On November 3, 2020, Californians will vote on Proposition 24, a ballot measure that would create the California Privacy Rights Act (CPRA). If passed, the CPRA would expand the recently operative California Consumer Privacy Act (CCPA) and move California’s privacy regime toward that of the EU General Data Protection Regulation (GDPR). If you are left wondering what it all means for privacy regulation in California and beyond, you are not alone. Below we summarize the CPRA and Proposition 24.

1. How will the CPRA become law?

If Proposition 24 gets more “yes” than “no” votes from Californians in this fall’s General Election, CPRA will become law. California is notorious for its ballot proposition system, which is unique for its breadth and the costs involved with supporting an initiative in the nation’s most populous state. The system allows advocates to bypass traditional stakeholders in government and industry and, if successful, can result in laws more insulated from legislative revision without subsequent voter approval.

This is not the first time the group behind the CPRA has proposed a privacy measure for the California ballot. In June 2018, Californians for Consumer Privacy had initially gathered enough signatures to qualify the Consumer Right to Privacy Act of 2018 for the November 2018 ballot. In response, the California Legislature negotiated the withdrawal of the initiative from the ballot in exchange for passage of the CCPA, which is a slightly less restrictive version of its predecessor initiative.

The group spearheading the original initiative, however, has not been satisfied with the CCPA, which is now the nation’s most comprehensive consumer privacy law. The group’s founder, Alastair Mactaggart, has expressed frustration over what he perceived were industry efforts to weaken the CCPA through amendments and concluded that a ballot measure was required.

On June 24, 2020, the California Secretary of State announced that Californians for Consumer Privacy had collected the required number of valid signatures to qualify the CPRA for the November 2020 ballot. If passed, as early polling indicates, the CPRA would both expand upon and amend the CCPA, creating new consumer privacy rights, privacy requirements and enforcement mechanisms. Mr. Mactaggart has publicly stated that a similar legislative compromise will not be pursued this time around, and indeed, the time for such a compromise has now passed.

2. What are the effects of the CPRA’s passage?

If passed, the CPRA may become a near-permanent baseline for California privacy law absent a subsequent ballot measure to repeal it, because it requires that any amendments be “consistent with and further the purpose and intent of this Act.” In other words, if Sacramento lawmakers ever passed a CPRA amendment that is even arguably privacy restrictive, privacy advocates and other Californians may sue to attempt to repeal that amendment. Other ways to modify the CPRA would be through a subsequent ballot measure or if the federal government invalidates the law via a pre-emptive federal privacy law or a Supreme Court ruling of unconstitutionality.

3. When would the CPRA become effective?

Most of the CPRA’s substantive provisions will not take effect until January 1, 2023, providing covered businesses with two years of valuable ramp-up time. The CPRA authorizes the rulemaking process to begin during that same period. Notably, however, the CPRA’s expansion of the “Right to Know” impacts personal information (PI) collected during the ramp-up period, on or after January 1, 2022. Businesses would have to comply with the CCPA and any regulations in the meantime.

The CPRA’s extension of the current limited CCPA exceptions for employment and business-to-business data, however, would become effective immediately.

4. How does the CPRA compare with the CCPA?

The CPRA would augment and expand the CCPA in many ways. We break down notable changes by topic below.

a. New criteria for which businesses are regulated

The CPRA modifies the definition of a covered “business” in notable ways that both increase and decrease the number of businesses currently subject to the CCPA:

  • Doubles the CCPA’s threshold number of consumers or households from 50,000 to 100,000, resulting in reduced applicability to small and midsize businesses.
  • Expands applicability to businesses that generate most of their revenue from sharing PI, not just selling it, which is defined as sharing with third parties for purposes of cross-context behavioral advertising.
  • Extends the definition to joint ventures or partnerships composed of businesses that each have at least a 40% interest.

b. New category of ‘sensitive personal information’

The CPRA introduces “sensitive personal information” as a new regulated dataset in California. The category is subject to new disclosure and purpose limitation requirements, and consumers would have new rights designed to limit businesses’ use of their sensitive PI.

Sensitive PI includes government identifiers (such as Social Security numbers and driver’s licenses); financial account and login information (such as credit or debit card number together with login credentials); precise geolocation; race, ethnicity, religious or philosophical beliefs, or union membership; content of nonpublic communications (mail, email and text messages); genetic data; biometric or health information; and sex life or sexual orientation information.

The CPRA provides for new rights and amends existing rights:c. New and expanded consumer privacy rights

Brand-new rights

  • Right to Correction. Consumers may request any correction of their PI held by a business if that information is inaccurate.
  • Right to Opt Out of Automated Decision Making Technology. The CPRA authorizes regulations allowing consumers to opt out of the use of automated decision making technology, including “profiling,” in connection with decisions related to a consumer’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
  • Right to Access Information About Automated Decision Making. The CPRA authorizes regulations allowing consumers to make access requests seeking meaningful information about the logic involved in the decision-making processes and a description of the likely outcome based on that process.
  • Right to Restrict Sensitive PI. Consumers may limit the use and disclosure of sensitive PI for certain “secondary” purposes, including prohibiting businesses from disclosing sensitive PI to third parties subject to certain exemptions.

