What would the CPRA do?
The CPRA would impose a number of novel obligations on businesses. We have summarized the CPRA’s key additions and modifications in this post. To name a few changes, the CPRA would:
- Modify existing consumer rights and grant new rights, including a right to correction, a right to limit use and disclosure of sensitive personal information, and a right to opt out of “sharing,” which the CPRA considers sharing of personal information for cross-context behavioral advertising regardless of whether consideration is exchanged
- Require businesses to enter into contracts with all entities to which the business discloses personal information
- Remove the CCPA’s 30-day “cure” period
These changes would come into effect January 1, 2023, and with the exception of the access right, would apply to only personal information collected after January 1, 2022. The CPRA would also extend the CCPA’s temporary exceptions for B2B and human resources data until January 1, 2023.
How did the CPRA come to be?
The CPRA is the latest consumer privacy ballot initiative from Californians for Consumer Privacy, a non-profit led by Celine and Alastair Mactaggart. Californians for Consumer Privacy was also behind the 2018 ballot initiative that, in a feat of last-minute deal-making, was pulled from the 2018 ballot in exchange for the enactment of the CCPA.
The organization introduced the CPRA ballot initiative in late 2019 given concerns that the CCPA did not sufficiently protect consumer privacy. The text of the proposed initiative went through several rounds of negotiations with interested parties. The final text of the CPRA was published on November 13, 2019. Californians for Consumer Privacy submitted over 900,000 signatures in support of the CPRA on May 4, 2020, and on June 24, 2020, the Secretary of State confirmed that the initiative had enough valid signatures to appear on the November 2020 ballot.
Can the CPRA be avoided through legislative revisions to the CCPA?
We will not see a repeat of 2018’s last-minute deal-making to avoid the CPRA. California’s Elections Code allows a proponent to remove only a “proposed” initiative. Initiatives are considered “proposed” until the Secretary of State issues a certificate of qualification on the 131st day before the next statewide general election. June 25, 2020, is the 131st day before the next statewide general election, and the Secretary of State has announced that his office will qualify the measure on June 25, 2020.
How likely are voters to approve the CPRA?
While we will not know the results until the ballots are counted in November, preliminary polling conducted in October 2019 suggests that approximately 9 of 10 California voters would vote “yes” to support a ballot measure expanding privacy protections for consumers’ personal information. If this holds true, then CPRA—which needs only a majority vote to pass—would have overwhelming support come November.
What happens if voters approve the CPRA?
The immediate impacts on businesses will be minimal, at least until the lead up to January 1, 2023, as the CCPA would continue to be governing law until January 1, 2023.
The provisions establishing the California Privacy Protection Agency would come into effect five days after the Secretary of State certifies the election results per Cal. Const. art II section 10(a). The Agency would assume enforcement and rulemaking authority currently delegated to the Attorney General under the CCPA. The CPRA would require final regulations implementing the provisions of the act to be promulgated by July 1, 2022. Enforcement of the provisions added or modified by the CPRA would commence July 1, 2023 and would apply to only violations of the law that occur after that date
Leah Issokson, a paralegal in our Washington, D.C. office, contributed to this entry.
Authored by Bret Cohen, Mark Brennan, Timothy Tobin and Filippo Raso.