On June 24, the eve of the July 1 enforcement date for the California Consumer Privacy Act (CCPA), the California Secretary of State certified the California Privacy Rights Act (CPRA), the latest brainchild of privacy activist (and CCPA spiritual father) Alastair Mactaggart, to appear on the November 2020 ballot after it gained the requisite number of signatures. Mactaggart’s organization Californians for Consumer Privacy, along with other prominent consumer privacy advocates, had repeatedly expressed frustration with the California legislature’s efforts to amend the CCPA in 2019 at the behest of the business community, and they responded with an even more robust comprehensive privacy law that will align California closely with the European Union’s General Data Protection Regulation (GDPR). Pre-pandemic polling has shown the CPRA to be overwhelmingly popular (with support ranging as high as 90 percent), and it is heavily favored to be approved by the voters this fall.
CPRA has a bit of a delayed fuse, with most of the law going into effect on January 1, 2023, and applying (with the exception of the right of data access) only to data collected after January 1, 2022; enforcement would begin on July 1, 2023. Thus, companies that scrambled to implement compliance measures to meet CCPA’s effective date of January 1, 2020 will have sufficient time to prepare for CPRA, which significantly broadens and expands CCPA. However, assuming CPRA is voted into law, it will likely spark a bandwagon effect among the many other states considering broad privacy legislation and increase the clamor for a comprehensive federal privacy law to preempt the growing patchwork of inconsistent state laws. Indeed, the extended runway for CPRA compliance seems to have been designed with this very possibility in mind.
Since there is a lot to unpack in CPRA, this post briefly summarizes its major innovations and modifications of CCPA. (More in-depth and comprehensive analysis will follow in further posts and client alerts.)
If California voters approve CPRA this November, as expected, companies should immediately start the work of upgrading their compliance and revisiting their privacy policies, whether they are covered businesses that determine the business purposes of processing personal information or act as service providers or contractors to businesses that do. In addition, since CPRA will bring California much closer to GDPR and other states will also likely strengthen their privacy and data protection laws, a major gating question for corporate policymakers is whether it is desirable to simply extend CPRA protections to all U.S. residents. The advantages of such an approach are: (i) greater scalability of compliance efforts (as opposed to maintaining an increasing number of divergent privacy frameworks across multiple jurisdictions), (ii) lower regulatory and legal risk, since it may not always be possible to determine with certainty where a consumer or online user resides, and (iii) better optics for both consumers and regulators in states outside California, who might not like being accorded a lower level of privacy than Californians. In addition, while GDPR and CPRA are not entirely co-extensive, their proximity might also weigh in favor of a more standardized approach across national borders. Of course, since every company’s business model and risk profile are different, companies should carefully analyze and weigh the options available. However, with the near-certainty of stricter regulation on the horizon, companies should not postpone strategic decision-making in the privacy area.