In May 2020, a new form of consumer protection was announced as an initiative for inclusion on the California ballot in November. The new legislation, called the California Privacy Rights Act (CPRA), was written by the same organization that helped craft CCPA. It was submitted with over 900,000 signatures, well above the 675,000 required for inclusion on the ballot.
Despite the new name, CPRA builds on CCPA and does not replace it. There are several significant changes and clarifications that CPRA makes. Below are the more relevant changes.
A new agency, called the California Privacy Protection Agency, would be created to administer and enforce CCPA. The agency will be run by a board of 5 appointed individuals. This takes enforcement away from the California Attorney General.
There are new categories of data, including things like the contents of an email and biometric data. The challenge with this new rule is that businesses need to provide disclosures specific to each category of data. Businesses are going to need technology to categorize and track data at a more granular level. With data retention, each type of data can only be retained for as long as it is needed for the stated business use.
CCPA created a host of new consumer privacy rights, including the right to access data, delete data, opt-out of selling data, and know disclosures of data. CPRA expands these consumer rights to include the right to correct personal data.
CPRA requires businesses to create new contractual terms with their service providers for the protection.
The CPRA updates two of the criteria for determining if your company needs to comply with CCPA. The criteria for the number of records on California residents increase from 50,000 to 100,000. The criteria that more than 50% of revenue comes from the sale of personal information is changed to more than 50% of revenue comes from the sale or sharing or personal information.
When CCPA was up for a vote, at the end of 2018, last-minute negotiating and deal-making softened the blow of CCPA for businesses. CPRA may follow a similar trajectory and end up being negotiated and settled from the current language.
Despite that possibility, what is clear is that consumer privacy rights are an active area even after initial versions of legislation are passed. Californians and businesses that serve Californians need to stay up to date as their rights and obligations evolve.