2B exemptions. Under current legislative deadlines, the Governor will have until September 30th to sign bills into law. In the meantime, it may be prudent for businesses to at least begin thinking about the fact that they might need to respond to access and deletion requests from employees, job applicants, and business contacts in the coming year.