The organization known as Californians for Consumer Privacy announced yesterday that it successfully secured enough signatures to qualify adding the California Privacy Rights Act (“CPRA”) to the state’s November 2020 ballot. The group’s founder Alastair Mactaggart is a well-know public figure who was the driving force behind the infamous California Consumer Privacy Act of 2018 (the “CCPA”), which just went into effect in January. We previously reported on the latest CCPA developments and litigation trends at length here.
As of yesterday, over 900,000 signatures were secured from Californians, and still counting. Reportedly, California consumers are “overwhelmingly supportive of being in control of their most sensitive personal information, and they also want control over how their children’s data is used.” In fact, the organization expects to obtain over 1,000,000 signatures in the near future, and the CPRA will likely appear on the ballot in counties across California this fall.
According to Mactaggart’s public statement, while the group actively worked to strengthen privacy laws in California, they soon realized that the “laws need to keep pace with the ever-changing landscape of constant corporate surveillance, information gathering and distribution.” He added that he believes that “Californians deserve to participate in and shape the conversation about how, when and with whom our most personal information is shared.”
The CPRA was introduced in order to amend the CCPA—the law, which has been widely criticized for its overbroad definitions, ambiguous language, and overall lack of clarity. The CPRA, therefore, aims to expand the privacy rights of California residents and to further increase the companies’ compliance obligations.
The CPRA seeks to do the following:
- Sensitive Personal Information. The law will add a new category of information known as “sensitive personal information” and provide new rights for California consumers, allowing them to stop businesses from using their sensitive personal information.
- Definitions. The CPRA may further aim to clarify that sensitive personal information includes the person’s health, financial information, and geolocation data for collection of which there was no consent.
- Right of Correction. The law will give Californians the right to ask businesses to make corrections of any personal information that is inaccurate.
- Data Breach Liability. The law seeks to revise and clarify the CCPA as it relates to data breach liability. Specifically, it states that any breaches in which a consumer’s email is compromised along with (1) their password or (2) a security question and answer—which would essentially provide hackers with unfettered access to the consumer’s account—can result in liability for the company.
- Children’s privacy. The law seeks to enhance children’s’ privacy rights and to triple CCPA’s fines for collecting and selling private information of minors under 16 years of age.
- New Enforcement Arm. The CPRA seeks to establish a new enforcement authority to help protect consumers’ rights, called “the California Privacy Protection Agency.”
- Increased Transparency. With the help of this new agency and redefined legal requirements, the goal is to increase transparency and to give consumers greater control over their data.
We previously reported on a prior version of the CPRA when it was first introduced by Alastair Mactaggart here. We will continue to monitor the CPRA ballot-measure developments as they evolve. If you have questions as to how this proposed law could affect your company, reach out to the team at Mintz.