Building off the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights Act of 2020 (“CPRA”) is a proposed ballot initiative aimed to amend and broaden the CCPA. If passed by California voters in November 2020, the CPRA would enhance consumer privacy rights, impose additional restrictions on the use of personal information by businesses, and create a new California state agency dedicated to privacy enforcement. Six of the most important provisions of the CPRA that you should understand include:
1. SCOPE
The CPRA narrows the CCPA’s definition of a “business.” Under the CCPA, a business must meet one of three thresholds: (1) derives fifty percent or more of its annual revenue from sharing or selling the personal information of California consumers; (2) has annual gross revenue over $25 million; or (3) buys, shares, or sells the personal information of greater than 50,000 California consumers, households, or devices. Under the CPRA, the third threshold would be increased to 100,000 and devices removed from the calculation. Consequently, smaller businesses that buy, share, or sell personal information would have a higher bar to meet before CPRA applies to them.
2. ENFORCEMENT
A new California Privacy Protection Agency would be established to enforce regulations under the CPRA. The Agency would be authorized to implement regulations, investigate potential violations, and issue fines. The California Attorney General is currently responsible for enforcement of the CCPA, and the proponents hope that a dedicated agency will result in stricter enforcement.
3. SENSITIVE PERSONAL INFORMATION
A new sub-category of personal information called “sensitive personal information” will be created under the CPRA. Sensitive personal information includes data relating to the consumer’s biometric identification, finances, health, and exact location. Businesses collecting sensitive personal information will be required to notify the consumer at or before the time of collection of: (1) the category of information the business will collect; (2) the retention period; and (3) whether the information will be sold by the business. Businesses will also be required to provide a “Limit The Use of My Sensitive Personal Information” link to allow consumers to restrict use of their sensitive personal information.
4. RIGHT TO CORRECTION
Following in the footsteps of the European Union’s General Data Protection Regulation, the CPRA would grant California consumers the right to correct inaccurate personal information held by a business. As with other rights granted by the CCPA, the business would be required to inform consumers of this right.
5. CHILDREN’S DATA PRIVACY
The CPRA will triple the maximum regulatory fines for intentional violations by a business collecting personal information from consumers under the age of 16 without consent.
6. EXCEPTIONS EXTENDED
If the CPRA passes, current CCPA exceptions for personal information collected in the employer-employee and business-to-business contexts that are set to expire on January 1, 2021 will be extended to January 1, 2023.
Californians for Consumer Privacy, the group responsible for the CPRA initiative, announced in early May 2020 that it had secured the number of signatures needed for the CPRA to reach the first threshold to make the November 2020 ballot. Currently, the signatures are being verified by state authorities and observers anticipate enough signatures will be verified for the initiative to move forward. If placed on the ballot, CPRA is expected to pass and if passed, will become operative on January 1, 2023 (although with a lookback period to January 1, 2022). We will continue to monitor the CPRA’s progress.
* Aaron Parry contributed to this post.
A Partner at M&S, Josh advises clients on a range of proactive and responsive matters, helping them achieve their business goals while complying with federal and state privacy and other consumer protection laws.