The California Privacy Rights and Enforcement Act (“CPRA”)—the latest ballot initiative spearheaded by Alastair Mactaggart and his group Californians for Consumer Privacy—has qualified for the November 3, 2020 ballot, according to an email sent by the California Secretary of State’s office. The ballot initiative gathered more than the 623,212 signatures it needed to qualify. Early polling data released by Californians for Consumer Privacy indicates that the CPRA will overwhelmingly be voted into law.
There was some uncertainty earlier in the month as to whether California counties would be able to count and certify enough signatures for the CPRA to make the November ballot before the June 25 deadline. Mactaggart, however, filed a lawsuit against the California Secretary of State Alex Padilla on June 8, alleging that his office had not “immediately” notified county officials to begin the random-sampling verification process for signatures. A California judge issued a writ of mandate on June 19 that required the California Secretary of State to direct counties in California to report the results of their random-sample signature verification on or before June 25, which led to the CPRA qualifying for the ballot in time.
The CPRA qualified for the November ballot a week before the California Attorney General can begin enforcing the California Consumer Privacy Act (“CCPA”) on July 1st, and all indications are that the CPRA will replace the CCPA as the new privacy law in California. The CPRA builds upon the CCPA’s framework by creating additional rights for consumers and further compliance obligations for businesses.
The good news for businesses is that, should the CPRA be voted into law, the CCPA’s current business-to-business and employee data exceptions (which are set to expire on January 1, 2021) would now expire on January 1, 2023. This means that the California legislature would have between November 2020 and January 2023 to decide how to address those exemptions on a permanent basis.
Should it pass, the substantive portions of the CPRA would not become operative until January 1, 2023, and most of the law would apply to information that a business collects after January 1, 2022 (with the exception of the right to access).
Key differences between the CCPA and CPRA include:
- The establishment of the California Privacy Protection Agency, which would be in charge of enforcing the law instead of the California AG’s office.
- The addition of a new right of correction for consumers.
- A slightly broader private right of action for data breaches: In addition to what is currently protected under California’s data breach statute, the CPRA expands the CCPA’s private right of action for data breaches so that it also applies to consumers whose email address, in combination with a password or security question that would permit access to the account, is compromised.
- An expanded right to know: Under the CPRA, businesses must inform consumers if they have been “profiling” them using automated processes (this is similar to the General Data Protection Regulation in the EU) and whether they have used a consumer’s personal information for the business’s own political purposes.
- An expanded right to opt out: Instead of only applying to “sales,” the CPRA provides consumers with the right to opt out of any sharing of their data with third parties.
- Distinguishing between “personal information” and “sensitive personal information”: The latter receives additional protections under the law.
We will continue to provide updates as we learn more about the CPRA.