May the 4th be with Alastair Mactaggart?

On May 4, the Californians for Consumer Privacy, led by founder Alastair Mactaggart, announced its submission to qualify the California Privacy Rights Act for the November 2020 ballot. Because of COVID-19 social distancing measures in place in California and the huge number of signatures required, the announcement surprised many political observers.

However, the CPRA’s presence on the ballot is still not a “done deal.” County election officials and the secretary of state will now begin the process of reporting and verifying the signatures, which may last through June 25th. Californians for Consumer Privacy has announced that it has collected about 900,000 signatures. 675,000 valid signatures are required to place the Initiative on the ballot.[1]

Early polling strongly suggests that if the CPRA — aka CCPA 2.0 — is certified for the ballot, it will pass and become effective Jan. 1, 2023, and move California privacy law a bit further in the direction of the EU General Data Protection Regulation.

The CPRA would amend the language of the CCPA and require additional rulemakings, which would introduce new uncertainties. Here are highlights of how the CPRA would change the CCPA.

Some good news for CCPA-regulated “businesses”

The CPRA would:
  • Limit businesses’ liability for violations of the law by “third-party” businesses.
  • Create an operationally significant limited exception to deletion and access rights for many types of unstructured data.
  • Clarify the definition of “sale” and differentiate and exempt from the “Do Not Sell” right and the CCPA “selling” notice requirements, the “sharing” of personal information for cross-context behavioral advertising in some instances.
  • Clarify that businesses may offer loyalty, rewards, premium features, discounts or club card programs.
  • Amend the second threshold of the definition of a “business” to remove “devices.” and increase the number of consumers or households from 50,000 to 100,000 or more, thereby exempting more small businesses.
  • Exempt businesses from needing to provide access to “specific pieces of personal information” from data generated to help ensure security or integrity or as prescribed by regulation.
  • Extend the employee and business-to-business moratoria to Jan. 1, 2023, allowing time to address employee privacy questions in a separate bill.

Some bad news for CCPA “businesses” and “service providers”

Companies subject to the CPRA would need to update their California privacy programs to include a new:

  • Category of personal information, sensitive data, defined (somewhat differently than under the GDPR) as government identifiers, account and login information, precise geolocation data, racial or ethnic origin, religious or philosophical beliefs, union membership, contents of mail, email and text messages, genetic data, and certain sexual orientation, health and biometric information.
  • Set of requirements for this sensitive data, including a right to “Limit the Use of My Sensitive Personal Information” and special website link and additional data minimization requirements.
  • Right to limit the use of sensitive data for any secondary purpose and a new notice requirement to provide a separate link titled “Limit the Use of My Sensitive Personal Information” or accommodate an optional technical signal solution.
  • Right to data minimization, as well as providing notice to consumers about the length of time each category of personal information will be retained.
  • Right to correct inaccurate personal information.
  • Right to know, access and receive personal information collected before the 12-month lookback period for data collected on or after Jan. 1, 2022.
  • Direct obligations on service providers to assist businesses with CPRA compliance activities.
  • Definition of cross-context behavioral advertising and limitations that, as noted above, exempts certain analytics functions but clearly targets this activity to do-not-sell obligations.
  • Type of business covered under the CCPA — a joint venture or partnership composed of businesses in which each business has at least a 40% interest.
  • Inclusion of email account credentials in the categories of personal information potentially subject to the CCPA “reasonable security” private right of action under Section 1798.150(a).

Enforcement and fines 

A new California Privacy Protection Agency would replace the attorney general’s office as the regulator implementing CPRA rules and enforcing its requirements against violators. Penalties would be tripled for violations regarding minors under the age of 16, and the private right of action for consumers is expanded to cover breach of an email address in combination with a password and security question and answer permitting access to the email account.

Also on the state privacy law horizon

The Washington Privacy Act failed the second year in a row, and COVID-19 stay-in-place orders cut short legislative sessions in most other states where omnibus privacy bills had some chance of passing. Stay tuned for further potential privacy legislation in California, which considered several privacy bills at an Assembly Privacy Committee hearing May 4, and in New Jersey, if that state’s legislature is able to reconvene in the fall. It is also worth watching the evolution of a U.S. Uniform Law Commission draft model uniform privacy law, which is likely to be finalized next summer and whose content remains highly unsettled as of now.

All this state activity may generate new interest in a federal privacy law.

This article has been reprinted from the IAPP Daily Dashboard.