This week, the California initiative designed to amend and expand the California Consumer Privacy Act of 2018 (CCPA) has reached a notable milestone. On May 4, 2020, Californians for Consumer Privacy (the nonprofit group behind the original CCPA initiative in 2018) began submitting the required signatures to state election officials in support of Initiative 19-0021A1. This means the California Privacy Rights Act of 2020 (CPRA) is one step closer to appearing on the November 3, 2020 ballot.
If voters approve the CPRA in November 2020, it would significantly expand the scope of the CCPA as summarized below. The regulations under the CPRA would then be required to be finalized by July 1, 2022. With some exceptions, the CPRA would become operative on January 1, 2023, and enforcement powers would begin on July 1, 2023. Generally, the CPRA would only apply to personal information (PI) that is collected after January 1, 2022 (except with respect to consumer requests for access to their PI, which would apply regardless of when the PI was collected).
The CPRA would introduce new requirements that extend above and beyond those included in the CCPA and the California Attorney General’s (AG) draft regulations under the CCPA, including:
1. Scope and Applicability
- Adding a new category of PI that includes “sensitive information,” and giving consumers rights to opt out of a business’s use and disclosure of their sensitive information
- Altering the scope of the CCPA’s small business exception
- Altering the CCPA’s definition of “business purpose,” including with respect to its applicability to online advertising
- Bolstering the CCPA’s definition of “deidentified” PI
- Broadening the CCPA’s definition of “publicly available” PI, which is excluded from the definition of PI
- Extending the CCPA’s partial exception for employees, independent contractors, business representatives, etc., through January 1, 2023
- Adding account credentials to the list of data to which the CCPA’s private right of action applies following a data breach
2. Organizational Requirements
- Requiring that the collection, use, retention, and sharing of PI be proportionate to its purpose
- Adding provisions that must be included in contracts with third parties with whom PI is shared
- Requiring reasonable security procedures and practices
- Adding a process for law enforcement to require that businesses not delete PI
- Requiring the AG to promulgate a cybersecurity regulation, a regulation regarding automated decision-making, and other regulations related to the CCPA
3. Individual Rights
- Expanding the scope of consumers’ deletion rights
- Adding a consumer right to have inaccurate PI about them corrected
- Imposing direct obligations on service providers regarding responses to consumers’ access, correction, and deletion requests
- Changing some of the exceptions to the CCPA’s deletion right
- Adding a consumer right to opt out of a business’s sharing of his or her PI for cross-site behavioral advertising purposes
- Prohibiting a business from sharing the PI of a child under 16 for cross-site behavioral advertising purposes without consent
- Adding a right for consumers to make “requests to know” that extend earlier than the 12 months preceding the request
- Specifying additional format and portability requirements to which a business must adhere when satisfying a consumer’s right to access “specific pieces” of his or her PI
4. Notices and Disclosures
- Requiring additional disclosures to consumers regarding a business’s disclosure and sharing of their PI
- Requiring that the CCPA privacy notice include retention periods for each category of PI
5. Enforcement
- Creating a California Privacy Protection Agency to implement and enforce the law, in addition to the AG’s enforcement powers
- Removing the 30-day cure period from the enforcement process, and broadening the circumstances in which the higher fine—$7,500 per violation—is applicable
- Adding provisions regarding the purposes for which revenues from fines under the CCPA may be used
- Specifying that implementing and maintaining reasonable security procedures and practices pursuant to California Civil Code Section 1798.81.5 following a data breach does not constitute a cure with respect to that data breach
Next Steps
At this time, it appears likely that the CPRA will become eligible for the ballot. Californians for Consumer Privacy needed to obtain 623,212 signatures, but the group announced that it is submitting over 900,000. The group is also familiar with gathering verifiable signatures, having previously achieved ballot eligibility in 2018 with the initiative that paved the way for the CCPA. If the signature verification process is successfully completed, the California Secretary of State will announce that the CPRA is eligible for the November ballot, at which point it will automatically appear on the ballot unless it is withdrawn by its proponents prior to June 25, 2020.
While Californians for Consumer Privacy withdrew its 2018 CCPA ballot initiative following an eleventh-hour legislative compromise that resulted in the CCPA’s passage, the group has made it clear that it believes the CCPA was “weakened” through legislative amendments thereafter—a belief that contributed to its introduction of this second ballot initiative. This may make it less likely that Californians for Consumer Privacy will accept a legislative compromise in 2020.
Further details on the CPRA initiative can be found in our previous client alerts dated October 8, 2019 and December 12, 2019.
The full text of the latest version of the CPRA can be found online here.