The Bottom Line
- With CCPA regulations yet to be finalized and the possibility of further changes on the horizon, CCPA compliance remains a moving target. The CPRA — which has been dubbed “CCPA 2.0” — may be headed for the November 2020 ballot in California. Businesses that collect personal information from California residents must ensure that they are prepared for CCPA enforcement to begin on July 1, 2020.
With the July 1, 2020 California Consumer Privacy Act (CCPA) enforcement date quickly approaching, the California Attorney General has yet to finalize the implementing regulations, leaving businesses uncertain about their compliance obligations under the new law. Additionally, according to the California Office of Administrative Law (OAL), regulations normally need to be filed with the OAL between March 1 and May 31 in order for approved regulations to become effective on July 1.
As the end of May nears without the CCPA regulations appearing on the OAL’s long list of Proposed Regulations Under Review, the possibility that CCPA regulations will become effective on July 1, 2020 (as originally expected) is fading. If the regulations are submitted sometime between June 1 and August 31, the actual effective date would likely be October 1, according to the OAL’s timelines. Therefore, businesses should continue to look at the most recent version of the draft CCPA regulations.
The California Privacy Rights Act
As businesses work on CCPA compliance and await final CCPA regulations, they also need to keep an eye on the California Privacy Rights Act (CPRA), a new California ballot initiative that aims to amend and expand upon the CCPA. The initiative is being spearheaded by the Californians for Consumer Privacy organization, the same group that drove the initiative that resulted in the CCPA.
The organization has described the CPRA as an effort to address concerns that large companies are trying to weaken and undermine the CCPA and to ensure that the law is keeping pace with changes in technology.
With over 930,000 signatures submitted in support of the CPRA, the initiative has a strong chance of appearing on the 2020 November ballot in California. Before that can happen, the signatures need to go through a verification process to validate that at least 623,212 signatures have been collected from registered voters. County elections officials are now in the midst of a random sampling process to verify the signatures. Early reports from several counties show that nearly 78% of the signatures are valid. If that percentage holds and the signatures are certified by the Secretary of State by June 25, 2020, the CPRA will qualify for the ballot.
The CPRA Effects on the CCPA
If California voters pass the CPRA into law, it would significantly make over the CCPA. The CPRA would effectively change the following:
- Create a new definition for “sensitive personal information” (defined to include government identifiers; account and login information; precise geolocation data; race; ethnicity; religion; genetic data; union membership; contents of private communications; and certain sexual orientation, health and biometric information) and a requirement to include a link allowing consumers to limit the use of such data.
- Establish new consumer rights, including the right to correct inaccurate personal information and the right to limit a business’ use of sensitive personal information.
- Differentiate the “sharing” of personal information for “cross- context behavioral advertising” from “sales” of personal information and provide consumers the right to opt-out of such sharing. These changes suggest that a disclosure of personal information related to behavioral advertising may not necessarily be a “sale” of personal information, but must, in any event, be subject to a right for consumers to opt-out, regardless of whether a sale has occurred.
- Prohibit retaining personal information for longer than reasonably necessary.
- Require businesses to enter into contracts with third parties, service providers and contractors.
- Add direct obligations on service providers, including to assist businesses with compliance and to enter into contracts with their sub-processors.
Increased Fines and Higher Thresholds
- Increases maximum fines for privacy violations regarding minors under 16 from $2,500 to $7,500.
- Increase the number for consumers or households from 50,000 to 100,000 for the key threshold to meet the definition of a “business” under the CCPA, while removing “devices” from that calculation.
- Establish a state regulatory agency called the “California Privacy Protection Agency” for purposes of enforcing and implementing the law.
- Require the Attorney General to adopt additional regulations.
It’s worth mentioning that the CCPA was borne out of negotiations between the Californians for Consumer Privacy and state lawmakers, with the organization agreeing to withdraw its ballot initiative and concede certain items (e.g., private right of action for privacy violations but not data breaches) in exchange for lawmakers promising to pass consumer privacy legislation. Unless a similar compromise occurs, the CPRA appears likely to land on the November ballot.