Modified rights

  • Modified Right to Delete. Businesses are now required to notify third parties to delete any consumer PI bought or received, subject to some exceptions.
  • Expanded Right to Opt Out. The CCPA already grants consumers the right to opt out of the sale of their PI to third parties, which implicitly includes sensitive PI; however, the opt-out right now covers “sharing” of PI for cross-context behavioral advertising as outlined below.
  • Strengthened Opt-In Rights for Minors. Extends the opt-in right to explicitly include the sharing of PI for behavioral advertising purposes. As with the opt-out right, businesses must wait 12 months before asking a minor for consent to sell or share his or her PI after the minor has declined to provide it.
  • Expanded Right to Data Portability. Consumers may request that the business transmit specific pieces of PI to another entity, to the extent it is technically feasible for the business to provide the PI in a structured, commonly used and machine-readable format.

d. Directly regulates the sharing of PI for cross-context behavioral advertising

In an attempt to explicitly regulate digital advertising, the CPRA distinguishes between two types of advertising: “cross-context behavioral advertising” and “non-personalized advertising.” The sharing of PI for cross-context behavioral advertising is subject to the Right to Opt Out, whereas the use of PI (apart from precise geolocation) for non-personalized, first-party advertising is not and is instead designated as internal “business purpose.” These newly defined terms solidify a current interpretation of the CCPA that the Right to Opt Out extends to certain behavioral advertising practices. Business that were already operating under this interpretation likely do not need to heavily modify their compliance programs.

e. Creates a new privacy enforcement authority

The GDPR utilizes a network of Data Protection Authorities for each member state to enforce the law. Similar authorities dedicated to the enforcement of privacy law are absent from the federal and California governments; instead, the CCPA is currently enforced by the California Office of the Attorney General (OAG). The CPRA would establish the California Privacy Protection Agency (CPPA), which would be granted investigative power and be tasked with bringing enforcement actions and promulgating regulations. Most notably, the CPRA would remove the 30-day cure period that businesses currently enjoy under the CCPA after being formally notified by the OAG of an alleged violation. The CPRA also triples the maximum penalties to $7,500 for violations concerning minors.

f. Adopts certain GDPR principles

The CPRA codifies the concepts of data minimization, purpose limitation and storage limitation—all principles currently enforced in Europe through the GDPR:

  • Data minimization. A business’s collection, use, retention and sharing of PI must be minimized to what is reasonably necessary and proportionate to achieve the purpose of collection or processing or for another disclosed purpose that is compatible with the context of collection; the processing must not be subject to processing for incompatible, undisclosed purposes.
  • Purpose limitation. Businesses must not collect or use PI for a new purpose that is incompatible with previously disclosed purposes without first providing consumer notice.
  • Storage limitation. Businesses must disclose, at the time of collection, their retention periods for each category of PI (or if that is not possible, the criteria used to determine such period). Businesses are further prohibited from retaining PI for longer than is “reasonably necessary” for each disclosed purpose.

Most consequentially, the CPRA brings data minimization and data retention requirements into the realm of direct liability by appearing to authorize the state regulator to enforce the failure to reasonably minimize data or retain PI for no longer than reasonably necessary, even if such failure does not lead to further CPRA violations. The CPRA’s purpose and storage limitation, by contrast, appears to be more indirectly enforceable as a failure to properly disclose such practices in a privacy policy or notice at collection.

g. Service providers and contractors

The CPRA amends the definition of “service provider” and introduces “contractors,” a new category of recipients of PI who process PI made available to them by businesses pursuant to a written contract. The CPRA imposes the same contractual and direct obligations on contractors that it otherwise imposes on service providers, and also requires contractors to certify that they understand and will comply with such contractual obligations.

Here are the materially new obligations and prohibitions the CPRA imposes on service providers and contractors:

  • Requires service providers and contractors to notify businesses of any engagement with a sub-service provider or subcontractor and to bind those parties to the same written contract that is otherwise arranged between businesses and service providers.
  • Directly obligates service providers and contractors to cooperate and assist businesses in response to privacy rights requests.
  • Clarifies that businesses must contractually prohibit service providers and contractors from combining any PI received from the business with PI from other sources or collected on its own behalf (subject to exceptions).

h. Employee and B2B exemptions

The CPRA extends the employee and business-to-business (B2B) exemption to January 1, 2023, allowing two years for the California Legislature to address employee and B2B privacy questions in a separate bill. It is possible, however, that the California Legislature will not be able to subsequently extend the exemptions beyond 2023 if consumer advocates are successful in blocking such an amendment as not “consistent with and further[ing] the purpose and intent of [the CPRA].”

i. New consent standard

The CPRA also fleshes out the “consent” standard, bringing it closer to the strict standard utilized in Europe. The consent standard, however, is used only in the following relatively marginal scenarios, some of which already required consent under the CCPA:

  • Consenting to the sale or sharing of PI after an opt-out
  • Minor opt-in consent for sales and sharing of PI
  • Consenting to secondary use and disclosure of sensitive PI after an opt-out
  • The research exemptions
  • Opt-in consent for financial incentive programs

j. Data breaches and private right of action

The CPRA does not explicitly attempt to alter the CCPA’s existing private right of action for data breaches; however, the CPRA does add consumer login credentials to the list of data types that can be actionable under the law if breached.

5. Timeline

If passed, the CPRA’s timeline over the next three years is complex, with several dates fixed on contingent events. Here are the basics:

  • May 4, 2020 – Signatures submitted
  • November 3, 2020 – General Election
  • November Certification Date – Secretary of State certifies election results
  • November Certification Date + 5 days – Employment and B2B exemptions extended; certain provisions authorizing the CPPA go into effect
  • January 1, 2021 – CPRA becomes operative, effectively blocking any subsequent and conflicting privacy legislation
  • On or about July 1, 2021 – Rulemaking process commences (or later if it has not yet been six months since CPPA formally notified OAG)
  • January 1, 2022 – 12-month lookback period for collected data commences
  • July 1, 2022 – Deadline for CPPA to adopt final regulations
  • January 1, 2023 – CPRA becomes fully operative and enforceable; employment and B2B exemptions expire, and those datasets become fully regulated by the CPRA