Passed in 2018, the California Consumer Privacy Act (CCPA) took effect on January 1, 2020, although enforcement by the Attorney General was delayed until July 1, 2020. The CCPA embodied a significant move to provide consumers greater control of their information as well as protection of personal privacy rights in the United States. While the CCPA constituted a material substantive step towards European-style privacy protections, the next round in consumer-driven privacy protections is already pushing California towards greater protections for consumer privacy rights.
On May 4, 2020, Californians for Consumer Privacy (CCP), the same group responsible for the ballot initiative that led to the CCPA, launched a push for the adoption of the proposed California Privacy Rights and Enforcement Act (CPRA), a second round of more substantial privacy rights protections. CCP announced that it had collected over 900,000 signatures to place the CPRA on the November 2020 ballot. Moreover, current polling reflects that 88 percent of Californians support passage of the CPRA.
With robust enforcement provisions, increased penalties, and the likelihood of it passing in November, it is imperative that businesses be aware of the requirements under CPRA and begin working towards compliance with this law before it takes effect on January 1, 2023.
What does the CPRA do?
Angered by what it saw as a softening, by large data collectors and other interest groups, of the protections originally contemplated by the CCPA, the CCP sought to build on the protections found in the CCPA and further protect consumer privacy rights. To accomplish this goal, the CPRA proposes several new or expanded rights and protections.
- Similar to the protections offered under the GDPR, the CPRA would create a new category of Sensitive Personal Information that consumers can, at any time, direct businesses not to use beyond the use necessary to provide requested goods or services. This change would require businesses to establish further monitoring and tracking of the types of information collected to ensure that such Sensitive Personal Information later can be excluded from sales upon request. It also would affect geolocation data use. By defining “precise geolocation” data as Sensitive Personal Information, consumers would be able to prevent the use of geolocation data pinpointing a location to within less than 1/3 of a mile—rendering such data much less effective and valuable.
- The CPRA grants consumers the ability and right to correct inaccurate or erroneous personal information held by businesses and also strengthens children’s privacy rights by tripling fines for violating children’s rights under the CCPA.
- The CPRA defines the “sale” of personal information to include sharing of such information (i.e., exchanging information without any monetary compensation)—something that is currently not defined as a sale under the CCPA. This change would prevent any exchange of information with a third party where the consumer requests that sales be prevented.
- The CPRA also broadens the definition of a breach to include the compromise of a consumer’s email address in combination with a password or security question and answer that would allow access to that account.
- The CPRA prevents amendments to the CCPA made after January 1, 2020, that are inconsistent with the purpose and intent of the CPRA. This change would allow the California legislature to pass amendments adding to the protections afforded by the CPRA, but would not allow amendments to the CPRA that lessened those protections.
- To enforce privacy protections under California law, the CPRA creates a new administrative agency, funded by the fines collected from the law. The new California Privacy Protection Agency would be independent from the California Attorney General’s office and would be staffed with 40 attorneys—the same size as the Federal Trade Commission’s privacy arm directed to protecting consumer privacy across the entire country.
The ramifications of these changes are still being discussed and are likely to be more fully understood as the provisions of the CPRA are studied between now and November. Regardless, the CPRA is a monumental step towards GDPR-type legislative protection for consumer privacy rights. And with increased fines and enforcement tools at its disposal, California’s proposed new Agency likely will be enforcing the CPRA aggressively and looking for violations, all of which makes compliance a necessity as well as a wise business practice.