United States: The Group Behind The CCPA Aims To Strengthen It With A New Ballot Initiative

On September 25, 2019, Californians for Consumer Privacy, the nonprofit group behind what became the California Consumer Privacy Act enacted last year, filed a new ballot initiative, “The California Privacy Rights and Enforcement Act of 2020” (CPREA). The CPREA is intended to significantly revamp and strengthen the CCPA. If passed, the law would require California to establish a new data protection agency responsible for enforcing privacy violations and issuing new regulations. Specifically, it would add new restrictions or obligations, including opt-out rights regarding targeted advertising, opt-in requirements for the sale of sensitive information and duties for sensitive information, disclosure requirements for use of sensitive information for political purposes, an expanded definition of public information and a clarification of de-identified information, a new right of rectification, and greater protection of minors.

To be placed on the ballot for the November elections, the group will need to collect more than 620,000 signatures of registered California voters.

The CCPA, which the legislature extensively amended earlier this month and is not yet effective, is itself a significant expansion of privacy law, granting California consumers broad rights to control their personal information. Once effective, California’s law will be the strictest in the nation and will impose significant new obligations on companies with respect to personal information of California residents. The final step is for the California Attorney General to issue regulations relating to the CCPA. The law takes effect on January 1, 2020, with enforcement delayed until six months after issuance of the Attorney General’s regulations, or July 1, 2020, whichever is sooner.

Establishing the California Privacy Protection Agency

To strengthen enforcement of California’s privacy laws, the CPREA proposes to establish a new regulatory body called the California Privacy Protection Agency (CPPA) (similar to data protection authorities under the GDPR). The CPPA would implement and enforce the CCPA and the CPREA through a variety of means, such as:

  • Initiating administrative and civil enforcement actions;
  • Adopting, amending, and rescinding California privacy regulations;
  • Guiding companies on privacy compliance issues;
  • Guiding consumers on their privacy rights; and
  • Provide technical assistance and advice to the legislature regarding privacy-related legislation.

The Agency would have five members appointed by California’s Attorney General, Senate President Pro Tem, Speaker of the Assembly, and the Governor. Members may not serve for longer than eight consecutive years. The Agency would then appoint an executive director, officers, counsel, and employees.

Additional Rights and Duties Regarding the Collection and Management of Sensitive Personal Information

The CPREA introduces the concept of “Sensitive Personal Information,” defined as:

“a consumer’s social security, driver’s license, state identification card, or passport number; a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; a consumer’s precise geolocation; personal information revealing a consumer’s racial or ethnic origin, religion, or union membership; the contents of a consumer’s private communications, unless the business is the intended recipient of the communication; a consumer’s biometric information; data concerning a consumer’s health; data concerning a consumer’s sexual orientation; or other data collected and analyzed for the purpose of identifying such information.”

The CPREA would create new rights regarding Sensitive Personal Information, including:

  • Opt-in for sale: requiring consumers to expressly opt-in to the sale of Sensitive Personal Information. This differs from the opt-out approach for other personal information defined in the CCPA.
  • Opt-out for sale: requiring businesses to (1) provide notice to consumers that their sensitive personal information may be used or disclosed to a service provider or contractor for advertising and marketing and that consumers have the right to opt-out of such use or disclosure; and (2) provide easily accessible tools for consumers to obtain their personal information, delete it, correct it, and opt-out of the sale of their personal information.
  • Transparency: the CPREA would require new disclosures regarding the collection and use of Sensitive Personal Information, and limit businesses’ use of the information to what was in disclosure.

Additionally, the CPREA would require transparency regarding automated decision-making processes that use Sensitive Personal Information.

New Right of Rectification

The CPREA would create a new right to require, upon request by a consumer, that a business use commercially reasonable efforts to correct inaccurate personal information the business maintains.

Businesses also would need to disclose to consumers their right to request correction of inaccurate personal information.

User of Personal Information for Political Purposes—New Rights to Know

Consumers will now have a right to request from a business the categories of person to whom that customer’s personal information was disclosed for a business purpose. CPREA also gives consumers the right to request from a business details about information shared for political purposes, including names of candidates or organizations and uses to which the information was put.

Expanded Definition of Public Information

The term “personal information” still would exclude “publicly available” information as it does under the CCPA, but it now also would exclude de-identified information. The CPREA expands the definition of “publicly available” to include “information that a business has a reasonable basis to believe is lawfully made available to the general public from widely distributed media, or by the consumer, or by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.”

Clarification of What Is De-identified Data

The CPREA would clarify the definition of “de-identified” to mean information that cannot reasonably be used to infer information about, or otherwise be linked to, an identifiable consumer, provided that the business that possesses the information:

(A) takes reasonable measures to ensure that the information cannot be associated with a consumer or household;

(B) publicly commits to maintain and use the information in de-identified form and not to attempt to re-identify the information, except as necessary to ensure compliance with this subdivision; and

(C) contractually obligates any recipients of the information to comply with all provisions of this subdivision.

New Definitions of Contractor and Service Provider

The CPREA would define the term “contractor” to mean a person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, so long as the contract contains (1) some outlined prohibitions relating to consumers’ personal information and (2) a certification of the contractor’s compliance with the prohibitions.

The term “service provider” would be expanded to now include:

  • Retaining, using, or disclosing the information outside of the direct business relationship between the service provider and the business; and
  • Combining the personal information that the service provider receives from or on behalf of the business, with personal information from other sources.

Importantly, if a service provider engages another person to assist in performing a business purpose on behalf of the business, the service provider must notify the business and contract with the other person to observe all the requirements in the definition of a “service provider.”

Clarification of Business Purposes

“Business Purpose” is clarified to mean the use of personal information for the business’s or service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed.

Specific business purposes are enumerated, such as auditing relating to the interaction with the user, debugging, verification, quality or safety assessment, short-term transient use, performance of services on behalf of the business or service provider, and internal research for technological development and demonstration.

Greater Protection of Minors

Among a few increased privacy protections for minors, the CPREA triples CCPA’s fines for violations governing the collection and sale of children’s private information. It also requires opt-in consent to collect data from consumers under the age of 16.

Amending Process

California is one of 24 states that have ballot initiatives. In California, for an initiative to appear on the ballot, the sponsors need to obtain the signatures of five percent of the total gubernatorial vote in the most recent election. Under California law, ballot initiatives can only be amended through a separate popular vote and not through the legislative process—a drawback of the initiative process.

The CPREA is designed to be amended through a majority vote in the California Legislature, however, so long as the amendments are consistent with and further the purpose and intent of the CPREA.

Next Steps

The goal of Californians for Consumer Privacy is to obtain enough signatures for the CPREA to be put on the November 2020 ballot. If passed, the CPREA will become effective on January 1, 2021, but will only be applicable to personal information collected by a business on or after January 1, 2020, the date the CCPA will become effective.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
Weintraub Tobin Chediak Coleman Grodin Law Corporation
 
In association with
Practice Guides
by Mondaq Advice Centers
Relevancy Powered by MondaqAI
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Weintraub Tobin Chediak Coleman Grodin Law Corporation
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions