Data privacy compliance emerged as a top-tier issue for businesses across the globe with the implementation of new laws with broad scope and sweeping coverage, including the EU’s General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and the European Court of Justice’s invalidation of the US-EU Privacy Shield. Next up is a possible set of amendments to the CCPA on the ballot in California this November. What would those changes mean for your organization?
A proposal to bolster the CCPA has received enough signatures to qualify for November’s general election ballot. The news surprised some political observers, because of both the large number of signatures required for the measure to qualify and the difficulty of obtaining those signatures due to social distancing measures. While 675,000 valid signatures were required, the group Californians for Consumer Privacy — the nonprofit that proposed the measure — collected 900,000.
If adopted, this amendment to the CCPA — dubbed the California Privacy Rights Act of 2020 (CPRA) — would give consumers the right to limit the use and disclosure of sensitive personal information, to opt out of the sale and sharing of that data, and to correct inaccuracies in the data.
The Attorney General’s official title and summary of the measure is as follows:
Permits consumers to: (1) prevent businesses from sharing personal information; (2) correct inaccurate personal information; and (3) limit businesses’ use of “sensitive personal information” — such as precise geolocation; race; ethnicity; religion; genetic data; union membership; private communications; and certain sexual orientation, health, and biometric information. Changes criteria for which businesses must comply with these laws. Prohibits businesses’ retention of personal information for longer than reasonably necessary. Triples maximum penalties for violations concerning consumers under age 16. Establishes California Privacy Protection Agency to enforce and implement consumer privacy laws, and impose administrative fines. Requires adoption of substantive regulations.
The text of the CPRA is available on the website of the California Department of Justice.
If adopted, the CPRA would bring California law closer to many of the collection, processing and data subject rights enshrined in Europe’s GDPR.
Here are some of the ways it would expand the CCPA or change its enforcement mechanism.
The CPRA also contains amendments relating to enforcement that differ from European law. For example, under California law, fines are deposited in a Consumer Privacy Fund that is used to offset the government’s expenses in administering the act. Under the proposed CPRA, 3% of those funds would be assigned to nonprofit organizations that promote and protect consumer privacy. In Europe, GDPR enforcement varies from one country to the next, as the law is administered by national “data protection authorities.” Although the European Commission itself is a standard-setting entity, GDPR enforcement fines are collected by these data protection authorities.
Even though the existing law — the CCPA — was just recently implemented, with enforcement commencing this past month, on July 1, businesses subject to the CCPA will want to follow the progress of the CPRA. If the ballot measure passes in November, a series of legislative events will be triggered, including the automatic extension, five days after the Secretary of State records the vote, of an exemption under the CCPA for personal information collected in business-to-business and employee contexts. The final CPRA legislation would not become effective until January 1, 2023, applying to data collected on or after January 1, 2022. Some aspects of the CPRA would require additional rulemaking once the legislation takes effect.
For the moment, companies with ties to California or that collect, process or use data of California residents should ensure they comply with existing rules under the CCPA, and should watch for any potential enforcement cases that might involve additional guidance. Companies should also maintain strong internal governance to ensure that personal information is adequately collected and safely stored. We’ve previously written about heightened cyber-risks during the COVID-19 pandemic and about what the CCPA means for your company.