The California Privacy Rights Act (CPRA) recently qualified for the November 2020 ballot, and if California voters approve this initiative, the CPRA will expand the rights of California residents under the current (stringent) California Consumer Privacy Act (CCPA), beginning on January 1, 2023.
So what will change under the CPRA?
- Creation of the California Privacy Protection Agency (CPPA): If the CPPA is created, it would be the first of its kind in the United States. The CPPA would be governed by a five-member board that would have full administrative power, authority and jurisdiction to implement and enforce the CCPA (instead of the California Attorney General).
- Stricter Definitions: CPRA defines “sensitive personal information” more strictly than “personal information;” “sensitive personal information” includes government-issued identifiers (i.e., Social Security numbers, driver’s license numbers, passport numbers), account credentials, financial information, precise geolocation, race or ethnic origin, religious beliefs, contents of certain types of messages (i.e., mail, e-mail, text), genetic data, biometric information, and other types of information.
The CPRA also would create new obligations for companies and organizations processing sensitive personal information. It also would allow consumers to limit the use and disclosure of their sensitive personal information.
The CPRA would also expand consumer rights under the CCPA. Specifically, under the CPRA, consumers would have the right to:
- Correct personal information;
- Know the length of data retention;
- Opt-out of advertisers using precise geolocation; and,
- Restrict usage of sensitive personal information.
The CPRA also would extend the moratorium related to employee data until January 1, 2023; currently, under the CCPA, employee data are not covered until January 1, 2021. Note that California AB-1281, which was enrolled on September 1, 2020, extends the current exemption for employee data to January 1, 2022 in the event that the CPRA is not voted into law.
Lastly, in addition to the private right of action for data breaches under the CCPA, the CPRA would expand this private right of action to include the unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security safeguards.
While many companies are still grappling with the nuances of the CCPA, if the CPRA gets the green light from voters in November, it will bring yet another wave of compliance issues and implementation of new policies, procedures and processes for many businesses in and outside of the California. We will watch this ballot question closely as we near the November election.