On May 4, the Californians for Consumer Privacy, led by founder Alastair Mactaggart, announced its submission to qualify the California Privacy Rights Act for the November 2020 ballot. Because of COVID-19 social distancing measures in place in California and the huge number of signatures required, the announcement surprised many political observers.
However, the CPRA’s presence on the ballot is still not a “done deal.” County election officials and the secretary of state will now begin the process of reporting and verifying the signatures, which may last through June 25th. Californians for Consumer Privacy has announced that it has collected about 900,000 signatures. 675,000 valid signatures are required to place the Initiative on the ballot.[1]
Early polling strongly suggests that if the CPRA — aka CCPA 2.0 — is certified for the ballot, it will pass and become effective Jan. 1, 2023, and move California privacy law a bit further in the direction of the EU General Data Protection Regulation.
The CPRA would amend the language of the CCPA and require additional rulemakings, which would introduce new uncertainties. Here are highlights of how the CPRA would change the CCPA.
Some good news for CCPA-regulated ‘businesses’
The CPRA would:
- Limit businesses’ liability for violations of the law by “third-party” businesses.
- Create an operationally significant limited exception to deletion and access rights for many types of unstructured data.
- Clarify the definition of “sale” and differentiate and exempt from the “Do Not Sell” right and the CCPA “selling” notice requirements, the “sharing” of personal information for cross-context behavioral advertising in some instances.
- Clarify that businesses may offer loyalty, rewards, premium features, discounts or club card programs.
- Amend the second threshold of the definition of a “business” to remove “devices.” and increase the number of consumers or households from 50,000 to 100,000 or more, thereby exempting more small businesses.
- Exempt businesses from needing to provide access to “specific pieces of personal information” from data generated to help ensure security or integrity or as prescribed by regulation.
- Extend the employee and business-to-business moratoria to Jan. 1, 2023, allowing time to address employee privacy questions in a separate bill.
Some bad news for CCPA ‘businesses’ and ‘service providers’
Companies subject to the CPRA would need to update their California privacy programs to include a new:
California delays CPRA regulations
The California Privacy Protection Agency (CPPA) was supposed to finalize new pri…