By: Linda L. Goodman
A proposal to bolster the CCPA has received enough signatures to qualify for November’s general election ballot. While 675,000 valid signatures were required, Californians for Consumer Privacy — the nonprofit that proposed the measure — collected 900,000. If adopted, this measure would effectively amend the CCPA. Now identified as the California Privacy Rights Act of 2020 (“CPRA”) would give consumers the right to limit the use and disclosure of sensitive personal information, to opt out of the sale and sharing of that data, and to correct inaccuracies in the data.
The Attorney General’s official summary of the measure is concerning in the following ways:
NEW RIGHTS TO CONSUMERS. Permits consumers to: (1) prevent businesses from sharing personal information; (2) correct inaccurate personal information; and (3) limit businesses’ use of “sensitive personal information” with a definition of generally adopted non-personal information like geolocation; race; ethnicity; religion; and sexual orientation. It also changes criteria for which businesses must comply with these laws. Prohibits businesses’ retention of personal information for longer than reasonably necessary. Triples maximum penalties for violations concerning consumers under age 16. More importantly – it establishes yet another bureaucracy “California Privacy Protection Agency” to enforce and implement consumer privacy laws and gives this agency broad discretion to impose administrative fines. As a result, yet more substantive regulations will be forthcoming.
Here are some of the concerning changes which would essentially expand the CCPA and change its enforcement mechanism.
NEW ENFORCEMENT AGENCY. The CPRA creates the California Privacy Protection Agency who will fully administer, implement, and enforce the legislation instead of letting that role fall to the California Attorney General. This is similar to the GDPR in the EU, where independent public authorities are granted broad investigative and enforcement authority. Moreover, this new enforcement agency will develop and adopt their own rules to implement the both the CCPA and the CPRA and that will be done by 2022. A year later, they will begin enforcement action.
EXPANDED SCOPE OF PROTECTED PERSONAL INFORMATION. CPRA creates new categories of personal information called “sensitive personal information,” and adds protections roader than those afforded to the already broadly defined “personal information.” The definition of “sensitive personal information” includes government identifiers; account and login information; precise geolocation data; racial or ethnic origin; religious or philosophical beliefs; union membership; contents of mail, email, and text messages; genetic data; and certain sexual orientation, health and biometric information. Again, this approach is similar to GDPR, which identifies “special categories of personal data” that likewise receive more protection than the general category of personal information already broadly defined and protected under the GDPR.
LIMITS “SHARING’ OF INFORMATION. CPRA fully empowers consumers to direct businesses not to sell or share their personal information, so businesses would again need to update their links and backend systems to comply. In this aspect, it goes beyond the GDPR restrictions which does not include an opt-out on data sale.
NO MORE STORING INFORMATION. The CPRA adds a new requirement that consumers be notified of the length of time a business intends to retain each category of personal information, and the agency may investigate it to ensure that business not store information “for longer than is reasonably necessary for that disclosed purpose.” This is also in line with the GDPR, which prohibits retention of data for “longer than necessary.”
ENFORCEMENT HAS AN INCENTIVE. CPRA enforcement is a new bank for California. Under California law, fines are deposited in a Consumer Privacy Fund that is used to offset the government’s expenses in administering the act. Under the proposed CPRA, 3% of those funds would be assigned to nonprofit organizations that promote and protect consumer privacy. That is a considerable incentive for enforcement actions.
PREPARE COMPLIANCE PROCESSES NOW! Despite the fact that the CCPA was only recently implemented, with enforcement actions beginning July, businesses subject to the CCPA will want to follow the progress of the CPRA. The timing on the passage will short cut any time to prepare for certain enforcement actions. The final CPRA legislation could become effective on January 1, 2023, but will apply to data collected on or after January 1, 2022. Thus, it will appear that the CPRA is being retroactively applied. This is not true – it is the difference between when the law is adopted, and enforcement begins. For now, businesses with ties to California or that collect, process, or use data of California residents should ensure they comply with existing proposed regulations under the CCPA, but should watch for any potential enforcement cases that might involve additional guidance. Businesses should also maintain strong internal programs to ensure that personal information is properly collected and safely stored. Technical changes or adjustments should keep in mind the soon to be adopted expansion of the definition of “personal information” and “sensitive personal information.”
______________________________________________________________________
This article is a publication of The Goodman Law Firm and is intended to provide information on recent legal developments. This article does not create an attorney-client relationship, nor should it be construed as legal advice or an opinion on specific situations. This may constitute “Attorney Advertising” under the Rules of Professional Conduct and under the law of other jurisdictions.
Linda L. Goodman is the founder of The Goodman Law Firm, concentrating its practice in internet business and law. Her firm’s clients include Advertisers, Affiliates, Affiliate Networks, and ISP’s.
© 2020 TGLF, A.P.C.