The California Privacy Rights Act of 2020 (“CPRA”) has officially qualified for this November’s ballot. If passed, some provisions of the law would take effect five days after the California Secretary of State files the statement of vote, but the CPRA would be effective January 1, 2023 with a July 1, 2023 enforcement date.
The CPRA is a ballot initiative sponsored by Californians for Consumer Privacy, a group headed by Alastair Mactaggart. It is the same group whose prior ballot initiative led the California Legislature to hastily pass the California Consumer Privacy Act (“CCPA”). The CPRA would supplement privacy protections for Californians that the existing CCPA imposes on companies that collect personal information from consumers.
Although Californians for Consumer Privacy reported several months ago that it had obtained a sufficient number of signatures for the initiative to qualify, the group was forced to take legal action to ensure the signatures would be accepted in time. On June 8, 2020, Mactaggart and two other plaintiffs filed a Petition for Writ of Mandate against Secretary of State Alex Padilla requesting that the Secretary of State report the results of the random sample of signatures submitted in order to qualify the CPRA for the November 3, 2020 ballot. The California court granted the petition on June 19, 2020, and ordered the Secretary of State to direct counties to report the results of random-sample signature verification on or before June 25, 2020, the last day for the initiative to qualify for the ballot. On June 24, 2020, the California Secretary of State announced it would certify the initiative as qualified for the November 3, 2020 election ballot, unless withdrawn by its proponents prior to certification.
The initiative includes several provisions that its proponents contend strengthen the state’s existing privacy regime. Among other things, CPRA would:
- Make it more difficult for the California legislature to weaken privacy protections in the future because it would require that any amendment be “in furtherance of the purpose and intent” of the CPRA.
- Establish a new category of sensitive personal information and give consumers the ability to limit use of this data. Information in this new category would include social security number; driver’s license number; passport; consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password or credentials allowing access to an account; consumer’s precise geolocation; consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; contents of a consumer’s mail, email and text messages, unless the business is the intended recipient; consumer’s genetic data; the processing of biometric information for the purpose of uniquely identifying a customer; personal information collected and analyzed concerning a consumer’s health; and personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
- Prohibit precise geolocation tracking to a location within roughly 250 acres.
- Add e-mail addresses and passwords to the list of personal information that, if lost or breached, would give the affected consumers the right to bring private lawsuits.
- Increase the maximum penalties threefold for violations concerning consumers under age 16.
- Establish the California Privacy Protection Agency, funded with $10,000,000 from California’s General Fund, to implement and enforce the new law, as well as impose administrative fines.
Californians for Consumer Privacy has posted a fact sheet, titled “Why CPRA,” on its website.
Confirmation that CPRA will appear on this fall’s ballot comes just as the Attorney General is scheduled to begin enforcing the CCPA. CCPA enforcement, which the Attorney General has maintained would begin on July 1, has begun despite the fact that the final regulations are not in place. As we previously covered, the Office of Administrative Law is currently reviewing the final CCPA regulations that the Attorney General submitted on June 1 for review. The result is that companies need to continue to monitor the CPRA and simultaneously prepare for enforcement of the CCPA.
Jim Shreve is the chair of Thompson Coburn's Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years. Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about data privacy litigation and regulatory risks. Libby Casale is an associate in Thompson Coburn’s Business Litigation group.