It would appear that nothing can stop the momentum that is the California Consumer Privacy Act (CCPA) and the privacy advocates who want the people to decide, directly, how their data is used. The privacy advocacy group Californians for Consumer Privacy, headed by Alastair Mactaggart, is moving ahead with plans for an omnibus privacy regulation through a ballot initiative which will add a virtual lead barrier around certain amendments to the CCPA, making them impenetrable by amendment, repeal or replacement without another voter initiative unless the original initiative specifically allows for legislative altering.
The California Privacy Rights Act of 2020 (“CPRA”) is a ballot initiative, which, if enough support is garnered, will be included on the ballot for the presidential election on November 3, 2020. If it passes, it will take effect on January 1, 2023. Similarly, in 2018, the CCPA was initially intended to be a ballot initiative. However, under pressure from panicked technology companies, the CCPA ballot initiative was withdrawn and instead, put through the normal California legislative process. The CCPA then underwent a series of legislative lobbying and negotiations which has led to amendments and modified regulations, even as it has only just gone into effect.
Companies are still in the process of implementing the CCPA, including waiting on the final regulations (yet to be announced) which will supplement the CCPA and incorporating the CCPA into their response to COVID-19 while trying to reopen their businesses. Privacy advocates are, yet again, one step ahead.
The CPRA would add several provisions which would significantly update the CCPA, the most comprehensive and strict data privacy legislation in the nation. Not all of the proposals in the CPRA are negative for companies, however, some have the merit to clarify and even lighten the CCPA burden, on its face. Many will require updated privacy policies, disclosures and procedures for companies.
The CPRA would alter the CCPA by:
- Creating a new category of sensitive personal information (“SPI”). This new category would consist of precise geolocation, race, ethnicity, religion, genetic data, union membership, contents of mail, email and text messages and certain sexual orientation, health, and biometric information. The addition of SPI would give Californians even greater privacy protections on more the intimate types of information that businesses collect. This is also more in line with current protections given to Europeans under the GDPR.
- Requiring businesses to notify consumers at or before the point of collection of SPI as to the categories being collected, whether the information is being sold, and the intended retention period. Under the CPRA, businesses must provide a separate link titled “limit the use of my sensitive personal information” to allow consumers to limit SPI use. The separate link will increase consumers awareness that their SPI is being collected in the first place. Additionally, the link will allow a consumer to easily opt out of such collection.
- Allowing California residents to request correction to inaccurate personal information and requiring businesses to inform consumers of this right. This is a completely new privacy right that is noticeably absent from the CCPA and again, in line with the GDPR.
- Tripling the maximum penalty for privacy violations affecting children and teenagers under age 16—$7,500 per intentional violation.
- Establishing the California Privacy Protection Agency (“Agency”). The Agency will implement privacy laws as well as impose fines for privacy violations. The Agency will also have the authority to investigate possible violations of the CPRA brought to its attention by any person’s sworn complaint or its own initiative.
- Doubling the business eligibility threshold from 50,000 to 100,000—the law would now cover any entity that “alone or in combination, annually buys or sells or shares the personal information of 100,000 or more consumer or households.” Other ways an entity can be covered under the CPRA are (1) if “as of January 1 of the calendar year, [the entity] had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year” or (2) if the entity “derives 50 percent or more of its annual revenues from selling, or sharing consumers’ personal information.”
- Obligating service providers to assist businesses with CCPA compliance activities. Obligations on service providers are somewhat unclear under the CCPA and this will assist businesses in complying with the CCPA and enforcing agreements with service providers.
- Limiting businesses’ liability for violations of the law by “third-party” businesses.
- Clarifying the definition of “sale,” differentiating and exempting from the "Do Not Sell" right and the CCPA “selling” notice requirements, the “sharing” of personal information for cross-context behavioral advertising in some instances.
- Clarifying that businesses may offer loyalty, rewards, premium features, discounts or club card programs.
- Exempting businesses from disclosing trade secrets in response to rights requests or cybersecurity audits or risk assessments. This has been a concern for businesses especially with respect to the disclosure of the financial value of personal information to a business which may lead to a disclosure of business practices and revenue models that are protectable and protected.
- Changing the applicability of the “30-day cure period.” Under the CPRA, the 30-day cure period is reserved only as a means of preventing individual or class-wide statutory damages as part of a private right of action for security violations, not for general violations of the law. Under the CCPA, the cure period applies generally: “a business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance.” Reducing the applicability of the cure period will also increase compliance. More businesses will likely comply without this guaranteed “fix-it” period because the stakes will be higher.
For the CPRA to appear on the November 3, 2020 general election ballot, it must receive 623,212 signatures by June 25, 2020. As of May 4, 2020, Californians for Consumer Privacy has begun submitting over 900,000 signatures to qualify the CPRA for the November 2020 ballot.
Under the California Constitution, the California Legislature cannot amend, repeal or replace a passed ballot initiative without voter input unless the initiative specifically allows for legislative tampering. In 2018, Californians for Consumer Privacy’s success in getting the CCPA on the ballot forced the California Legislature to agree to pass a revised version of the CCPA in exchange for withdrawal of the initiative from the ballot. Given the Californians for Consumer Privacy’s progress toward getting the CPRA on the ballot, the California Legislature may have their hand forced again.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm of approximately 725 lawyers practicing throughout a network of 13 offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy and technology sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.