Nearly a year after the California Consumer Privacy Act (CCPA) went into effect, Californians now have a chance to weigh in on the California Privacy Rights Act of 2020 (CPRA), which is on the November 3, 2020, ballot as Proposition 24. The CPRA is designed to strengthen consumer privacy protections by amending the CCPA to close certain loopholes, heighten enforcement through the creation of a California Privacy Protection Agency, and prevent the California legislature from weakening the law. While many applaud the CPRA’s efforts, several groups—including the American Civil Liberties Union—have raised concerns that the CPRA is confusingly drafted, could worsen some of the CCPA’s loopholes, and may have the opposite effect of creating a ceiling on privacy legislation.
Below are a few highlights from Prop 24.
Data Retention: Section 1798.100(a)(3) specifies that a business that controls the collection of a consumer’s personal information shall, at or before the point of collection, inform consumers as to “the length of time the business intends to retain each category of personal information” or, if that is not possible, “the criteria used to determine such period.” “[A] business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.” Data retention was not fully addressed in the original CCPA, and it is a good common-sense measure from both a privacy and data security perspective.
Sharing of Data: In response to covered entities narrowly interpreting the “sale” of personal information under the CCPA, the CPRA amends Section 1798.115 to provide that a customer shall have the right to know what personal information is sold or shared, and the categories of parties to whom the personal information was sold or shared. Section 1798.120 is also amended to reflect that consumers have a right to opt out of the sale or sharing of personal information. The business must also provide a clear and conspicuous link titled “Do Not Sell or Share My Personal Information.” See Section 1798.134(a)(1).
Global Opt-Out of Sale or Sharing of Personal Data: The CPRA calls for regulations to define a universal “opt-out preference signal sent by a platform, technology, or mechanism, to indicate a consumer’s intent to opt-out of the sale or sharing of the consumer’s personal information and to limit the use or disclosure of the consumer’s sensitive personal information.” The global opt-out mechanism is a response to the tedious, and sometimes opaque, task of having to opt out of the sale of personal information individually with each covered entity. (N.B.: The California Attorney General’s final CCPA rules require companies to honor a global “Do Not Sell” user-enabled privacy control, such as a browser plug-in or privacy setting, device setting, or other mechanism.)
Sensitive Information: Sensitive personal information is expressly defined, and includes information such as social security, driver’s license, state identification and passport number; a customer’s account log-in, financial account, debit card or credit card number in combination with any required security or access code or other credentials; precise geolocation; racial or ethnic origin; religious or philosophical beliefs; union membership; the contents of mail, email and text messages; genetic data; biometric information; health information; and sex life or sexual orientation, among others. Section 1798.140(ae). Section 1798.121 is added to provide that a consumer has the right to limit use and disclosure of sensitive personal information. Businesses must also provide a clear and conspicuous link on the business’s internet homepage titled “Limit the Use of My Sensitive Personal Information.” Section 1798.135(a)(2).
Consent: Defined as “any freely given, specific, informed and unambiguous indication of the consumer’s wishes by which he or she . . . such as by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose.” Section 1798.140(h).
Enforcement: The CPRA establishes a California Privacy Protection Agency with full power, authority, and jurisdiction to implement and enforce the CCPA, and removes the “right to cure” language in the attorney general enforcement section.
Floor: The CPRA can be amended by the legislature only if the amendment is consistent with and furthers the initiative’s purposes and intent to “further protect consumers’ rights, including the constitutional right to privacy.”
With the uncertain prospect of a federal privacy bill, and California and the CCPA setting the de facto data privacy standard in the US, perhaps other states are waiting to see what happens with Prop 24 before rolling out their own initiatives. Some recent polling suggests that voters overwhelmingly support Prop 24, with 77% of likely voters saying they will vote YES on the ballot measure.