Ending widespread speculation, Californians for Consumer Privacy announced it is submitting signatures to counties across the state today to qualify the proposed California Privacy Rights Act (CPRA) initiative for the state’s November 2020 ballot. “Stay at home” public health orders and social distancing requirements prevented continued signature-gathering efforts in front of major retail stores, in parks and at public events from farmers markets to professional sports games, leading to speculation—and optimism in some quarters—that the new privacy initiative could not qualify for the statewide ballot this fall. Today’s announcement suggests that that optimism may have been misplaced.
The intent behind the CPRA, sometimes colloquially referred to as “CCPA 2.0,” is to solidify and expand upon the privacy protections introduced in the California Consumer Privacy Act (CCPA), only months after the CCPA itself took effect and before its implementing regulations have been finalized. While the CPRA would introduce a slew of new requirements, its biggest impact would be its ability to protect the CCPA from legislative amendments that privacy rights groups view as an existential threat to the CCPA.
Among the new requirements proposed in the CPRA is the creation of a new category of “sensitive personal information” and a new category of “data sharing” activity that is intended to be regulated similarly to the CCPA’s current treatment of “data sales.” The CPRA would also introduce a new “right to correct,” expand the time period for current “right to know” disclosures, and add opt-in requirements for certain activities. And it takes a cue from proposed privacy legislation in other states by including requirements for businesses to disclose profiling algorithms. These, and most of the CCPA’s existing protections, would be enforced by a new agency called the California Privacy Protection Agency.
Especially notable are the ramifications for the CCPA’s important exemptions for employment-related and business-to-business (B2B) data, which are set to expire on December 31, 2020. The state legislature approved these limited exemptions with the understanding that negotiations would continue among interested parties to come up with a long-term fix in 2020. However, lawmakers to date have shown little interest in pursuing those fixes, appearing content to defer to the CPRA’s proposed extension of those exemptions to January 2023 if passed in November. There has not been momentum for new efforts to address the problem, and now the limited legislative calendar due to COVID-19 makes that prospect more difficult. As a result, businesses may be forced to immediately begin preparing contingency plans for a “no pass” scenario in which the CPRA does not pass in November and employment and B2B data become fully subject to extensive privacy protections—including the right to delete and access information—on New Year’s Day.
Why It Matters: Businesses should begin working with stakeholders and outside counsel now to anticipate the CPRA’s new requirements as well as the impact of a “no pass” scenario on employment-related and B2B data. These developments would only add to a lengthening list of uncertainties as covered businesses continue to refine their CCPA readiness posture in the midst of near-constant change. The CCPA has forced businesses and their service providers into a shotgun start since it was passed only relatively recently in June 2018. Since that time, the nation’s most comprehensive privacy law has seen several amendments, three rounds of proposed regulations, a staggered implementation and enforcement deadline, and a spate of recent lawsuits that promise to test major precepts of the law.