In June 2018, Alastair MacTaggart and Rick Arney of Californians for Consumer Privacy managed to get the California Legislature to pass the most sweeping privacy legislation in the country – the California Consumer Privacy Act of 2018 (“CCPA”). However, as we reported on September 27, 2019, it turns out that they were just getting started with CCPA. On September 25, 2019, the official proponents filed with the California Attorney General a new voter sponsored initiative that would drastically amend the CCPA, called the California Privacy Rights Act of 2020 (“CPRA”) (formerly called the “California Privacy Rights and Enforcement Act of 2020”). This week, the official proponents reached a major milestone in the process of getting CPRA in front of voters in November 2020 by submitting “well over” 900,000 signatures in support of the CPRA to county election officials.
The CPRA would amend the CCPA in a number of significant ways and would significantly expand the privacy protections that current law provides. For example, the CPRA would create a new category of “sensitive personal information,” and would provide consumers with more rights relating to the control of sensitive personal information than is provided by existing law. The CPRA would also require companies to provide consumers with information regarding the use of their personal information in automated decision-making, and require businesses to make disclosures regarding how they use personal information to influence elections. But perhaps most significant, the CPRA would create an entirely new California agency – the California Privacy Protection Agency – dedicated to enforcing the CPRA (enforcement of the CCPA is currently handled by the California Attorney General).
California law requires initiative proponents to submit petitions containing valid signatures of registered California voters. Under the California Elections Code, the number of signatures required for CPRA to reach the ballot is equal to 5% of the total number of votes cast for governor in the last California gubernatorial election in 2018. In 2020, that number is 623,212. On May 4, 2020, Californians for Consumer Privacy submitted “well over 900,000 signatures.” It is customary for initiative proponents to submit more signatures than required, as numerous signatures are often found to be invalid during the process of checking the petitions against lists of registered voters.
If the signatures are verified by county election officials using a random sampling method, the CPRA will be certified for the November 2020 ballot. That verification and subsequent announcement likely will take place within the next month.
The CPRA would significantly increase the burdens and expenses on businesses related to privacy compliance in California, a mere year after businesses struggled to achieve compliance with the CCPA. If qualified for the November 2020 ballot, the CPRA will likely result in an expensive electoral fight between business interests and privacy advocates. This week’s announcement by Californians for Consumer Privacy brings us one step closer to that electoral showdown.
Joseph W. Guzzetta is a privacy attorney in the San Francisco Office of Severson & Werson. He is the author of The Rutter Group’s California Practice Guide: Privacy Law, published by Thomson Reuters. For more information regarding CPRA, contact him at jwg@severson.com or 415-677-5622.