On September 25, 2019, Alastair Mactaggart, the founder of Californians for Consumer Privacy, the organization responsible for the ballot initiative that led to the California Consumer Privacy Act (CCPA), filed an initiative to qualify the California Privacy Rights and Enforcement Act (CPREA) for the state's November 2020 ballot. Companies already in the midst of CCPA compliance preparations may have to contend with expanded obligations if the history of the CCPA (i.e. its origins as a ballot initiative) is repeated. The CPREA would appear to bring the CCPA significantly more in line with key elements of the GDPR, potentially changing the calculus for companies currently evaluating whether and how to harmonize their CCPA and GDPR compliance programs. Moreover, the CPREA could obscure progress being made by the California Attorney General (AG) on the CCPA’s implementing regulations and exacerbate existing confusion about key provisions of the CCPA. (The proposed regulations are expected to be published later this month.) In light of reports anticipating that complying with the CCPA will cost companies $55 billion, developments concerning the CPREA’s progress should be closely monitored, and early opportunities to work through trade associations to make industry views known to key legislators may prove useful.
The CPREA, if enacted as drafted, will make the following changes to the CCPA:
- Enhance protections for a new category of “sensitive personal information” which will include financial, biometric, and precise location information as well as the contents of private communications. In particular, the CPREA will require affirmative, opt-in consent for the sale of such information and will allow consumers to opt out of the use of sensitive personal information for advertising or marketing;
- Prohibit businesses from retaining personal information “for longer than is reasonably necessary to achieve the specific disclosed purpose” for which the personal information was collected (similar to the storage limitation principle of the GDPR) and from collecting personal information that is not “reasonably necessary to achieve the purposes for which it is collected” (similar to the data minimization principle of the GDPR);
- Establish that consumers would have the right to be aware of:
- any processing of personal information for political purposes; and
- automated processing of personal information to determine “eligibility for financial or lending services, housing, insurance, education admission, employment, or health care services,” along with “meaningful information” about the logic used in the automated processing (this right too has been imported from the GDPR);
- Require businesses to:
- enter into contracts with third parties, service providers, and contractors that (1) state that personal information is sold or disclosed for limited and specified purposes, (2) require the third party or service provider to provide at least the level of privacy protection required by the CCPA and notify the business if it cannot, (3) allow the business to audit the third party, service provider, or contractor’s use of personal information and remediate unauthorized uses (the CCPA currently includes none of these requirements); and
- “take reasonable steps” to ensure it does not “collect, retain, or share inaccurate personal information” (roughly similar to the GDPR’s right to rectification);
- Establish the California Privacy Protection Agency, a new agency empowered to issue regulations and enforce the CCPA through administrative actions (civil enforcement will remain with the Attorney General);
- Require service providers to (1) help businesses respond to rights requests, (2) alert businesses when they engage sub-processors, and (3) enter into contracts with such sub-processors (these measures will also bring the CCPA closer into line with the GDPR);
- Require “large data processors” (businesses that collect the personal information of 5 million or more California residents in a given year) to perform annual security audits;
- Clarify that disclosures of personal information relating to “cross-context behavioral advertising” (defined as targeted advertising based on a consumer’s action over time and across websites) would constitute a sale of personal information;
- Extend the scope of CCPA rights requests from 12 months preceding the request to all consumer personal information since passage of the CPREA; and
- Clarify that one member of a household cannot obtain personal information relating to another member of a household without consent.
For companies currently struggling with the absence of exceptions to consumer rights requests for fraud prevention, security or trade secret data, the CPREA appears to offer some relief by clarifying that businesses are not required to disclose in response to an access request: (i) “data generated to help ensure security or integrity”; (ii) trade secrets; or (iii) educational assessment information where access to such information would jeopardize the educational assessment itself.
The CPREA would also: (i) narrow the scope of the volume of processing trigger to qualify as a business under the CCPA by increasing the threshold from buying, selling, or receiving personal information relating to 50,000 consumers to buying or selling (but not receiving) personal information relating to 100,000 consumers; and (ii) expand the exemption for publicly available information (which currently covers only information lawfully obtained from government records) to include information made generally available to the public by the consumer or through “widely distributed media.” In addition, under the CPREA, businesses will not be required to honor deletion and opt-out requests if the business “has incurred significant expense in reliance on the consumer’s express consent” and compliance with the request “would not be commercially reasonable.”
We will continue to monitor the situation and keep you apprised of developments.
Goodwin’s Chambers and Legal 500 ranked Privacy & Cybersecurity practice offers a fully integrated, multi-disciplinary approach to clients’ data protection needs. One of the longest-standing of any Am Law 50 firm, our global team is uniquely positioned to provide the most innovative solutions to guide clients through the collection, use, processing and protection of their most sensitive information. Our senior lawyers include a former Chief Privacy Officer of the U.S. Department of Homeland Security in the Obama Administration and a Legal 500 Recommended Lawyer, a Legal 500 “Leading Lawyer” and a “Next Generation Lawyer” in Cyber Law and Data Breach Response, as well as three other; Legal 500 Cyber Law ranked partners, several former federal prosecutors, and multiple GDPR, CCPA, FTC, HIPAA, and COPPA experts. We have handled hundreds of data breaches, including high-profile, global incidents involving everything from ransomware to nation-state attacks; have advised on over 700 public and private transactions in the last year alone; and have designed strategic privacy, information security and compliance programs for startups, global enterprises, and everything in between. We have litigated landmark privacy cases and defended against class action and government enforcement actions brought by the FTC, OCR/HHS, state attorneys general and regulators across the globe.