On May 4, 2020, Californians for Consumer Privacy (CCP), the organization behind the ballot initiative that led to the California Consumer Privacy Act (CCPA), announced that it has begun submitting signatures to qualify the California Privacy Rights Act (CPRA) for California’s November 2020 ballot.
The CPRA seeks to amend the CCPA and align it even more closely with the EU’s General Data Protection Regulation (GDPR). If passed, the CPRA would enter into force January 1, 2023, and largely move rulemaking and enforcement from the California Attorney General (AG) to a new privacy agency. The CPRA would prohibit all amendments except those consistent with the CPRA’s intent, thereby calcifying the law for all practical purposes. Please see here to read about the previous iteration of the CPRA and here for the complete text of the CPRA.
Conceivably, the CPRA could take the same course as the CCPA, which also began as a ballot initiative before a preemptive compromise version was passed by the California Legislature. However, the Legislature may not now have the appetite to take up another privacy measure, particularly in the current COVID-19 climate. A compromise seems particularly unlikely given that the CPRA reflects the CCP’s apparent view that the CCPA’s protections were materially diluted during the legislative process. Nonetheless, covered businesses should stand at the ready to make their views known to key legislators as part of a holistic approach to shaping the outcome of the CPRA.
If added to the ballot, the CPRA appears to have a good chance of passing given the relative appeal of ballot measures as a means of forging policy and the popularity of consumer privacy issues in the state: an October 2019 survey conducted by Goodwin Simon Strategic Research found that 88 percent of registered voters said they would vote in favor of the CPRA.
With the CCPA’s July 1 enforcement date looming, the significant investment companies have already made in building their CCPA compliance programs (the California Department of Justice’s standardized regulatory impact assessment estimated the cost of initial compliance with the CCPA at $55 billion), and ongoing uncertainty about the final implementing regulations, the CPRA’s potential to become law heralds new challenges and prolonged uncertainty for a wide swath of sectors.
We outline below some of the CPRA’s key provisions. If passed, the CPRA would:
Scope And Definitions
- Amend certain CCPA triggers to qualify as a “business.” Among the most consequential amendments are (i) the CPRA’s increase of the number of California residents (“consumers”) or households about which a business buys, sells, or “shares” personal information from 50,000 to 100,000, and (ii) removal of devices from the calculation. The CPRA would also narrow the scope of activities that trigger this volumetric threshold by removing receiving or sharing personal information for commercial purposes from the list of relevant processing activities.
- Extend the CCPA’s employee and “B2B” exemptions from their scheduled January 1, 2021, expiration date to January 1, 2023. These changes reflect the CCPA’s underlying policy goal to prioritize protecting traditional consumer privacy interests.
- Establish a new category of “sensitive personal information,” which includes Social Security, driver’s license, or passport numbers; financial account information; precise geolocation; and, in line with the GDPR definition, race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information, and information about sex life or sexual orientation. The CPRA would empower consumers to restrict the use of sensitive personal information, including for advertising or marketing.
- Expand the CCPA’s definitional exclusion for “publicly available” personal information from that lawfully obtained from government records to include information “lawfully made available to the public by the consumer or from widely distributed media.” The practical impact of this significant change would be that much of the information collected from the public web would no longer be subject to the CCPA’s restrictions. This would eliminate a barrier to entry for many companies whose business models depend on processing publicly available data to offer such services as talent acquisition and social media analytics, to name a few.
- Exclude from the definition of personal information “lawfully obtained, truthful information that is a matter of public concern,” reducing the exposure of media organizations to potentially problematic CCPA rights requests (for example, if a public figure were to make a deletion request to silence critics).
Enforcement And Liability
- Create the California Privacy Protection Agency (Agency) to implement and enforce the law by investigating alleged violations and imposing fines. The Agency would be comprised of appointed experts in privacy, technology, and consumer rights, and would provide guidance to businesses and consumers on their responsibilities and rights.
- Grant the AG and, when it is ready, the Agency additional rulemaking authority and obligations, such as requiring the issuance of regulations regarding the definition and use of sensitive personal information, or the performance of cybersecurity audits or risk assessments (similar to data protection impact assessments under the GDPR).
- Remove the compulsory 30-day cure period prior to administrative enforcement actions for CCPA violations, while granting the Agency authority to provide a business a time period in which it may cure violations. (The 30-day cure period for private claims related to data breaches remains unchanged, although implementation and maintenance of reasonable security practices following a breach does not constitute a cure with respect to that breach.)
- Change the civil penalty for CCPA violations to an administrative fine that would no longer be required to be assessed and recovered in a civil action. Amounts would remain unchanged (up to $2,500 per violation or $7,500 for each intentional violation), although fines for violating the CCPA’s opt-in-to-sale requirement for consumers under 16 would be tripled to up to $7,500 per violation.
