Voters in California will decide in November on the California Privacy Rights Act of 2020 (CPRA), a law that would become effective 1 January 2023 and expand the California Consumer Privacy Act of 2018 (CCPA), a law that was also originally introduced as a ballot initiative but ultimately enacted by the California Legislature.
Consumer Privacy Rights Act – Key Provisions
Funding for privacy advocacy groups: Businesses face significant penalties under CCPA that, once paid, are to be deposited in a Consumer Privacy Fund earmarked to offset government enforcement costs. CPRA contemplates that non-profit organizations would receive 3% of proceeds from such penalties to promote and protect consumer privacy (See active initiative 19-0021A1, p. 39 proposing Cal. Civ. Code). The proponent of the ballot measure is the Board Chair and Founder of Californians for Consumer Privacy, a Section 501(c)(4) social welfare organization.
Data protection authority for California: Voters rarely demand that states expand existing bureaucracies, leave alone create new authorities. But, CPRA would do just this and mandate the creation of a California Privacy Protection Agency (CPPA) to enforce CPRA against businesses with fines and cease-and-desist orders. The new agency would also assume from the California Attorney General the mandate to issue regulations on an expanded list of topics without further input from voters or the legislature. These topics include establishing restrictions on health-related research (CPRA, §1798.185(a)(19)(C)(ii); more generally see pp. 46-51, Cal. Civ. Code §1798.199.10-95), which could clash with present-time and future health and safety priorities.
CPRA contemplates a number of statutory safeguards to protect the prescribed mission of the new agency from influence by consumers, businesses or other government agencies, to drive independent and single-purpose-focused data processing regulation. The agency is incentivized to impose penalties on businesses to secure funding and growth for itself via the Consumer Privacy Fund.
Error corrections and new mistakes: CPRA corrects a number of remaining clerical errors in CCPA and recognizes trade secret rights of businesses as a limitation on data access rights of consumers. The proponents of CPRA framed the statute as an amendment and restatement of CCPA. This approach is preferable over a new stand-alone statute. With amendments, drafters tend to remain more mindful of existing law and avoid creating inconsistencies and duplications, as CCPA did with respect to other California and federal privacy laws. Unfortunately, CPRA also duplicates requirements and fails to repeal existing laws that would largely become obsolete if the broader CPRA takes effect. Whether or not CPRA passes, the California Legislature should urgently work on streamlining California privacy laws, which have become unbearably complex and convoluted (Regarding trade secrets, see Cal. Civ. Code §1798.100(h). For error corrections, see, e.g., Cal. Civ. Code §1798.110(c)(1) and (5). For duplication, see, e.g., the proposed new Cal. Civ. Code §1798.100(f) and the existing Cal. Civ. Code §1798.81.5(b) or the definitions of “contractor” and “service provider” in Cal. Civ. Code §1798.140, which are similar and unnecessarily complex. Regarding the need to repeal and streamline existing law, see here and here.
Tighter restrictions on information sharing: Effective 1 January 2023, businesses would have to comply with various new or changed requirements regarding information collected after 1 January 2022. For example, a business that receives a deletion request would have to not only comply itself and instruct its service providers, but also notify other businesses to which it sold or with which it shared information to also delete the information (Cal. Civ. Code §1798.105(c)(1)). Unlike currently, the business would not be permitted to continue to use the information for internal purposes compatible with the context in which the consumer provided the information (Cal. Civ. Code §1798.105(d)(9)). Businesses would have to add prescribed clauses to contracts with service providers and contractors (Cal. Civ. Code §1798.100(d)), which many businesses will loathe having to re-open again after updating contracts for GDPR by May 2018 and for CCPA by January 2020. Service providers may also want to re-open existing agreements, as they would be required by statute to assist their customers (Cal. Civ. Code §1798.105(c)(3); §1798.130(a)(3)(A)), which would inevitably create additional compliance costs.
