On May 4, 2020, Californians for Consumer Privacy announced that it had collected more than 900,000 signatures to qualify the CPRA (California Privacy Rights Act) for the November 2020 ballot.
Also known as ‘CCPA 2.0’, the CPRA enhances privacy protections established by the CCPA (California Consumer Privacy Act) and builds on consumer rights.
Alastair Mactaggart, founder of Californians for Consumer Privacy and the initial proponent of legislation that led to the CCPA, said: “Even as we’ve worked to strengthen privacy laws here in California, we’ve realized that our laws need to keep pace with the ever-changing landscape of constant corporate surveillance, information gathering and distribution […] That’s why we’ve introduced this new ballot measure, signed by nearly one million California voters.”
California law allows proposed initiatives to be placed on the ballot if they receive 675,000 valid signatures. With well over that number collected, it is likely that the CPRA will be put to a vote in front of the wider electorate this fall. From there, the ballot initiative could become law if approved by a simple majority of California voters. According to Californians for Consumer Privacy:
Recent polling by Goodwin Simon Strategic Research shows that Californians are overwhelmingly supportive of being in control of their most sensitive personal information, and they also want control over how their children’s data is used. 88% would vote YES to support a ballot measure expanding privacy protections for personal information.
This sort of legislative uncertainty creates challenges for organizations currently working to comply with the CCPA. The CCPA took effect on January 1, 2020, and enforcement begins on July 1, even in the face of COVID-19-related complexities. While many elements of the two laws are similar, there are some striking differences that could impact CCPA implementation plans.
CPRA Key Changes
The CPRA proposes the following key changes:
- Limiting deletion rights that apply to unstructured data
- Exempting more small businesses by raising the threshold for what defines a ‘business’ processing personal information
- Extending current one-year exemptions for certain employee and business-to-business data
- Carving out a separate, sub-definition of ‘sensitive data’, akin to what’s seen in the New York SHIELD Act; new, separate requirements would apply to this subset of data
- A new right to data minimization with retention requirements related to personal data
- A right to know, access, and receive personal information collected before the 12-month lookback period for data collected on or after January 1, 2022
- New definitions and obligations related to cross-context behavioral advertising
- Amending breach liability to include an email address in combination with a password or security question
- Establishing a new regulatory enforcement body: the California Privacy Protection Agency
IT Governance USA resources
Our CCPA implementation guide provides you with a comprehensive understanding of the current Act by explaining key terms and how your business can implement strategies to comply. As new regulatory guidance is released, we will update and revise the implementation guide to cover potential developments and help with further compliance.