August 11, 2020

How CPRA impacts California and US data privacy law

Written by Tyler Moore

Most polls find that more than 80% of respondents are 'very' or 'somewhat' concerned about the privacy of their personal data online. The figure that should alarm businesses is a second one: 43% of businesses and consumers report avoiding organizations and services they do not trust in order to protect their data.

The California Privacy Rights Act (CPRA) builds on the California Consumer Privacy Act (CCPA) already in force. If passed by voters in November 2020, CPRA will add provisions designed to strengthen the state's data privacy program. The initiative will likely have broad commercial effects given California's large consumer population and its position as the largest state economy in the US. Some of the key elements include:

California Privacy Protection Agency 

A new California Privacy Protection Agency would take over responsibility for enforcing privacy regulations in the state, a role currently held by the state Attorney General. Its enforcement staffing would be roughly equal to the number of privacy-specialist enforcement staff the Federal Trade Commission (FTC) currently allocates to monitor the entire country.

Amending the law by simple majority 

CPRA would give the California Legislature the power to amend the law by simple majority, but only if the amendment is 'in furtherance of the purpose and intent' of CPRA, which is to enhance consumer privacy. The intent is to prevent a gradual rollback of consumer privacy rights driven by business influence on the state legislative process. Under these rules, weakening existing privacy rights would require a new ballot initiative voted on by the public.

Extending consumers’ control over personal data 

Building on CCPA's existing consumer rights to access personal data and to request deletion of personal data collected directly from them, CPRA would grant consumers the right to correct or rectify inaccurate personal information, much like the rights granted by the EU's General Data Protection Regulation (GDPR). The right to deletion would also be extended: a business receiving a deletion request would have to pass it on to the service providers, contractors and third parties to which it has disclosed the data. The law would additionally give consumers the right to limit the use and disclosure of personal information categorized as 'sensitive.'

Establishment of sensitive personal information (SPI) 

In another move mirroring a component of GDPR, CPRA would recognize certain types of personal data as having heightened sensitivity and protection. Social Security, driver's license and passport numbers, account log-in and financial account information would all be considered SPI, as would the contents of personal communications, precise geolocation, and information about ethnicity, race, religion, sex life or sexual orientation, union membership, genetic and biometric data, and health.

Distinguishing between ‘selling’ and ‘sharing’ of consumer data 

Under CCPA, consumers have the right to opt out of the downstream sale of their data to third parties. One of the inherent problems with this is that many prevalent commercial models for data use, such as those in the advertising industry, don't always involve a literal sale of data assets; they involve sharing, transfer or bidding arrangements. CPRA would close that gap by giving consumers the right to opt out of the 'sharing' of personal information, defined in the measure as disclosure for cross-context behavioral advertising, whether or not money changes hands.

Consumer power to restrict precise geolocation tracking 

Precise geolocation monitoring can be used to infer an enormous amount of information about a person, such as where they live, work, worship or seek medical care. Because precise geolocation is classed as SPI, CPRA would give consumers the option to limit its use, effectively restricting tracking to a much broader geographic area and preventing the monetization of highly sensitive inferred information.

Accounting for emails and passwords under ‘negligent data breach’ rules 

To further curb identity theft, an email address in combination with a password or security question that would permit access to an account would be added to the categories of data whose negligent exposure in a data breach triggers a private right of action. Because that right carries statutory damages, the consumer would not have to prove a material financial loss resulting from the exposure.

Extending the employee data exemption period 

Under CCPA, certain privacy exemptions apply to employee and job applicant data through January 1, 2021. CPRA would extend this date to January 1, 2023. The extension would be especially relevant as organizations adjust to the operational realities created by COVID-19, which in many cases has meant dealing with new sources of employee-generated data.

Clearer definition of a 'covered' business 

In a move that would likely relieve some pressure on small and local businesses, CPRA would raise the threshold for the number of consumers whose data a business must annually buy, sell, or share before it is covered. A business would be covered if it met any of the following: annual gross revenue in excess of $25,000,000 in the preceding calendar year; 50% or more of annual revenue derived from selling or sharing personal data; or annually buying, selling, or sharing the personal information of 100,000 or more consumers or households. That last figure is double the 50,000 originally set in CCPA.

Probable outcomes

Given the current US economic climate and the general politicization of societal issues, the only certainty is uncertainty. Still, the California legislature and voters have historically acted favorably on consumer protection, and early polling has shown a favorable reception among potential voters.

Distrust of major consumer tech companies may further nudge voters toward stronger data privacy rights. Advertising boycotts are becoming common, with major consumer brands pulling marketing campaigns from social media platforms, which further raises the public visibility of those platforms' influence and perceived business model flaws.

Many states are watching California's CPRA ballot measure closely as they draft their own legislation. Much as the EU used its heft as an economic bloc to pressure other regions into adopting similar standards, California will likely nudge other states toward policies that mirror its own. Deviating from them would make interstate digital business considerably harder.

In the long term, the greatest uncertainty surrounds the development of federal data protection and data privacy policy. In any event, as you evaluate cloud options and move toward selecting a cloud provider, favor those with a history of compliance and a strong data privacy practice.
