Businesses within the scope of California’s groundbreaking privacy law, the California Consumer Privacy Act (CCPA), which went into effect January 1, 2020, may need to revise privacy policies and change their compliance programs once again if a new ballot initiative passes this November. Californians for Consumer Privacy, the group that sponsored the CCPA, announced last week that it is submitting over 900,000 signatures in favor of the California Privacy Rights Act (CPRA) to qualify the initiative for the November 2020 ballot.
The CPRA would amend the CCPA by expanding consumers’ rights and imposing additional obligations on businesses that buy, sell, or share the personal information of California residents, including non-California third parties that share data with California businesses.
Significantly, the CPRA would also establish a new California Privacy Protection Agency, funded with $10 million from the State’s General Fund. This new Agency may serve a function similar to Europe’s Data Protection Authorities, and could be part of the groundwork for California to be recognized as having “adequate” privacy protections by the European Union.
As part of its expansion of consumers’ rights, the CPRA would create a new category of Sensitive Personal Information (SPI), which would receive additional protections. SPI would include consumers’ “precise” geolocation, the content of emails or text messages, philosophical or religious beliefs, information on consumers’ health or sex life, and account log-in or financial information “in combination with any required security” (e.g. passwords).
In addition, consumers could recover damages under the data breach provision if the combination of consumers’ e-mail address and password were to be exposed. Such damages were previously limited to data breaches that included a consumer’s first name or initial and last name combined with certain data elements, such as social security numbers and bank accounts. The CPRA would also eliminate a business’s ability to cure a data breach by implementing reasonable security measures after the fact.
Consumers will also receive new rights to control their information under the CPRA. Under the CCPA, consumers had the right to opt out of the sale of their personal information. The CPRA will allow consumers to opt out of any sharing of their personal information for advertising or marketing, and further, businesses will need consumer consent prior to the sale of SPI. If requested, consumers will also have the right to correct inaccurate information collected by businesses.
To ensure consumers’ access to these rights, the CPRA would require businesses to provide access to an email, phone number, or webpage to allow consumers to request deletion or correction of their personal information. Further, businesses must inform customers of their additional rights and the categories of data being collected and the purpose for collection “prominently and conspicuously” on their website. If personal information is collected on premises, including by vehicle, then the categories and purpose of such collection must also be displayed on location “in a clear and conspicuous manner.”
The CPRA further imposes these obligations on third parties who have received information from California businesses. Such third parties will be required, by agreement, to comply with the CPRA. Additionally, when a California business receives a request from a consumer to delete his or her personal information, under the CPRA, the business will be required to notify service providers, contractors, and all third parties to whom the business has sold or shared personal information to comply with the request.
At this stage, the 900,000 signatures must be verified by county election officials before the initiative qualifies for the ballot. Should the CPRA make it to the ballot in November, Californians for Consumer Privacy claims that 88% of voters would likely vote in favor of it, but further independent polling may prove more useful.
The law would enter into force on January 1, 2023, but apply to information collected after January 1, 2022. Significantly, the initiative would extend the CCPA’s exemption for employees and contractors until 2023.
For further detailed background on the CCPA, please visit our CCPA microsite at www.RopesGray.com/CCPA.