Even More Stringent Consumer Privacy Restrictions May Be Imposed on Businesses Operating in California
By Procopio Associate Nicholas Kawuka
It is now official. Come November 2020, Californians will vote on a privacy ballot initiative – the California Privacy Rights Act (CPRA). With administrative enforcement of the already sweeping California Consumer Privacy Act (CCPA) barely underway, the proponents of the new ballot measure believe more changes to consumer privacy rights are warranted.
Californians for Consumer Privacy, the nonprofit led by CPRA proponent Alastair Mactaggart, believes that the law is warranted because the world’s largest companies have already weakened existing consumer privacy laws, and technology has evolved to exploit consumer data in ways not contemplated by existing laws.
The ballot measure, aptly described as CCPA 2.0, amends various provisions of the CCPA. While we cannot know if the measure will pass until the final ballots are tallied in November 2020, early polls by proponents suggest that nearly 90% of Californians support the measure.
The CPRA imposes new obligations on businesses and clarifies existing obligations required under the CCPA. If it becomes law, it will:
- Establish a new agency—the California Privacy Protection Agency—to protect consumer privacy and regulate businesses’ use of personal information. The agency will take over rulemaking and enforcement of privacy rights from the state Attorney General.
- Add a new category of protected information known as “sensitive personal information” that includes, among other things, information revealing a person’s identification documents or details, financial or bank account information, precise geolocation, race, or ethnicity, genetic data, health, and biometric information, religion, and information about sex life or sexual orientation.
- Amend the requirement under the CCPA that companies display a link stating “Do Not Sell My Personal Information” to include a prohibition on “sharing” information. Businesses will have to revise the CCPA’s required conspicuous link on their internet homepage to state, “Do Not Sell or Share My Personal Information.”
- Establish rights for consumers to opt out of businesses’ use of “sensitive personal information” and other information used for “cross-context behavioral advertising” (advertising based on consumer behavior across different businesses, websites, applications, or services). Together with the “Do Not Sell or Share My Personal Information” notice and link, businesses will need to provide conspicuous links on their internet homepages so that consumers can easily limit the use of “sensitive personal information” and preclude the sale of personal information for “cross-context behavioral advertising.”
- Require businesses to obtain parental consent before they can collect personal information of children under 16 years of age, and triple the CCPA penalties for violating children’s privacy.
- Establish rights for consumers to correct inaccurate personal information.
- Require business to collect only the minimum amount of personal information necessary to achieve the purpose for which the business seeks that information, and prohibit retention of information by business for longer than necessary.
- Require businesses to enter into contracts with service provides, contractors or third parties obligating that the third parties provide the minimum level of privacy required by the CCPA, and that the third parties will submit to an audit upon any unauthorized use of any information. Relatedly, the law limits businesses’ liability for violations by such third parties.
- Require businesses to be transparent to consumers about the use of automated decision-making technologies including profiling of consumers and establishing consumers’ right to know the logic businesses use and the likely outcome of the automated decision making processes as it pertains to the consumer.
If your company does business in California and is already subject to the CCPA, these are just a handful of the changes you will have to consider if the ballot measure passes. But there is ample time for businesses to prepare. If approved by California voters in November, the law will come into force on January 1, 2023. Administrative enforcement of the new provisions will begin on or after July 1, 2023, and will apply only to violations after that date. While that seems like a considerable time away, we encourage you to contact our Privacy and Cybersecurity team to discuss your exposure to the new legislation should it become law.
Nicholas Kawuka is an Associate in Procopio’s Privacy and Cybersecurity practice group. He advises clients in privacy and cybersecurity matters, as well as counseling and litigation on intellectual property, trade secrets, and trademarks and copyrights. Nicholas’s practice focuses on a variety of technologies including chemical, manufacturing, software application, digital signal processing and electronic circuit fields. He also has experience in commercial litigation involving breach of contract, fraud and unfair business practices, breach of fiduciary duty, misappropriation of trade secrets and financial trade institutions.