Despite a day of election uncertainty, November 3, 2020 produced an important moment for privacy legislation: California voters approved Proposition 24 (the California Privacy Rights Act) (CPRA) (full text here). Garnering 56.1% of the vote so far, the initiative will almost certainly meet the majority threshold to become the new law of the land in California.
The CPRA amends key portions of the 2018 California Consumer Privacy Act (CCPA), which went into effect earlier this year. The CPRA gives additional rights to consumers and places additional obligations on businesses. The new law provides additional protections for sensitive personal information, expands CCPA’s opt out rights to include new types of information sharing, and requires businesses to provide additional mechanisms for individuals to access, correct, or delete data, with a particular focus on information used by automated decision-making systems.
What’s next? The new law is scheduled to become operative in 2023, but preparations will occur over the next two years: a new California Privacy Protection Agency will be established, funded, and tasked with taking over rulemaking from the California Attorney General; and businesses will need to interpret (and build systems to comply with) the law’s additional consumer privacy rights. The establishment of a dedicated Privacy Protection Agency is a major milestone for privacy in the US, and we expect the passage of the CPRA to energize efforts to pass comprehensive federal privacy legislation.
NEXT STEPS FOR THE NEW CA AGENCY: FUNDING, RULEMAKING, AND ENFORCEMENT
The CPRA transfers all funding, rulemaking, and enforcement authority from the Attorney General to the new California Privacy Protection Agency (PPA). Primary enforcement responsibilities remain vested with the state agency (rather than in a private right of action), with minor but significant changes. Specifically, the CPRA triples penalties for violations regarding minors under the age of 16 and removes the 30-day cure period that businesses can currently utilize under the CCPA. CCPA’s narrow private right of action for security breaches remains intact.
Absent amendment by the California legislature, the timeline for funding, rulemaking, and enforcement for the PPA will be:
- Certification that Proposition 24 Passed – Votes may continue to be received and counted as late as November 20, which is the deadline for the state to receive mail-in ballots postmarked by November 3rd. Analysts do not expect mail-in ballots to impact CPRA’s passage.
- Funding and Establishment of the Agency (2020) – In accordance with Section 31 of the CPRA and Article II, Section 10(a) of the California Constitution, the Act becomes effective five days after the Secretary of State “files the statement of the vote for the election.” This timeline means that the funding and establishment of the new California PPA is likely to begin soon, as early as December 2020.
- Adopting Regulations (2021-22) – According to Section 21 of the CPRA (amending Section 1798.185 of the Civil Code), the new PPA may begin exercising its rulemaking authority as early as July 1, 2021, or six months after the Agency provides notice to the Attorney General that it is prepared to begin rulemaking. The timeline for adopting final regulations required by the Act is set for July 1, 2022.
- Obligations Become Operative (January 1, 2023) – Substantive obligations for businesses are scheduled to become operative on January 1, 2023. Obligations will apply to personal information collected by a business on or after January 1, 2022.
- Enforcement (July 1, 2023) – The CPRA provides that all civil and administrative enforcement by the new Agency of the provisions in the CPRA shall not commence until July 1, 2023, and shall only apply to violations occurring on or after that date. Notably, there will be no gap between CCPA and CPRA enforcement – CPRA states that enforcement of CCPA provisions will continue “and shall be enforceable until the same provisions of [the CPRA] become enforceable.”
In the meantime, the California Attorney General has solicited broad public comments for the CCPA throughout 2019 and 2020, including as recently as October 2020 (in a third modified rulemaking). These rules will continue in effect and be supplemented by rules adopted by the new Agency.
ADDITIONAL CONSUMER PRIVACY RIGHTS AND BUSINESS OBLIGATIONS
In substance, the most significant changes in the CPRA are that the law expands the right to opt-out of sharing of information, and establishes new rights to limit businesses’ uses of “sensitive personal information,” a new term defined broadly to include, among other things: information about sexual orientation, race and ethnicity, precise geolocation, and health conditions.
- Expanded Right to Opt-Out of Data “Sharing” (in Addition to Sale) — Under existing law, California residents can request to opt-out of the “sale” of their personal information. The CPRA expands this opt-out right to include both “sale” and “sharing,” including disclosing personal information to third parties “for cross-context behavioral advertising,” a clarification that brings greater certainty regarding how California law regulates online ad networks. Subject to interpretation and rulemaking by the new Privacy Protection Agency, businesses will likely be required to respect a global opt-out mechanism, or “opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism, based on technical specifications set forth in regulations . . .” (1798.135). So far, at least one draft technical specification has emerged, the Global Privacy Control introduced by privacy-focused tech companies, nonprofits, and publishers.
- Expanded Right to Access — Under the existing CCPA right to access, California consumers can request access to all categories of personal information collected by companies over the previous 12 months. The CPRA will extend that 12-month window indefinitely (beginning January 1, 2022), requiring that businesses provide access to all categories of personal information collected “unless doing so proves impossible or would involve a disproportionate effort.”
- Right to Correct Inaccurate Information – Under the CPRA, a consumer has the right to request a business to correct inaccurate personal information that a business maintains. Further, the business collecting this personal information must (1) disclose the consumer’s right to request a correction, and (2) “use commercially reasonable efforts” to correct the inaccurate personal information upon request.
- Right to…
Privacy Isn’t Dead. Far From It.
Welcome! The fact that you’re reading this means that you probably care deeply about…