As California employers continue to grapple with compliance with employee-related portions of the California Consumer Privacy Act, it is worth keeping an eye on a follow-on law, the California Privacy Rights Act (CPRA), which now has enough signatures to be on California’s November 3, 2020 ballot. Of particular concern to employers should be the fact that if passed as a ballot measure, it will make provisions of the law virtually impossible to amend or alter through the normal legislative and regulatory process. It also means that employers will have a final deadline for compliance which will likely not be extendable for any reason absent another statewide ballot measure. Our colleagues at Squire Patton Boggs’ Security & Privacy//Bytes blog have the details.
The number of verified signatures necessary to put the CPRA on the November ballot cleared its final hurdle on June 24, 2020. This means November 3, 2020 will be a pivotal day for privacy law in California, and will also impact the US more broadly.
Recap: the Road to Certification
The CPRA process began in the fall of 2019 with the filing of a ballot initiative by Alastair Mactaggart on behalf of the group Californians for Consumer Privacy. By mid-March 2020, the group had collected roughly 930,000 signatures in support. The following developments then ensued:
- May 4: The signatures were submitted to the counties in which they were collected to be counted. (See our prior post for more details.)
- May 13/14: Riverside County reported its 56,346 signatures at 5:27pm on May 13th, after the Office of the Secretary of State of California had closed for the day. The Secretary of State ordered the counties to begin the random sample count at 4:14pm on May 14, which pushed the deadline for counties to report on validated signatures to June 26, 2020. This one-day delay threatened to derail CPRA as a viable initiative for the November 2020 ballot.
- June 8: Californians for Consumer Privacy representatives filed a motion for writ of mandate to order the Secretary of State to direct counties to complete their random sampling counts by June 25, the deadline for the measure to be certified. (See our prior post for more details.)
- June 19: The hearing on the writ of mandate was held at the Sacramento Superior Court, and Judge Chang ruled in favor of the proponents to ensure that the procedural delay would not prevent CPRA from being on the ballot in November. The order moved the deadline for counties to report to June 25, in time for the measure to be certified subject to meeting the automatic qualification threshold. (See our prior post for more details.)
- June 24: Two of the final three counties reported their random sample counts, resulting in 718,233 verified signatures. This is 32,699 signatures more than the required number of 685,534 to qualify for automatic certification for the November 2020 ballot. The Secretary of State made this official and certified the measure as eligible for the ballot.
Key Provisions and Details
The CPRA builds on and amends the California Consumer Privacy Act (“CCPA.”) If the referendum passes, the new law will go into effect on January 1, 2023, with the exception of certain provisions that will have immediate effect. Unlike the CCPA, the CPRA limits future amendments to those that further consumer privacy, which means the CA Legislature will not be able to amend the law to reduce consumer rights or water-down requirements.
Some of the key and likely impactful elements are highlighted below. We will be following up with detailed posts on the various changes and considerations in the coming days and weeks.
- Creation of a New Privacy Protection Agency: The CPRA creates the California Privacy Protection Agency which will be initially funded with $5 million dollars in 2020-2021, and $10 million in each following year.
- More Regulations: The CPRA initially requires the Attorney General to update and amend the CCPA regulations with a significant number of new provisions. The baton will then pass to the newly created California Privacy Protection Agency on the later of July 1, 2021 or six months after the new Agency notifies the AG that it is ready to take over. The final regulations arising from the CPRA must be adopted by July 1, 2022.
- Special Treatment for Sensitive Personal Information: The CPRA defines a new category of sensitive personal information and affords it heightened protections.
- Additional Rights: Consumers will have additional rights such as the ability to correct their personal information, opt-out of advertisers using precise geolocation, and restrict usage of sensitive personal information.
- Risk Assessments and Audits: The new Agency will have the authority to audit a business’s privacy practices and issue regulations requiring annual audits and regular risk assessments for organizations that meet certain thresholds.
- Immediate Extension of Personnel and B2B Exemptions: The current exemptions for personnel/applicants and B2B communications will remain in place through January 1, 2023, extending the current expiration date of January 1, 2021. However, it is virtually certain that they will expire in 2023, as the California Legislature will be precluded from amending CPRA to decrease the rights of personnel or business contacts under the limitation mentioned above.
All of this is happening just as the CCPA is about to become enforceable on July 1, 2020, with the final regulations having been submitted for approval by the California Office of Administrative Law only a few weeks ago.
The next few months will undoubtedly generate many new questions about how businesses should approach CCPA compliance in the face of these impending and potential changes. The Data Privacy and Cybersecurity Team at Squire Patton Boggs is here to help clients evaluate their regulatory requirements and risks, and determine the best approach for their businesses. Please reach out to the authors of this article or your usual SPB contact if you require assistance or have any questions.