California citizens will most likely be asked to vote this November on a new privacy protection ballot initiative—the California Privacy Rights Act (“CPRA,” aka “CCPA 2.0”).  This latest measure aims to more closely mirror the EU’s General Data Protection Regulation (“GDPR”) by establishing broader consumer privacy rights than the current California Consumer Privacy Act (“CCPA”) and putting teeth into enforcement with the creation of the California Privacy Protection Agency.

On May 4, 2020, privacy activist Alastair Mactaggart and his Californians for Consumer Privacy organization, announced the collection of 900,000 signatures in support of the CPRA ballot initiative. California officials are currently verifying signatures through a random sampling process described in California’s Statewide Initiative Guide. If enough signatures are verified, the initiative will automatically go on the Nov. 3 ballot. According to an October 2019 poll conducted by Goodwin Simon for CFCP, “9 out of 10 California voters would vote Yes to support a ballot measure expanding privacy protections for consumers’ personal information.” If passed on Nov. 3, the CPRA could only be amended with the subsequent approval of voters at the ballot box, unlike the CCPA, which was hastily passed by the California legislature.

The CPRA would establish broader obligations for organizations conducting business in California – the largest state economy in the United States and the sixth largest economy in the world.  For example, the CPRA would: (1) give consumers new rights around the use of their sensitive personal information; (2) grant consumers the right to correct their inaccurate personal information; (3) enhance children’s privacy rights; (4) clarify data breach liability provisions; (5) restrict data-driven targeted advertising and marketing; (6) eliminate the right of a business to cure an alleged violation before being penalized; and (7) establish the California Privacy Protection Agency to enforce the CPRA.  There is some breathing room because, if passed, most CPRA provisions would not become effective until January 1, 2023.

The CPRA also includes a few business-friendly provisions. For example, under the CPRA: (1) the current CCPA Business-to-Business and Employee Exemptions would be extended until January 1, 2023; (2) businesses would not be required to disclose trade secret information in response to consumer rights requests; and (3) the threshold for covered businesses would be doubled (from 50,000 to 100,00  consumers or households) for the personal information that a covered business can buy, sell, or share, which could result in more small business exemptions.

Fey LLC will continue to closely monitor CPRA ballot initiative developments.  To ensure you don’t miss out on any articles and alerts we prepare on this or other significant data protection laws and developments, you can follow our LinkedIn page here.

Rebecca Terry

Rebecca Terry is counsel with Fey, LLC.

Keith Geekie , an information analyst with Fey LLC, contributed to this post.