24 and Me - Proposition 24 (CCPA 2.0) on November 3rd California Ballot
Our DNA changes as we age. Studies have shown that your DNA methylation can change as much as 20% over a 10 to 16 year period. The DNA of the California Consumer Privacy Act (CCPA) is on an even faster sequence of change. The CCPA was signed into law on June 28, 2018 and was further amended on September 23, 2019 and on October 11, 2019. The law went into effect on January 1, 2020 and enforcement of the statutory requirements began on July 1, 2020. After multiple public forums and comment periods, the CCPA regulations were effective on August 14, 2020. Another big change is in the works.
As if businesses do not already have enough to juggle as they try to comply with the CCPA while attempting to avoid receiving a notice of noncompliance (the first step in the enforcement process) from the California Attorney General (AG), businesses now need to become familiar with proposed changes to the CCPA. The California Privacy Rights Enforcement Act (CPRA or CCPA 2.0) is the latest ballot initiative spearheaded by Alastair Mactaggart and his group, the Californians for Consumer Privacy (Privacy Group). These are the same players that spearheaded the first privacy ballot initiative in 2018, which led to the state legislature taking a preemptive strike and passing the CCPA. It is unlikely that the California legislature will initiate a similar preemptive strike this time.
The CPRA would build on the CCPA’s existing framework and substantially amend and expand the CCPA to strengthen consumer privacy rights and move California’s consumer privacy law closer in alignment to its genetic cousin, the European Union’s General Data Protection Regulation (GDPR). The changes would also impose new compliance obligations on businesses.
After some drama in the process of counting and certifying the signatures on the ballot initiative, the California Secretary of State certified on June 24, 2020 that the ballot initiative qualified to be on the November 3, 2020 ballot. The ballot initiative will be identified on the ballot as Proposition 24.
- Creation of New State Privacy Protection Agency
The CPRA would, among other things, create a new state agency to implement and enforce consumer privacy laws and impose fines, the California Privacy Protection Agency (CPPA). This new agency would take over these duties from the AG’s office and be funded with $10M from the state’s general fund. The Privacy Group has noted that “[t]his funding would equate to roughly the same number of privacy enforcement staff as the FTC has to police the entire country (the FTC has 40 privacy professionals).”
- New Consumer Rights
The CPRA would add the following new consumer rights:
o Right to opt out of personal information sharing - Consumers would be permitted to, at any time, direct a business that sells or shares personal information about the consumer to third parties not to share the consumer’s personal information. This new right would allow consumers to opt out of both the sale and the sharing of their personal information to third parties.
o Right to correction of personal information - Consumers would be permitted to, at any time, request that a business that maintains inaccurate personal information about the consumer correct such inaccurate personal information.
o Right to limit use of sensitive personal information - Consumers would be permitted to, at any time, direct a business that collects “sensitive personal information,” as that term is defined under the CPRA, about the consumer to limit its use of the consumer’s sensitive personal information. Businesses would need to add a “Limit the Use of My Sensitive Personal Information” link to their webpages similar to the current “Do Not Sell My Personal Information” link required under CCPA.
In addition, the CPRA expands on the CCPA’s existing right to know by requiring businesses to inform consumers if they have been “profiling” them using automated processes. This change and the added right of correction move the CCPA closer to the GDPR.
- New Business Obligations
Businesses will need to retool their current CCPA compliance programs to provide these new consumer rights. This retooling would involve everything from revising existing privacy notices and consumer facing webpages to the back-end processing of these new rights requests. The CPRA also imposes the following new obligations and risks on businesses:
o Data retention limitations - Businesses would be prohibited from retaining personal information for longer than is reasonably necessary.
o Service provider and other relationships - Businesses would be required to include a number of new provisions in their contracts with service providers, third parties, and “contractors,” a new defined term under the CPRA, including provisions that require these parties to notify the business if they determine that they can no longer meet their obligations under the CPRA and that grant the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate the unauthorized use of personal information.
o Elimination of the right to cure violations - Before a company may be penalized for violations, the CCPA affords businesses the right to cure violations within 30 days of receipt of a notice of noncompliance. That 30-day cure period would be eliminated under the CPRA.
The CPRA directs the new CPPA to issue regulations governing access and opt-out rights with respect to businesses’ use of automated decision-making technology, including profiling. Those regulations would also require businesses’ responses to access requests to include meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.
The CPRA includes some favorable changes for businesses. The CPRA would extend the current business-to-business and employee data exemptions under the CCPA, which are set to expire on January 1, 2021, to January 1, 2023.
- Operative Dates
The new requirements under the CPRA would become operative on January 1, 2023, and with the exception of the right of access, would only apply to personal information collected by a business on or after January 1, 2022. The provisions of the CCPA, as amended or reenacted by the CPRA, would remain in full force and be effective and enforceable until the same provisions of the CPRA become operative and enforceable.
Human DNA is about five feet long. You may need a longer leap to move your current CCPA compliance program to a CPRA compliance program. This posting summarizes only some of the provisions of the CPRA. Businesses subject to the CCPA may want to take some time now to review the CPRA and begin sequencing the changes that will need to be made to their current CCPA compliance program to comply with these new requirements. Polling data can be suspect, but it is hard to bet against a poll showing that 81% of California voters support this measure.