Alastair Mactaggart, developer of the ballot initiative that led to the California Consumer Privacy Act (“CCPA”), has announced a “new experiment” – a November 2020 California ballot initiative to expand the scope of data privacy rights under the CCPA. In a letter announcing his new California Privacy Enforcement Act initiative, Mactaggart explained that his ballot initiative would seek to:
- Create a new California Privacy Protection Agency entity to enforce the CCPA, a responsibility that is largely now in the hands of the California Attorney General;
- Require companies to disclose more detail regarding profiling algorithms and personal information relative to employment, housing and credit;
- Increase penalties for violations of children’s privacy by tripling the amount companies are fined for collecting or selling the personal information of minor’s under 16 year of age without consent;
- Require companies to disclose whether, and how, they use personal information to influence elections;
- Allow the California State Legislature to make additional amendments to the CCPA with a simple majority vote only when those amendments further the CCPA.
At present, companies are still awaiting release of regulations from the California Attorney General regarding the existing CCPA before its rights go into effect on January 1, 2020, with enforcement by the Attorney General starting no later than July 1, 2020.
The introduction of this second initiative has the potential to usher in another wave of amendments and legislative negotiations that may add further complexity and uncertainty to CCPA compliance. Covered companies will need to stay vigilant and continue to evaluate how to build compliance programs in light of the ever-evolving statute. California is indeed set on a course to raise the international level of data protection programs; even companies that are fully compliant with Europe’s General Data Protection Regulation will need to take California compliance into account.
Multiple other states are expecting to take up privacy laws in the new legislative sessions as well. Roughly two dozen other states and territories proposed new bills targeting consumers’ data privacy rights in their last legislative sessions. The interplay of these potentially inconsistent state laws will lead to complex choices of law and conflict of law issues that have to date largely been unnecessary to address.
Calls for federal legislation were already issued before Mactaggart’s latest announcement, and it will no doubt fuel these efforts. Prominent companies have been urging Congress to pass a comprehensive federal data privacy bill that would preempt state privacy laws in order to provide uniformity and concrete guidance. That said, federal privacy legislation seems to be an uphill push. Given other priorities on Capitol Hill, we do not currently expect a federal privacy law until 2021 at the earliest.