CPRA analysis: News for CCPA-regulated ‘businesses’
However, the CPRA’s presence on the ballot is still not a “done deal.” County election officials and the secretary of state will now begin the process of reporting and verifying the signatures, which may last through June 25th. Californians for Consumer Privacy has announced that it has collected about 900,000 signatures. 675,000 valid signatures are required to place the Initiative on the ballot.
Early polling strongly suggests that if the CPRA — aka CCPA 2.0 — is certified for the ballot, it will pass and become effective Jan. 1, 2023, and move California privacy law a bit further in the direction of the EU General Data Protection Regulation.
The CPRA would amend the language of the CCPA and require additional rulemakings, which would introduce new uncertainties. Here are highlights of how the CPRA would change the CCPA.
Some good news for CCPA-regulated ‘businesses’
Limit businesses’ liability for violations of the law by “third-party” businesses.
Create an operationally significant limited exception to deletion and access rights for many types of unstructured data.
Clarify the definition of “sale” and differentiate and exempt from the “Do Not Sell” right and the CCPA “selling” notice requirements, the “sharing” of personal information for cross-context behavioral advertising in some instances.
Clarify that businesses may offer loyalty, rewards, premium features, discounts or club card programs.
Amend the second threshold of the definition of a “business” to remove “devices” and increase the number of consumers or households from 50,000 to 100,000 or more, thereby exempting more small businesses.
Exempt businesses from needing to provide access to “specific pieces of personal information” from data generated to help ensure security or integrity or as prescribed by regulation.
Extend the employee and business-to-business moratoria to Jan. 1, 2023, allowing time to address employee privacy questions in a separate bill.
Some bad news for CCPA ‘businesses’ and ‘service providers’
Companies subject to the CPRA would need to update their California privacy programs to include a new:
Category of personal information, sensitive data, defined (somewhat differently than under the GDPR) as government identifiers, account and login information, precise geolocation data, racial or ethnic origin, religious or philosophical beliefs, union membership, contents of mail, email and text messages, genetic data, and certain sexual orientation, health and biometric information.
Set of requirements for this sensitive data, including a right to limit its use to what is necessary for the purposes for which it was collected (i.e., to prohibit secondary uses), a new notice requirement to provide a separate link titled “Limit the Use of My Sensitive Personal Information” or to honor an optional technical opt-out signal, and additional data minimization requirements.
Data minimization obligation, together with a requirement to tell consumers how long each category of personal information will be retained.
Right to correct inaccurate personal information.
Right to know, access and receive personal information collected beyond the 12-month lookback period, for data collected on or after Jan. 1, 2022.
Direct obligations on service providers to assist businesses with CPRA compliance activities.
Definition of cross-context behavioral advertising and related limitations that, as noted above, exempt certain analytics functions but clearly subject this activity to do-not-sell obligations.
Type of business covered under the CCPA — a joint venture or partnership composed of businesses in which each business has at least a 40% interest.
Inclusion of email account credentials in the categories of personal information potentially subject to the CCPA “reasonable security” private right of action under Section 1798.150(a).
Enforcement and fines
A new California Privacy Protection Agency would replace the attorney general’s office as the regulator implementing CPRA rules and enforcing its requirements against violators. Penalties would be tripled for violations regarding minors under the age of 16, and the private right of action for consumers is expanded to cover breach of an email address in combination with a password and security question and answer permitting access to the email account.
Also on the state privacy law horizon
The Washington Privacy Act failed for the second year in a row, and COVID-19 stay-at-home orders cut short legislative sessions in most other states where omnibus privacy bills had some chance of passing. Stay tuned for further potential privacy legislation in California, which considered several privacy bills at an Assembly Privacy Committee hearing May 4, and in New Jersey, if that state’s legislature is able to reconvene in the fall. It is also worth watching the evolution of the U.S. Uniform Law Commission’s draft model uniform privacy law, which is likely to be finalized next summer and whose content remains highly unsettled as of now.
All this state activity may generate new interest in a federal privacy law.
Note on signature verification: County election officials must report the number of raw (unverified) signatures to the secretary of state. If the raw count equals 100% or more of the necessary signatures, the secretary of state is required immediately to notify county election officials to conduct a random sample of signature validity. Within 30 business days of receipt of notice from the secretary of state, county election officials are charged with conducting the sampling verification of the validity of the signatures.