While businesses are busy finalizing CCPA preparations, a new privacy initiative in California called the California Privacy Rights Act (CPRA) may be headed to the November 2020 ballot.

The original CCPA began in 2018 as a ballot initiative in California but was enacted by the California legislature in June of 2018. However, Californians for Consumer Privacy, the leaders behind the original ballot initiative, are unsatisfied with the current version of the CCPA. According to Californians for Consumer Privacy, two things have happened since the CCPA was passed: first, they believe large companies have worked to weaken the effectiveness of CCPA. Second, they believe technological tools have evolved in ways that exploit consumers’ data with potentially dangerous consequences. On May 4, 2020, Californians for Consumer Privacy announced that they had received over 900,000 signatures to qualify the CPRA for the November 2020 ballot in California. Here are a few examples of the new rights and requirements the CPRA would impose:

  • Right to restrict use of “sensitive personal information”;
  • Right to correct data;
  • Storage limitation: right to prevent companies from storing information longer than necessary and right to know the length of time a business intends to retain each category of personal information;
  • Data minimization: right to prevent companies from collecting more information than necessary;
  • Right to opt out of advertisers using precise geolocation (less than 1/3 mile);
  • Penalties if email address and email password are stolen due to negligence;
  • Restrictions on onward transfers of personal information;
  • Establishes California Privacy Protection Agency to protect consumers;
  • Requires high risk data processors to perform regular cybersecurity audits and risk assessments; and
  • Requires the appointment of a chief auditor with power to audit businesses’ data practices.

 

These new rights and requirements would impose additional responsibilities on businesses subject to the CCPA. For example, with the expanded definition of “sensitive personal information,” businesses would need to evaluate whether they are collecting sensitive personal information and, if so, be prepared to limit the disclosure and use of that information if the consumer makes a request. The storage limitation requirement would make it necessary for businesses to implement a data retention policy governing the storage of personal information and be ready to tell consumers how long they intend to keep each category of personal information. These changes would create a law that is more similar to the GDPR than the current CCPA is. Consumers would be given greater control over their personal information, and businesses would face additional compliance obligations on top of the preparations already made for the CCPA.

Whether the CPRA will be on the ballot in November depends on whether the secretary of state can verify at least 623,212 signatures by the June 25 deadline. If there are enough valid signatures, the CPRA will be on the ballot in 2020 and could change California’s privacy laws once again.