CCPA 2.0 Initiative Signatures Submitted For November 2020 Ballot

Alex Nisenbaum, Karen Shin
Troutman Pepper
Contact
LinkedIn
Facebook
X
Send
Embed

Pepper Hamilton LLP

[co-authors: Sadia Mirza, Ronald Raether, Wynter Deagle]*

On May 4, Californians for Consumer Privacy, the organization that sponsored the California Consumer Privacy Act (CCPA) announced that it had submitted enough signatures to put a new privacy law, the California Privacy Rights Act of 2020 (CPRA), before California voters on the November ballot. If approved, the law would establish new consumer privacy rights more stringent than the CCPA.

The initiative to create the CPRA, formerly known as the California Privacy Rights and Enforcement Act of 2020, was filed on September 25, 2019. As originally drafted, the CPRA would (1) create a new right to correct inaccurate personal information, (2) prohibit the sale of “sensitive personal information” without a consumer’s opt-in consent, (3) create a new right for consumers to opt out of the use or disclosure of sensitive personal information for advertising and marketing, (4) establish the California Privacy Protection Agency to enforce the CPRA, and (5) create disclosure obligations for “profiling.” We previously discussed the initial draft of the CPRA here.

The CPRA was renamed and amended in November 2019 to take effect on January 1, 2023 (as opposed to January 1, 2021) and to only apply to personal information collected after January 1, 2022 (as opposed to January 1, 2020). The amended CPRA would also:

  • extend the CCPA’s employee and business-to-business exceptions to January 1, 2023 (as opposed to January 1, 2021)
  • redefine “business” under the CCPA to reduce the scope of covered entities to those that, alone or in combination, annually buy or sell or share the personal information of 100,000 (instead of 50,000) or more consumers or households, or derive 50 percent or more of their annual revenues from selling or sharing consumers’ personal information, in addition to for-profit entities with annual gross revenues of $25 million
  • impose certain obligations directly on service providers (as opposed to under the CCPA and other U.S. privacy laws, where vendor obligations likely flow only through contract)
  • provide that “the implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 following a breach does not constitute a cure with respect to that breach”
  • triple regulatory fines for any intentional violation of the CPRA’s requirements with respect to the collection or sale of the personal information of minors without consent
  • provide a right to limit the use of sensitive data for any secondary purpose and require businesses to provide a new, separate link titled “Limit the Use of My Sensitive Personal Information”
  • clarify that businesses may offer loyalty, rewards, premium features, discounts or club card programs
  • include email account credentials in the categories of personal information potentially subject to the CCPA’s “reasonable security” private right of action
  • require the California Attorney General to adopt regulations requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security to perform annual privacy and data security audits (rather than requiring audits solely based on the volume of records processed)
  • prevent a business from incurring duplicative fines for both an administrative fine and a civil penalty for the same violation.

The amendments to the CPRA would further allow the to-be-created California Privacy Protection Agency to provide businesses with the opportunity to cure any alleged violations of the CCPA rather than pursuing a complaint and penalties. Additionally, the California Privacy Protection Agency would no longer be directly funded by regulatory fines.

While the CPRA may have enough signatures to qualify it for the November ballot, the California Secretary of State and county election officials will need to certify the signatures by June 25, 2020, which is also the deadline by which the initiative may be withdrawn, for its placement on the ballot to be official. Of the 900,000 signatures submitted by Californians for Consumer Privacy, 675,000 must be certified as valid for the CPRA to be included on the November ballot.

In the meantime, businesses should:

  • focus on being compliant with the CCPA and closely monitor all developments relating to the CCPA, including any regulations and guidance from the California Attorney General. As we have previously discussed, CCPA compliance will not only prepare organizations for the CPRA but may also establish a defense to other privacy-based claims that may be asserted today. For more information, see our article published by Law360, “Calif. Privacy Law Takeaways From 9th Cir. Facebook Case.”
  • monitor all developments relating to the CPRA initiative.

 

* Troutman Sanders

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising

Written by:

Troutman Pepper
Troutman Pepper
Contact
more
less

Troutman Pepper on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide