As we noted just earlier this week, the California Privacy Rights Act (CPRA), first introduced in May 2020, is poised to push consumer privacy protections well past the protections found in the not yet fully enforced California Consumer Privacy Act (CCPA). The CPRA grants California consumers a number of privacy rights in their personal information and requires businesses collecting that information to better protect that information without consumer consent. With support for these protections polling near 90% in California, the CPRA was well on its way in the process of becoming new law.
But, one hurdle remained. Before the CPRA ballot measure could be added to the November ballot, the required number of signatures in support of that measure needed to be verified and the number certified by the Secretary of State. With that process, when a ballot initiative is introduced with its submitted signatures, each county registrar of voters first receives the signatures obtained in their county. County officials then send a “raw count” of the total number of signatures gathered in that county to the Secretary of State. The Secretary of State then determines if the number submitted meets the threshold to be added to the ballot. If so, the Secretary of State notifies the county registrars that the threshold is met, which begins each county’s work verifying that the submitted signatures are valid. Once verified, the Secretary of State can then place the ballot initiative on the November ballot.
Here, the CPRA ballot initiative was introduced on a schedule that would have seen each of the steps above occur when each of the statutory deadlines was considered, in time to have the final Secretary of State determination occur on June 25, 2020, the constitutional deadline for the qualification of all ballot measures to appear on the November 3, 2020, ballot. But, during the submission process, the California Secretary of State delayed notifying the county registrars that the requisite threshold of signatures had been met—triggering the verification of those signatures one day later than planned. Had the county registrars taken the full time they were allowed under the election code to verify signatures, the CPRA ballot initiative would have been deemed sufficient to qualify for placement on the ballot one day after the constitutional deadline.
The Californians for Consumer Privacy group that introduced both the CCPA and the CPRA ballot initiative was so concerned about this delay they sued the California Secretary of State for failure to adhere to the California election code’s requirement that the Secretary of State immediately notify county officials to begin the signature verification process.
This concern, however, was unnecessary. Today, the California Secretary of State confirmed that the CPRA ballot initiative had submitted more than enough verified signatures to qualify for placement on the November 3, 2020, ballot. This means that the CPRA will be up for voter approval in November. With overwhelming support from California consumers, the CPRA is poised to pass—which would cause the provisions of the CPRA to take effect, January 1, 2023.
The CPRA proposes a number of revisions to the CCPA, set to take full effect on July 1, 2020, to resolve the ambiguities and some of the burdensome requirements, while at the same time introducing new privacy and security obligations to businesses. So, if you and your business are only now focusing on compliance with the CCPA, your work on the path of compliance has only just begun.