Most companies continue to grapple with compliance with the California Consumer Privacy Act (“CCPA”), which went into effect in January. Companies have overhauled their privacy programs and policies and designed new systems to comply with the CCPA.
Now, the privacy-right activist group that sponsored the CCPA – Californians for Consumer Privacy – is pushing for an even more stringent privacy bill, the California Privacy Rights Act (“CPRA”). The group recently announced it secured the 900,000 signatures needed to qualify for a place on the state’s November 2020 ballot.
If this appears on the ballot and passes, companies will have to once again review their privacy programs and likely amend further to comply. Many other states are also attempting to pass new legislation, so this could all create a complex regime of multiple states with different laws.
The CPRA, as drafted, would amend the CCPA, which has been criticized for over broad definitions and ambiguous language. It would expand the privacy rights of California residents and increase compliance obligations for companies. The CPRA would, as written and among other things:
- New data category. Add a new category of information, known as “sensitive personal information”, which would include health, financial, and geolocation collected, and allow California consumers to block businesses from using this information. Much of this information is covered by federal privacy laws, like HIPAA and GLBA.
- Privacy for children’s data. Enhance children’s privacy rights and triple fines for collecting and selling information of minors under 16 years of age.
- Enforcement Arm. Establish new enforcement authority to protect data privacy rights.
- Correction of data. Give Californians the right to ask businesses to correct inaccurate personal information.
- More breach liability. Update data breach liability, specifically for breaches of a consumer’s email with password or security question. In such cases, hackers would be able to access the consumer’s account, and the CPRA would result in liability for the company experiencing the breach.
However, one thing the CPRA does that may help businesses is provide an additional two-year extension to exemptions for employee and business-to-business data. The current exemption is set to expire at the end of 2020. It is important to note that under the current exemption, while employees are temporarily excluded from most of the CCPA’s protections, two areas of compliance remain: (i) providing a notice at collection, and (ii) maintaining reasonable safeguards for personal information driven by a private right of action now permissible for individuals affected by a data breach caused by a business’s failure to do so.
While the CPRA may have enough signatures to qualify it for the upcoming ballot, the California Secretary of State and local election officials will have to certify the signatures by June 25, 2020. Of the 900,000 signatures submitted, 675,000 must be certified as valid for the CPRA to be included on the November ballot.
We will continue to monitor CPRA developments and provide guidance on compliance with CCPA and new regulations and guidance from the California Attorney General.