While businesses are in the throes of interpreting and complying with the California Consumer Privacy Act that took effect Jan. 1, real estate developer and CCPA co-creator Alastair Mactaggart is gathering signatures to get a new privacy initiative—the California Privacy Rights and Enforcement Act of 2020—on the November ballot.
The new initiative, dubbed “CCPA 2.0,” would amend the CCPA by imposing limitations on businesses’ use of “sensitive personal information” (such as sexual orientation, biometric, health and financial information, and precise geolocation), adding the right to correction, tripling the maximum penalties for privacy violations of children under 16, and establishing a government agency to implement and enforce the act, among other potential revisions.
The California attorney general’s office circulated the official title and summary of the proposed initiative on Dec. 17, 2019. Mactaggart has until late April to submit the requisite 623,212 verified signatures. Assuming enough signatures are gathered (over 629,000 signatures were gathered for the 2018 initiative), the deadline by which the secretary of state must certify initiatives for the November ballot, and by which Mactaggart may withdraw the initiative, is June 25.
Given this timeline, we will know whether the CCPA is likely to be rewritten before the AG’s office can even begin enforcing it (July 1). If the initiative proceeds to the ballot and is approved by a majority vote, the statute would take effect, and certain portions of it (e.g., the extension of the business-to-business and employee-related exemptions) would become operative, on the fifth day after the secretary of state certifies the election results.
Certain other provisions would not be operative until 2023 and, in the interim, the current CCPA would govern.
Establishment of Government Agency
Perhaps the most notable potential change is that the act would establish a separate government agency—the California Privacy Protection Agency—to implement consumer privacy laws and monitor compliance. Having a state agency dedicated to enforcing state privacy laws would undoubtedly increase the enforcement risk that businesses face for noncompliance.
In addition to protecting privacy rights, the agency would be responsible for promoting public awareness, providing guidance to both consumers and businesses regarding their rights and obligations, and, upon request, providing technical assistance and advice to the legislature. It also would be able to adopt, amend, and rescind regulations on and after the earlier of July 1, 2021, or within six months of the agency providing the attorney general with notice that it is prepared to assume rulemaking responsibilities.
The agency would be governed by a five-member board made up of appointees who are “Californians with expertise in the areas of privacy, technology, and consumer rights.” Administrative actions would have to be brought within five years after the date on which the violation occurred.
Changes to Covered Businesses
Newly covered entities would include joint ventures or partnerships made up of businesses that each hold at least a 40% interest, and persons doing business in California that elect to be bound by the act by certifying compliance to the new government agency established by the act.
The definition of “business” is otherwise still limited to for-profit entities doing business in California that annually satisfy one of three thresholds, with minor revisions to such thresholds:
- has gross revenues in excess of $25 million (the act clarifies that the assessment is made as of each January 1 for the preceding calendar year);
- buys, sells, or shares the personal information of 100,000 (an increase from 50,000) or more consumers or households (the reference to devices is removed); or
- derives 50% or more of its annual revenues from selling or sharing (a new defined term) consumers’ personal information.
Entities that are controlled by, and share common branding with, a business would be covered only if the business shares consumers’ personal information with the entity.
Added to the exemptions from the act is personal information collected, processed, sold, or disclosed subject to the Federal Farm Credit Act of 1971. Additionally, the business-to-business and employee-related exemptions provided under the existing CCPA would be extended to Jan. 1, 2023.
New Obligations
1. Data Minimization
A business would not be able to process personal information in a manner incompatible with the disclosed purpose for which the information was collected. Businesses also could not retain personal information longer than is reasonably necessary to achieve said purpose.
2. Contracts with Third Parties
Whereas the CCPA distinguishes service providers from third parties by the existence of a contract containing certain provisions that limit the service provider’s use of the business’s personal information, the act would require all transfers of personal information, whether sales to third parties or disclosures for a business purpose to service providers, to be made pursuant to an agreement.
Contracts would have to specify, among other things, that the sale or disclosure of the personal information is only for limited and specified purposes and that the third party or service provider will comply with its obligations under the act, including providing the same level of privacy protection afforded under the act.
3. Expanded Notice of Deletion Requests
Should a consumer exercise their right to have their personal information deleted, a business would be required to notify not only service providers but also all third parties to delete the consumer’s personal information. The act, however, excuses compliance if such notice proves impossible or would involve disproportionate effort.
4. Expanded Notices at Point of Collection
In addition to the categories of personal information and purposes of such collection or use, the notice at point of collection would need to state whether the information is sold or shared and how long the business intends to retain each category of personal information.
If sensitive personal information is collected, the same disclosures would be required for each category of sensitive personal information. Businesses that do not have a direct relationship with consumers (i.e., third parties) but that are controlling the collection of consumers’ personal information would also be obligated to provide notices at point of collection.
Complying With New Consumer Rights
Under the act, businesses would have to comply with additional consumer requests to correct inaccurate personal information and to limit the business’s use and disclosure of sensitive personal information.
Corresponding with such rights, businesses would need to, among other things, update privacy policy disclosures and either add a link titled “Limit the Use of My Sensitive Personal Information” or revise the “Do Not Sell My Info” link to also cover this new right (subject to certain alternatives).
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Author Information
Malia K. Rogers is an attorney in Husch Blackwell LLP’s Denver office and assists clients on emerging data privacy issues.