Many businesses would also have to revise the link required by CCPA for every web and mobile site to “Do Not Sell or Share My Personal Information” and add a link with the words “Limit the Use of My Sensitive Personal Information” or a combined link addressing both topics (Cal. Civ. Code §1798.135(a)(1)-(3)). If more states and countries follow this approach with their own prescriptive link and text requirements, consumers will have to search much harder for valuable information on the Internet between the many conspicuous links and warnings required by law. The CPRA’s additional restrictions on information sharing would probably capture only a few more types of information exchanges given the counter-intuitively broad current definition of “selling” in CCPA (any disclosure for any valuable consideration), and the counter-intuitively narrow new definition of “sharing” in CPRA (any disclosure for cross-context behavioral advertising whether or not for consideration) (Cal. Civ. Code §1798.135(a)(1), §1798.140(ah)). Some businesses may become less concerned about the adverse brand impact of warnings that they are selling personal information with a “Do Not Sell My Personal Information” link if more businesses have to place more of these types of warnings on their online properties, which consumers can be expected to notice less and less.
Businesses would have to provide more detail in “at collection notices” (Cal. Civ. Code §1798.100(a)) which would make such notices longer and more difficult to read and comprehend. The CPRA would define “advertising” to include inducing a consumer to obtain employment, and expand restrictions on information sharing for hiring purposes and job advertisements (Cal. Civ. Code §1798.140(a)). These types of restrictions seem counter-productive in light of current unemployment statistics.
CPRA maintains and tweaks various complex and wordy exceptions, exemptions and delayed implementation dates, including for employee and business representative data that should never have been – and probably were not originally considered or intended to be – covered by a ‘consumer’ privacy law (Cal. Civ. Code §1798.145).
Data Minimization, Corrections, Sensitive Information Opt-in. CPRA adds data minimization requirements and data retention limits. These have been a fundamental principle of European Union and Canadian data protection laws, but largely absent from U.S. laws due to regard for freedom of speech and information in the United States (Cal. Civ. Code §1798.100(c); Determann, Adequacy of data protection in the USA: myths and facts, International Data Privacy Law 2016; doi: 10.1093/idpl/ipw011). California residents would receive a right to demand that businesses correct inaccurate information concerning them (Cal. Civ. Code §1798.106).
Businesses would have to comply with directions and objections from California residents regarding the use and disclosure of sensitive personal information, defined by CPRA to include credit card numbers, religion and various other categories from existing California security breach notification laws and Art. 9(1) of the EU General Data Protection Regulation (Cal. Civ. Code §1798.121, §1798.140(ae)).
Businesses face a rapidly moving target: The California Legislature enacted CCPA after an unusually short legislative process on 28 June 2018 to take effect on 1 January 2020 with requirements to disclose data processing practices after 1 January 2019. CCPA was already amended twice, in September 2018 and October 2019. Dozens of bills to further amend CCPA have been floating in Sacramento. Meanwhile, the California Attorney General published draft regulations on 10 October 2019 (based on the then-current, but since-amended version of CCPA) and significantly revised drafts on 10 February and 11 March 2020. Even though the regulations are still not final by 18 May 2020, the California Attorney General has confirmed that enforcement will on start 1 July 2020.
The text of the CCPA is long and complex, with more than 10,000 words and many counter-intuitive definitions, including “consumer” defined to mean any resident, “selling” defined to mean any sharing for any valuable consideration, and “homepage” to mean any web page. The draft regulations of the Attorney General are even more complex. When businesses read the requirement in the draft CCPA regulations, multiple times repeated verbatim (See, e.g., § 999.306(a)(2)(a)), that they shall “[u]se plain, straightforward language and avoid technical or legal jargon” in their privacy notices, they might perceive this a cynical rendition of “do as we say, not as we do.”
The CPRA is even longer and more complex than the CCPA, and the list of topics its regulations are supposed to address is more than twice as long as that in the CCPA. If the CPRA is passed in its current form this November, one can expect businesses to continue to have to deal with shifting compliance targets for the foreseeable future. Meanwhile, litigation pertaining to CCPA is in full swing.