Understanding New Consumer Rights and Business Obligations in California’s Privacy Ballot Initiative
Data Privacy & Security Alert 06/30/20 Linda C. Emery, Hilary Lane
The California Privacy Rights Act (CPRA) - a ballot initiative that amends the California Consumer Privacy Act (CCPA) to give consumers additional rights and impose additional obligations on businesses - has qualified for the November 3, 2020 ballot. If voters approve the ballot initiative, it will become law, and will be operative on January 1, 2023.
It's likely that the CPRA will be approved. According to Californians for Consumer Privacy, the group responsible for launching CPRA as well as the CCPA, 88 percent of California voters would vote in favor of a "measure expanding privacy protections for personal information."
Here are some of the key provisions:
New Enforcement Agency: Establishes the California Privacy Protection Agency with authority to implement and enforce the law.
Consumer Rights: Grants new and expanded consumer rights and requires businesses to adopt mechanisms for submitting and responding to requests to exercise those rights.
- Provides new right to request correction of inaccurate personal information
- Establishes a new category of "sensitive personal information" and gives consumers the right to restrict its use and disclosure. Sensitive information includes:
  - social security, driver's license, state ID or passport numbers
  - financial account, debit or credit card numbers in combination with information required to access the account
  - precise geolocation
  - racial or ethnic origin, religious or philosophical beliefs, or union membership
  - contents of personal communications such as emails and texts
  - genetic information
  - biometric information
  - health information
  - information about sex life or sexual orientation
- Broadens consumer's right to know if a business:
  - uses automated processes to profile the consumer
  - uses the consumer's personal information "for their own political purposes"
- Expands right to opt out of sale of personal information to include any sharing of data with third parties for cross-context behavioral advertising
Data Retention and Notice: Requires businesses to establish and disclose retention periods for personal and sensitive information.
- Prohibits businesses from retaining personal and sensitive information for longer than reasonably necessary for the purpose of collection
- Requires businesses to provide notice, at or before the point of collection, of the length of time they retain each category of personal and sensitive information or, if that is not possible, the criteria used to determine such period
Data Breaches and Security: Imposes a "reasonable security obligation" for all personal information and expands the private right of action for data breaches to include the compromise of email addresses in combination with passwords or security questions that allow access to an account if the business failed to maintain reasonable security procedures and practices.
Employee and B2B Information: Extends current exemptions for employee and business-to-business personal information from January 1, 2021 to January 1, 2023.
For more information on the CPRA, how it may impact your business, and what you can do to prepare, contact your local Quarles & Brady attorney or reach out to the Data Privacy & Security Team: