California’s CPRA Is Appearing on Next Month’s Election Ballot

Written by Brett Lawrence, Esq. 

Although the upcoming presidential election is currently dominating the political and media discourse, in the data privacy and security world, California’s 2020 ballot has been the recipient of much discussion. This is because the California Privacy Rights Act (“CPRA”) is on this year’s November ballot and can be potentially voted into law by its citizens. The CPRA seeks to substantially modify California’s recent 2018 data privacy and security law, the California Consumer Privacy Act (“CCPA”).

The California legislature enacted the CCPA in 2018 to provide its consumers more control over their personal information that business collect about them. The law established new privacy rights for the State’s consumers, including (1) the right to know what personal information businesses collected about them; (2) the right to opt out of allowing business to sell their collected personal information; and (3) the right to have the business delete their collected personal information. Enforcement of the CCPA has been ongoing since July 1, 2020, with proposed modifications to the regulations appearing as recent as October 12.

In seeking to amend large amounts of the CCPA, the CPRA intends to broaden consumer protections in a variety of areas and put new obligations on businesses that process personal data. If voted in, the CPRA would:

  • Create a new category of personal information called “sensitive personal information,” which would include a consumer’s social security number, racial or ethnic origin, and account log-in credentials;
  • Allow consumers to correct any potentially inaccurate data being stored by a business;
  • Create a new privacy enforcement agency titled, “The California Privacy Protection Agency,” that would not only enforce the CPRA, but allow it to promulgate new rules and regulations;
  • Remove the 30-day “cure” period for businesses to remedy any alleged privacy violations;
  • Allow consumers to sue for unauthorized access or disclosure of their email address and password or security question permitting access to an account;
  • Increase the penalties for mishandling children’s data;
  • Continue the employee data and business-to-business exceptions to January 1, 2023;
  • Make service providers directly responsible for complying with certain provisions of the CPRA, such as helping businesses with verifiable consumer requests to correct, limit, or delete personal information; and
  • Require businesses to have certain security safeguards in place to protect personal information

The CPRA would not take effect until January 1, 2023 and would only apply to personal information—with an exception to the right to access—collected by a business on or after January 1, 2022.

The CPRA and CCPA would further differ in one critical respect. Unlike the CCPA, which was enacted by the California legislature, the CPRA’ s enactment would be through a ballot initiative. As a result, the CPRA would become law as written and could only be fundamentally amended through subsequent voter action.

If preliminary polling is any indicator, it is likely that the CPRA will be voted in with considerable support.

Click here to read the CPRA.

Leave a comment