- Broaden consumers’ control over their data by allowing them to opt out of “sharing” personal information (in addition to the current CCPA right to opt out of “sales”). “Share” is any disclosure or transfer of personal information to a third party “for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.” “Cross-context behavioral advertising” includes targeted advertising based on prior browsing activity (commonly known as behavioral advertising/retargeting). This change would have two significant impacts: (i) it would clearly establish that consumers have the right to opt out of behavioral advertising/retargeting; and (ii) it would clarify that disclosures related to behavioral advertising/retargeting would not be a “sale” of personal information.
- Add a right for consumers to correct inaccurate personal information, similar to the right to rectification under the GDPR. Businesses would also have to implement data integrity principles, including taking reasonable steps to ensure they do not collect, retain, or share inaccurate personal information.
- Allow businesses to refuse to honor access requests for information used for security purposes or that would expose trade secrets. This is significant for companies that are able to rely on similar exceptions under the GDPR.
Obligations on Businesses
- Expand the CCPA’s transparency requirements by mandating that businesses provide notice of why they collect personal information, how much information they collect, and how long they retain personal information. Businesses would also be required to implement data minimization principles. These requirements are in line with the GDPR’s data retention and minimization obligations, as well as its principle of proportionality.
- Require businesses to disclose the role of automated decision making in certain instances, including performance at work, economic situation, health, personal preferences and others, as well as allowing certain opt-out rights in relation to the use of automated decision making. These changes, consistent with the GDPR’s right to be free from automated decision making, could hinder the increasingly common practice of businesses relying on AI and other algorithms to boost efficiency and productivity, potentially stifling innovation across sectors.
- Require businesses to provide links on their homepage to allow consumers to opt out of the sharing of personal information for behavioral advertising/retargeting and limit the use of sensitive personal information (in addition to providing the CCPA-mandated “Do Not Sell My Personal Information” link if engaging in sales).
- Require businesses to enter into contracts with third parties, service providers, and contractors that (i) state that personal information is sold or disclosed for limited and specified purposes; (ii) require the third party or service provider to provide at least the level of privacy protection required by the CCPA and notify the business if it cannot; and (iii) allow the business to audit the third party, service provider, or contractor’s use of personal information and remediate unauthorized uses. The CCPA currently does not mandate these contractual terms.
- Require service providers to (i) assist businesses in complying with their CCPA obligations, (ii) alert businesses when they engage sub-processors, and (iii) enter into contracts with such sub-processors. These measures would bring the CCPA closer into line with the similar GDPR obligations for data processors.
The Longish View
Unless the business community, privacy advocates, and California State Legislature reach a CCPA-like, eleventh-hour compromise, the CPRA is on track to be added to the November ballot in California and currently faces good odds at becoming law. If so, covered businesses would be subject in the near term to the AG’s enforcement and rulemaking authority, only to have that authority shift after two years to the new Agency. This outcome would add more uncertainty to the AG’s rulemaking process currently underway and undermine regulatory certainty; exacerbate already existing confusion about key terms in the CCPA; require significant additional compliance costs and resources; and potentially cast doubt on the precedential value of CCPA enforcement actions undertaken after July 1, 2020. Passage of the CPRA could also impede innovation and potentially discourage some data-driven companies from doing business in California. All of the foregoing could further galvanize industry to pressure Congress to pass comprehensive federal privacy legislation.
The CPRA’s path may take several twists and turns between now and Election Day. We will continue to keep you apprised of key developments.
Goodwin's Chambers and Legal 500 ranked Privacy & Cybersecurity practice offers a fully integrated, multi-disciplinary approach to clients' data protection needs. One of the longest-standing of any Am Law 50 firm, our global team is uniquely positioned to provide the most innovative solutions to guide clients through the collection, use, processing and protection of their most sensitive information. Our senior lawyers include a globally known, solution-oriented privacy practitioner and former Chief Privacy Officer of the U.S. Department of Homeland Security in the Obama administration; a Legal 500 “Leading Lawyer” and a “Next Generation Lawyer” in Cyber Law and Data Breach Response, as well as four other Legal 500 Cyber Law ranked partners, several former federal prosecutors, and multiple FTC, GDPR, CCPA, HIPAA, GLBA, and COPPA experts. We have handled hundreds of data breaches, including high-profile, global incidents involving everything from ransomware to nation-state attacks; have advised on over 700 public and private transactions in the last year alone; and have designed practical solutions and strategic privacy, information security, and compliance programs for startups, global enterprises, and everything in between. We have litigated landmark privacy cases and defended against class action and government enforcement actions brought by the FTC, OCR/HHS, state attorneys general, and regulators across the globe.