New California Privacy Rights and Enforcement Act (CalPREA) Ballot Initiative
Alastair Mactaggart, developer of the ballot initiative that led to the California Consumer Privacy Act (“CCPA”), has announced a “new experiment” – a November 2020 California ballot initiative to expand the scope of data privacy rights under the CCPA. In a released draft of the proposed initiative and an accompanying letter announcing his new California Privacy Rights and Enforcement Act (CalPREA) initiative, Mactaggart explained that his ballot initiative would seek to:
- Create a new California Privacy Protection Agency (“CPPA”) entity to enforce the CCPA, a responsibility that is largely now in the hands of the California Attorney General. The CPPA is intended to have five members, including the Chair. Within 90 days of the effective date of the Act, the state Governor may appoint the Chair and one member of the CPPA, and the Attorney General, Senate President Pro Tem, and Speaker of the Assembly shall each appoint one member;
- Require companies to disclose more detail regarding profiling algorithms used for purposes of determining eligibility for financial or lending services, housing, insurance, education admission, employment, or health care services;
- Increase penalties for violations of children’s privacy by tripling the amount companies are fined for collecting or selling the personal information of minors under 16 year of age without consent;
- Require companies to disclose whether, and how, they use personal information to influence elections;
- Add a category of “sensitive personal information” to carve out additional privacy rights such as opt-in before sale, and opt-out of its use for advertising altogether. Such “sensitive personal information” combines the categories that are specially protected under US and EU law and would include social security numbers, certain log-in credentials, precise geolocation, racial or ethnic origin, contents of privacy communications, biometrics and information about a person’s health or sexual orientation;
- Clarify the private right of action’s “cure” provision will not be satisfied merely by the implementation and maintenance of reasonable security procedures and practices following a breach;
- Allow the California State Legislature to make additional amendments to the CCPA with a simple majority vote only when those amendments further the CCPA.
- At present, companies are still awaiting release of regulations from the California Attorney General regarding the existing CCPA before its rights go into effect on January 1, 2020, with enforcement by the Attorney General starting no later than July 1, 2020.
The introduction of this second initiative has the potential to usher in another wave of amendments and legislative negotiations that may add further complexity and uncertainty to CCPA compliance. CalPREA may well be part of a larger effort to seek to have California recognized as having data protection deemed “adequate” by European standards. Covered companies will need to stay vigilant and continue to evaluate how to build compliance programs in light of the ever-evolving laws of California. Indeed the text of the CalPREA initiative can be changed for the next 30 days. With these revisions, Mactagggart would set California on a course to raise the international level of data protection programs; even companies that are fully compliant with Europe’s General Data Protection Regulation will need to take California compliance into special account.
Multiple other states are expecting to take up privacy laws in the new legislative sessions as well. Roughly two dozen other states and territories proposed new bills targeting consumers’ data privacy rights in their last legislative sessions. The interplay of these potentially inconsistent state laws will lead to complex choices of law and conflict of law issues that have to date largely been unnecessary to address.
Calls for federal legislation were already issued before Mactaggart’s latest announcement, and it will no doubt fuel these efforts. Prominent companies have been urging Congress to pass a comprehensive federal data privacy bill that would preempt state privacy laws in order to provide uniformity and concrete guidance. That said, federal privacy legislation seems to be an uphill push. Given other priorities on Capitol Hill, we do not currently expect a federal privacy law until 2021 at the earliest.