Businesses with operations in California should expect their data privacy compliance obligations to get a lot more complicated next year.
That’s because voters may choose to replace the California Consumer Privacy Act (CCPA)—the country’s only currently enacted data privacy law, which took effect Jan. 1—with the California Privacy Rights Act (CPRA). The Nov. 3 California state ballot asks voters to approve Proposition 24 and enact the CPRA. The law would expand the definition of sensitive personal information and add a host of new data collection, use, and storage compliance requirements for businesses, many of which are still struggling to comply with the CCPA.
In addition, Proposition 24 proposes to take regulation and enforcement of the CCPA away from the California Attorney General’s Office and place those functions in the hands of a new independent entity, the California Privacy Protection Agency (PPA).
While the CPRA would take effect Jan. 1, 2023, the new agency could begin work as soon as July 1, 2021, supported with $10 million a year in state funds. And that new agency would enforce the CCPA until the CPRA takes effect.
This is a key point. With $10 million in annual funds, the PPA can hire between 46 and 50 full-time employees dedicated to making rules, pursuing investigations, and handing down enforcement actions for the state’s data privacy law, be it the CCPA or CPRA. Compare that headcount to the Federal Trade Commission (FTC), which has 61 employees dedicated to enforcing the entire country’s privacy and identity protection laws, according to its 2020-21 budget.
One of the new California agency’s employees would be a chief auditor, whose primary function would be to audit state businesses’ data practices. Under the CPRA, relevant businesses would be required to submit an annual cyber-security audit, as well as risk assessments as often as the agency deems necessary.
“This agency’s entire existence will be completely focused on enforcing privacy law,” said Dan Clarke, president of IntraEdge, an Arizona-based software firm that helps companies comply with data privacy regulations like the CCPA and the EU’s General Data Protection Regulation (GDPR). “This will be a massive change in the enforcement landscape.”
Originally, the CCPA was the state legislature’s attempt to thwart a data privacy law ballot question pushed by Alastair Mactaggart, a wealthy real estate developer. Mactaggart says the CCPA represents a version of his bill that was weakened by legislators, lobbyists, and Big Tech. This time around, Mactaggart says he has spent $5 million to promote the CPRA, a law he says will provide California residents with “the fundamental right of data privacy and be able to control their own personal information.”
Should Proposition 24 pass, the CPRA would contain elements of what is currently considered the gold standard of data privacy protection law, the GDPR. Following the GDPR’s lead, the CPRA would expand on what data is considered “sensitive personal information” and would create new rules for how to handle that data. While the CCPA only regulates personally identifiable information (PII) that is sold, the CPRA extends those rules to sensitive data that is shared, say with partners or third parties. In addition to being able to opt out of having personal information sold under the CCPA, consumers would also have the right to correct their personal data under the CPRA, as well as to limit how long it is stored and how much personal data companies can collect. The CPRA would also allow consumers to request that companies obscure their geolocation data by up to one-third of a mile.
Some of these provisions “will bake in the GDPR’s best practices into the new law, which will be beneficial,” said Bob Swanson, a compliance research consultant with Swimlane, a Colorado-based cyber-security solutions provider.
Both the CCPA and the CPRA include a private right of action, which allows consumers to sue companies that mishandle their data. (Other states leave the right to sue for a data breach with their state attorney general). Under the CCPA, there is a 30-day “cure period” in which companies can repair the damage in the aftermath of a breach before being sued, according to a National Law Review blog post. The CPRA drops the cure period.
Will Proposition 24 pass?
There’s only been one poll—released in early August and paid for by the bill’s proponents—that found 81 percent of 605 likely voters support the measure. Proposition 24 has the support of some consumer advocacy groups, labor unions, and the California State Conference NAACP.
And Proposition 24 supporters collected signatures of over 900,000 voters to get it placed on the ballot.
There is an organized opposition group, No on Prop 24, but it doesn’t seem particularly aggressive, Clarke said.
“It’s pretty clear to me it’s going to pass,” he said. Proposition 24 “is basically asking people if they want their personal data protected. Who doesn’t want their data protected?”
However, some groups that one might expect would support a data privacy measure have indicated their opposition, like the American Civil Liberties Union of California and tech groups like the Electronic Frontier Foundation, the Internet Association, TechNet, and the Computing Technology Industry Association.