Skip to main content

New California Privacy Initiative to Appear on November Ballot – Get Ready for CCPA 2.0

Just as businesses are gearing up for the start of enforcement of the California Consumer Privacy Act (“CCPA”), California cleared the way for the California Privacy Rights Act (“CPRA”). The CPRA is an initiative imposing greater privacy restrictions on businesses holding consumer data, to be voted on as part of California’s November 2020 ballot. The certification came following a Sacramento County Superior Court order compelling all 58 California counties to complete their verification of signatures in time so that the CPRA would be included on the 2020 ballot as well as an announcement by the Secretary of State affirming that it had received more than 623,212 valid signatures and that the CPRA was eligible for the 2020 ballot.

At its basic level, the CPRA strengthens the CCPA by creating new privacy rights, obligations, and enforcement mechanisms. Among these changes, the CPRA mandates the following:

  • Businesses must limit the use and disclosure of an expanded list of sensitive personal information (including data related to race, ethnicity, religion, personal communications, health information, and sexual orientation).
  • Businesses must give consumer notice that the consumer’s information may be sold and that the consumer has a right to opt-out of such sale.
  • Businesses will need to defend against private consumer litigation as the CPRA explicitly grants consumers a right to bring a private civil action for certain CPRA breaches.
  • Businesses will be subject to enforcement actions from, and regulations promulgated by, a newly created California Privacy Protection Agency.

The CPRA and the creation of the California Privacy Protection Agency would undoubtedly expand privacy regulations and enforcement actions. There has been little polling on the CPRA, but a survey commissioned by the Californians for Consumer Privacy (the sponsors of the ballot initiative) shows strong support for enhanced privacy legislation.  While the CPRA, if passed, would not go into effect until January 1, 2023, businesses will want to keep a close watch on developments in order to have as much time as possible to prepare if the measure is approved.   Watch this space.

Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.

Kevin Hiraki