While it would appear that the California Consumer Privacy Act of 2018 (CCPA) (effective January 1, 2020, and considered one of the most comprehensive privacy regulatory schemes in the United States) would suffice to protect consumers’ privacy rights, some California voters apparently want more. The group, Californians for Consumer Privacy, who sponsored an initiative on the November 2018 ballot that eventually led to legislation creating the CCPA, wants additional privacy rights. This group has just announced that it is submitting over 900,000 signatures to qualify a new initiative called the California Privacy Rights Act (CPRA) for inclusion on the November 2020 ballot.1This initiative emphasizes the need for businesses to concentrate efforts on understanding all types of personal information being maintained about its customers and adequately protecting that information, which would include, at a minimum, compliance with current CCPA requirements.
The California Privacy Rights Act (CPRA)
The CPRA is proposing the following:
- The creation of additional rights related to personal information;
- Enhanced penalties related to the collection and sale of children’s information; and
- Establishment of an enforcement agency to enforce these rights.
The details of the CPRA are yet to be finalized, but the act proposes to create additional rights related to the use by businesses of consumer’s personal information without consent - including a consumer’s physical location, as well as its health or financial information. The CPRA is also proposing to triple penalties for violations related to children’s private information. The current penalties under the CCPA provide for $2,500 for each violation or $7,500 for each intentional violation.2This would substantially increase penalties to $7,500 for each violation, or $22,500 for each intentional violation. Keep in mind that penalties are imposed based upon each piece of personal information and businesses may collect numerous pieces of personal information, such as name, mailing address, email address and account name.
Lastly, the CPRA plans to establish a new agency or authority to enforce rights under its umbrella. It is not clear if this would also include enforcement of consumer rights under the CCPA. Although enforcement of the CCPA is not scheduled to commence until July 1, 2020, it has been structured for enforcement actions to be brought by the Attorney General. Further, the state has created a special fund, the Consumer Privacy Fund, for use to offset the costs of enforcement actions pursuant to the CCPA.3
Why Does This Matter For Businesses
§ Privacy regulation in California is not going away. The proposed CPRA further shows that California consumers want to protect their personal information, and that the CCPA, along with related regulation, is likely to evolve and grow stronger over the next several years.
§ Businesses should already be prepared for compliance with all aspects of the CCPA as of January 1, 2020. If not already in compliance, now is the time to act, as the July 1, 2020 date for enforcement action quickly approaches. If the CPRA does become law, companies which conduct business in California will face an even greater burden related to consumer privacy.
§ All businesses subject to the CCPA have an affirmative obligation to establish security procedures and practices to protect any personal information maintained. Even during the current COVID-19 pandemic, a compliance program must be implemented.