Data privacy compliance emerged as a top-tier issue for businesses across the globe with the implementation of new laws with broad scope and sweeping coverage, including the EU’s General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and the European Court of Justice’s invalidation of the US-EU Privacy Shield. Next up is a possible set of amendments to the CCPA on the ballot in California this November. What would those changes mean for your organization?

California advocacy group proposes CCPA expansion as ballot initiative

A proposal to bolster the  CCPA has received enough signatures to qualify for November’s general election ballot. The news surprised some political observers, because of both the large number of signatures required for the measure to qualify and the difficulty of obtaining those signatures due to social distancing measures. While 675,000 valid signatures were required, the group Californians for Consumer Privacy — the nonprofit that proposed the measure — collected 900,000.

If adopted, this amendment to the CCPA — dubbed the California Privacy Rights Act of 2020 (CPRA) — would give consumers the right to limit the use and disclosure of sensitive personal information, to opt out of the sale and sharing of that data, and to correct inaccuracies in the data.

The Attorney General’s official title and summary of the measure is as follows:

AMENDS CONSUMER PRIVACY LAWS. INITIATIVE STATUTE.

Permits consumers to: (1) prevent businesses from sharing personal information; (2) correct inaccurate personal information; and (3) limit businesses’ use of “sensitive personal information” — such as precise geolocation; race; ethnicity; religion; genetic data; union membership; private communications; and certain sexual orientation, health, and biometric information. Changes criteria for which businesses must comply with these laws. Prohibits businesses’ retention of personal information for longer than reasonably necessary. Triples maximum penalties for violations concerning consumers under age 16. Establishes California Privacy Protection Agency to enforce and implement consumer privacy laws, and impose administrative fines. Requires adoption of substantive regulations.

The text of the CPRA is available on the website of the California Department of Justice.

Amendments would bring legislation more in line with EU standards

If adopted, the CPRA would bring California law closer to many of the collection, processing and data subject rights enshrined in Europe’s GDPR.

Here are some of the ways it would expand the CCPA or change its enforcement mechanism.

  • Dedicated government agency. The CPRA would create a California Privacy Protection Agency charged with administering, implementing and enforcing the legislation instead of letting that role fall to the California Attorney General. This would bring the CPRA in line with the model implemented in the EU, where independent public authorities (often referred to as “supervisory authorities” or “data protection authorities”) investigate and enforce compliance with the GDPR. The agency would be responsible for developing and adopting rules to implement the CPRA no later than July 1, 2022. The agency could begin investigating and enforcing those rules a year later, on July 1, 2023. The agency would also be charged with informing consumers of their rights and guiding businesses on their responsibilities under the CPRA.

  • Scope of protected information. The measure would create a new sub-category of personal information called “sensitive personal information,” with more protections than those afforded to the broadly defined “personal information.” The definition of “sensitive personal information” includes government identifiers; account and login information; precise geolocation data; racial or ethnic origin; religious or philosophical beliefs; union membership; contents of mail, email and text messages; genetic data; and certain sexual orientation, health and biometric information. This approach is in line with the GDPR, which identifies “special categories of personal data” that are similar to the CPRA’s sensitive personal information, and likewise receive more protection than the general category of “personal data” that is broadly defined and protected under the GDPR.

  • Restrictions on information sharing. Consumers would have the option to direct businesses not to sell or share their personal information, so companies would have to update their links accordingly. This is similar in scope to the GDPR, which applies to both data collection and sharing, but does not include an opt-out on data sale.

  • Error correction. Consumers would have the right to correct inaccurate personal information, which is similar to the right to rectification under the GDPR.

  • Retention periods. The CPRA would also add a new requirement that consumers be notified of the length of time a business intends to retain each category of personal information, and that it may not be held “for longer than is reasonably necessary for that disclosed purpose.” This is also in line with the GDPR, which prohibits retention of data for longer than necessary.

The CPRA contains other amendments that differ from European law as it relates to enforcement. For example, under California law, fines are deposited in a Consumer Privacy Fund that is used to offset the government’s expenses in administering the act. Under the proposed CPRA, 3% of those funds would be assigned to nonprofit organizations that promote and protect consumer privacy. In Europe, GDPR enforcement varies from one country to the next, as the law is administered by local “data protection authorities.” Although the European Commission itself is a standard-setting entity, the GDPR enforcement fines are collected by these data protection authorities.

Prepare for potential new compliance processes

Even though the existing law — the CCPA — was just recently implemented, with enforcement commencing this past month, on July 1, businesses subject to the CCPA will want to follow the progress of the CPRA. If the ballot measure passes in November, a series of legislative events will be triggered, including the automatic extension, five days after the Secretary of State records the vote, of an exemption under the CCPA for personal information collected in business-to-business and employee contexts. The final CPRA legislation would not become effective until January 1, 2023, applying to data collected on or after January 1, 2022. Some aspects of the CPRA would require additional rulemaking once the legislation takes effect.

For the moment, companies with ties to California or that collect, process or use data of California residents should ensure they comply with existing rules under the CCPA, and should watch for any potential enforcement cases that might involve additional guidance. Companies should also maintain strong internal governance to ensure that personal information is adequately collected and safely stored. We’ve previously written about heightened cyber-risks during the COVID-19 pandemic and about what the CCPA means for your company, and our privacy experts are here to help as well.