New California Privacy Rights Act on the 2020 Ballot

Robinson+Cole Data Privacy + Security Insider

The California Privacy Rights Act (CPRA) recently qualified for the November 2020 ballot, and if California voters approve this initiative, the CPRA will expand the rights of California residents under the current (stringent) California Consumer Privacy Act (CCPA), beginning on January 1, 2023.

So what will change under the CPRA?

  1. Creation of the California Privacy Protection Agency (CPPA): If the CPPA is created, it would be the first of its kind in the United States. The CPPA would be governed by a five-member board that would have full administrative power, authority and jurisdiction to implement and enforce the CCPA (instead of the California Attorney General).
  2. Stricter Definitions: CPRA defines “sensitive personal information” more strictly than “personal information;” “sensitive personal information” includes government-issued identifiers (i.e., Social Security numbers, driver’s license numbers, passport numbers), account credentials, financial information, precise geolocation, race or ethnic origin, religious beliefs, contents of certain types of messages (i.e., mail, e-mail, text), genetic data, biometric information, and other types of information.

The CPRA also would create new obligations for companies and organizations processing sensitive personal information. It also would allow consumers to limit the use and disclosure of their sensitive personal information.

The CPRA would also expand consumer rights under the CCPA. Specifically, under the CPRA, consumers would have the right to:

  1. Correct personal information;
  2. Know the length of data retention;
  3. Opt-out of advertisers using precise geolocation; and,
  4. Restrict usage of sensitive personal information.

The CPRA also would extend the moratorium related to employee data until January 1, 2023; currently, under the CCPA, employee data are not covered until January 1, 2021. Note that California AB-1281, which was enrolled on September 1, 2020, extends the current exemption for employee data to January 1, 2022 in the event that the CPRA is not voted into law.

Lastly, in addition to the private right of action for data breaches under the CCPA, the CPRA would expand this private right of action to include the unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security safeguards.

While many companies are still grappling with the nuances of the CCPA, if the CPRA gets the green light from voters in November, it will bring yet another wave of compliance issues and implementation of new policies, procedures and processes for many businesses in and outside of the California. We will watch this ballot question closely as we near the November election.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.