Apart from implementing compliance measures to meet the California Consumer Privacy Act (CCPA), employers need to keep an eye on a follow-on law, the California Privacy Rights Act (CPRA), which has enough signatures to be on California’s November 3, 2020, ballot. It is particularly important to note that, if passed as a ballot measure, it will make provisions of the law virtually impossible to amend or alter through the normal legislative and regulatory process. This also means that employers will have a final deadline for compliance which will probably not be extendable for any reason except in the case of another statewide ballot measure.
What Is the California Privacy Rights Act?
The California Privacy Rights Act is a consumer privacy ballot initiative from Californians for Consumer Privacy, the non-profit privacy advocacy organization behind the enactment of the CCPA in 2018. After the California legislature’s efforts to amend the CCPA in 2019 on behalf of the business community, this organization responded with an even more comprehensive privacy law that would align California closely with the European Union’s General Data Protection Regulation (GDPR). On June 25, the California Privacy Rights Act qualified to be on California’s ballot in the upcoming general election.
If California voters approve the measure, the CPRA would establish and fund the California Privacy Protection Agency, a state agency dedicated to enforcement and promulgation of regulations. CPRA’s additional substantive obligations would take effect on January 1, 2023, while enforcement of CPRA-related obligations would begin on July 1, 2023.
Key Provisions of the California Privacy Rights Act
The California Privacy Rights Act significantly broadens and expands the California Consumer Privacy Act, imposes new obligations on businesses, grants consumers new rights, and modifies the CCPA’s enforcement provisions. Here are some of the notable changes the CPRA introduces:
New criteria for covered businesses
The California Privacy Rights Act modifies the definition of a covered business in ways that both increase and decrease the number of businesses currently subject to the CCPA since it:
- Doubles the CCPA’s threshold number of consumers or households from 50,000 to 100,000, resulting in reduced applicability to small and midsize businesses,
- Expands applicability to businesses that generate most of their revenue from sharing PI, not just selling it, where “sharing” is defined as disclosing PI to third parties for purposes of cross-context behavioral advertising,
- Extends the definition to joint ventures or partnerships composed of businesses that each have at least a 40% interest.
A new definition of sensitive personal information
The California Privacy Rights Act introduces sensitive personal information as a new regulated dataset in California. Sensitive personal information includes government identifiers, financial account and login information, precise geolocation, race, ethnicity, religious or philosophical beliefs, the content of nonpublic communications, genetic data, biometric or health information, and sex life or sexual orientation information.
Expanded consumer privacy rights
- Consumers will have the right to request that businesses correct inaccurate information about the consumer,
- Consumers can limit a business’s ability to collect and use geolocation data that has a level of precision within 1,850 feet,
- Businesses need to inform consumers of their data retention policies, and are not allowed to keep data longer than is reasonably necessary,
- Consumers have the ability to prohibit businesses from sharing data with others for the purposes of cross-context behavioral advertising,
- Consumers may request that the business transmit specific pieces of PI to another entity, to the extent it is technically feasible for the business to provide the PI in a structured, commonly used, and machine-readable format.
- The CCPA’s 30-day cure period is eliminated for government enforcement actions, replaced with a provision allowing the government the discretion to abstain from enforcement actions depending on the circumstances.
- The penalties for mishandling children’s information are tripled from $2,500 per incident to $7,500, dramatically increasing the consequences of violating the statute.
- The scope of potential data breach claims is increased by the CPRA’s clarification that leaks of email accounts combined with a password or security question information can support a cause of action for statutory damages.
Adoption of certain GDPR principles
The California Privacy Rights Act codifies the concepts of data minimization, purpose limitation, and storage limitation, principles currently enforced in Europe through the GDPR:
- A business’s collection, use, retention, and sharing of PI has to be minimized to what is reasonably necessary and proportionate to achieve the purpose of collection or processing or for another disclosed purpose that is compatible with the context of the collection,
- Businesses cannot collect or use PI for a new purpose that is incompatible with previously disclosed purposes without first providing consumer notice,
- Businesses need to disclose, at the time of collection, their retention periods for each category of PI.
How to Prepare for the California Privacy Rights Act
The California Privacy Rights Act will not take effect immediately, even if approved by voters. Businesses should therefore continue with their CCPA compliance efforts, as the CCPA’s requirements will remain enforceable, and the same compliance infrastructure can be reused in preparation for the California Privacy Rights Act. In particular, businesses should pay attention to tracking data flows, refining privacy practices and policies, establishing business-to-business security and privacy obligations through contracts, and promptly responding to consumer requests.
Businesses should also closely monitor privacy developments in California, in other states, and at the federal level. Given both the CCPA and the CPRA, the introduction of comprehensive federal privacy legislation is possible, especially if other states enact privacy legislation with differing requirements. Integrating proper programs and technologies can also help businesses assess their existing technology and upgrade or adapt it in response to the California Privacy Rights Act. This step can be critical in preparing for stricter privacy regulations and preventing potential non-compliance penalties. Ensure constant data protection and stay ahead of evolving data regulations while preventing potential non-compliance issues and costly mistakes.