Next Tuesday is election day, and this year, California voters are deciding whether to support another statewide privacy initiative – the California Privacy Rights Act (CPRA) (Proposition 24).
This measure would expand on the California Consumer Privacy Act (CCPA), which went into effect earlier this year, in several important ways, including (among others):
- It would create a state administrative agency – the first of its kind in the country – which would be responsible for implementing the CCPA (implementation of which is currently overseen primarily by the California Attorney General). The California Privacy Protection Agency could levy administrative fines of up to $2,500 per violation of the act, or up to $7,500 for each intentional violation, or violation involving a minor. It would also obtain the rulemaking authority that is currently granted to the Attorney General’s office, under the CCPA.
- Like the GDPR, the CPRA would create protections for “sensitive personal information,” in addition to those provided for “personal information” under the CCPA. The measure would establish notice requirements related to the use of this “sensitive” information, and consumers would be given the right to limit its processing. Information in this category would include social security, driver’s license, passport, and financial account data; geolocation data; information about race, ethnicity, or religion; contents of personal communications; biometric, genetic, or health data; genetic data; information about sexual orientation; and other items. The CPRA would allow users to opt out of the sale or sharing of such information (in contrast with the GDPR, which requires users to opt in), and to direct companies to use sensitive personal information only for the express purpose for which it was collected.
- It would restrict sharing, not just selling of personal data. The measure defines “sharing” personal information as disclosing it to a third party for “cross-context behavioral advertising,” which is the practice of creating a consumer profile based on data collected across multiple platforms, in order to target advertising. It would also restrict the use of artificial intelligence or programmed logic to analyze personal data, by allowing people to opt out of automated processing of their personal information to evaluate or make predictions about their professional performance, economic situation, health, preferences, interests, reliability, behavior, location or movements. The CPRA also empowers consumers to request meaningful information about the logic used in automated decision-making processes.
- It would allow consumers more control over their data, granting them the right to correct it, delete it, or limit its use, and to prevent companies from collecting more data than necessary, or storing it for longer than required. It also would make such data portable, so that consumers could request that one company share their data with another – even a competitor.
- It would increase protections for children’s data. Fines for violations of the act would be three times higher when the business has knowledge that the consumer is under 16 years old. It also would require that individuals under 16 “opt in,” before a business sells or shares their personal data.
- It would expand the private right of action. While the CCPA currently allows private action for breaches of unencrypted, unredacted personal information, the CPRA would also grant a right of action where an email address and password or security question would permit access to an account, and that information is disclosed or otherwise accessed due to a business’ failure to maintain reasonable security procedures and practices.
- It would modify the group of businesses subject to the CCPA. Specifically, the CCPA currently applies to all businesses that (a) have gross annual revenues greater than $25 million, (b) buy, receive, or sell the personal information of 50,000 or more consumers, or (c) derive 50% or more annual revenue from selling consumers’ personal information. Under the CPRA, these thresholds would change, so that businesses would only be subject if they (a) have $25 million in gross annual revenues, (b) buy, sell or share personal information of 100,000 or more consumers or households, or (c) derive at least 50% of their annual revenue from selling or sharing consumers’ personal information. The statute would also apply to third party “service providers” who contract to process personal information on behalf of a company subject to the CCPA, even if the service providers themselves would not otherwise fall under its ambit.
- It would extend the CCPA’s exemptions for employment and business-to-business data until January 1, 2023. These exemptions – which largely exclude individuals’ data from CCPA protections if the individuals are in an employment relationship with the data holder, or if their personal information was obtained while they were acting on behalf of a business – have already been extended once, and are currently set to expire on January 1, 2022. The CPRA would therefore allow an extra year, before these types of data become subject to the law.
Importantly, unlike the CCPA, which was put into place by the state legislature, Proposition 24 would be implemented by California voters, and would therefore be subject to additional constitutional protections. Specifically, the California State Constitution states that an initiative approved by the voters may not be amended or repealed by the legislature without first obtaining direct voter approval. Cal. Const., Art. II, §10. Indeed, restricting lawmakers’ ability to remove or reduce the initiative’s privacy protections was a major impetus for its placement on the ballot. Thus, unlike the CCPA, this measure would supersede any potentially conflicting legislation going forward and would be very difficult to limit or repeal. This would be compounded by the language of the initiative itself, which requires that any amendments that legislators do implement be “consistent with and further the purpose and intent of [the CPRA].”
Notably, the CPRA would not go into effect until January 2023. However, if passes (which it is likely to do), companies would be wise to start making plans early regarding how they will comply.
 This could affect advertisers’ ability to use Google Ads, or other cookie-based advertising algorithms to determine ad placement.
 Given that the CCPA has already gone into effect, businesses that transact personal information of between 50-100,000 consumers will likely need to continue complying with its requirements in the intervening period, until contrary guidance is issued by the Attorney General’s office.