The California Privacy Rights Act officially cleared the threshold to make it onto the November 2020 ballot last week. It was a bumpy road to certification, but Californians for Consumer Privacy ended up with significantly more than the minimum required verified signature count. This came despite most of California being in COVID-19 lock-down since April and an unexpected administrative delay by Riverside County that threatened to derail the initiative just a few weeks ago.
It will now be up to California voters to decide whether the most radical change in US privacy laws in recent history gets enacted or not. The CPRA is structured as an amendment to the current California Consumer Privacy Act, and key proposed changes include:
- More regulations: The CPRA initially requires the California Attorney General to update and amend the CCPA regulations with a significant number of new provisions. The baton will then pass to the newly created California Privacy Protection Agency on the later of July 1, 2021 or six months after the new CalPPA notifies the attorney general that it is ready to take over. The final regulations arising from the CPRA must be adopted by July 1, 2022.
- Special treatment for sensitive personal information: The CPRA defines a new category of sensitive personal information and affords it heightened protections.
- Additional rights: Consumers will have additional rights such as the ability to correct their personal information, opt out of advertisers using precise geolocation, and restrict usage of sensitive personal information.
- Risk assessments and audits: The CalPPA will have the authority to audit a business’s privacy practices and issue regulations requiring annual audits and regular risk assessments for organizations that meet certain thresholds.
- Immediate extension of personnel and B2B exemptions: The current exemptions for personnel/applicants and B2B communications will remain in place through Jan. 1, 2023, extending the current expiration date of Jan. 1, 2021. However, it is virtually certain that they will expire in 2023, as the California Legislature will be precluded from amending CPRA to decrease the rights of personnel or business contacts under the limitation mentioned above.
- Self-certification: Entities that do not qualify as a “business” by the thresholds established in the CPRA will have the option to self-certify to the CalPPA that they are compliant with and agree to be bound by the CPRA.
The seismic shift is not only about the new rights and additional requirements; it is also about higher fines and enforcement. At the state level, we have never experienced steady, thoughtful enforcement by a well-funded privacy regulator in the U.S. whose mission includes not only maintaining compliance by imposing fines and corrective actions on infringers, but also educating the public and developing guidelines for the industry.
CPRA would create such an enforcer: the CalPPA. The CalPPA will be vested with full administrative power, authority and jurisdiction to implement and enforce CPRA. It will be funded initially with $5 million (for 2020-2021) and $10 million in each following year. The CPRA provides for a progressive transfer of authority from the current regulator (the California Attorney General) to the CalPPA over time. The new agency will have the authority to audit a business’s privacy practices and further develop CPRA by issuing regulations on a wide range of areas, including requiring annual audits and regular risk assessments for organizations that meet certain thresholds.
In the words of Alastair Mactaggart:
“Establishing a new authority to protect California privacy rights was a key goal of CPRA. In order to ensure its independence, we modeled the structure of the agency after the California Fair Political Practices Commission. The agency will be governed by a five-member board (with the Chair and one member appointed by the Governor and the remaining members appointed by the attorney general, Senate Rules Committee and speaker of the Assembly). We expect the new agency to not only vigorously pursue enforcement that ensures consumers get back control over their data, but also engage with the industry and provide guidelines and regulations in furtherance of CPRA.”
The key question that remains: What will California voters do come November?
It is always difficult to predict the outcome of an election. It is nearly impossible when the only available polls pre-date an unprecedented health crisis that has forced the California governor to declare a budget emergency and tap into the California rainy day fund. California anticipates a $54.3-billion budget deficit this year. Last month, the California governor laid out a grim revised budget plan that would slash state funding for education and other popular programs to make up for the yawning shortfall. Will Californians be ready to put $5 million, then $10 million, towards this agency? How will California residents feel about increased compliance costs for the thousands of medium and small businesses still fighting to survive after months of lock-down?
The proponents believe that the current crisis could work in their favor.
“Although it is true that the difficult economic situation we are in could raise concerns about investing in a new agency among California voters, it is also true that the pandemic is fueling voter concerns about intrusive data collection and unethical use of personal information leading to discrimination,” said Mactaggart. “Also, we know from prior polls that Californians overwhelmingly support stronger protections with regards to children's data, which CPRA provides. Therefore, we are confident that come November, Californians will vote yes on CPRA.”