Client Alert

2020 CCPA Ballot Initiative Gets a Makeover

12 Dec 2019

Businesses have been finalizing their plans to comply with the California Consumer Privacy Act of 2018 (CCPA) by January 1, 2020, when the law becomes operative, but the ultimate trajectory of California’s post-2020 privacy regime remains in flux. As we detailed last month, the California Privacy Rights and Enforcement Act (CPREA), a proposed ballot initiative introduced by Californians for Consumer Privacy (the nonprofit behind the original CCPA initiative in 2018), would amend and expand the CCPA if it obtains enough signatures to appear on the 2020 California ballot and is approved by voters. In November, the nonprofit filed an amended version of the initiative—renamed Initiative 19-0021A1, “The California Privacy Rights Act of 2020” (CPRA)—that narrows some of the CPREA’s obligations and expands others.  

Most notably, the CPRA would not become operative until January 1, 2023 (as opposed to January 1, 2021, under the CPREA), and its new obligations would only apply to personal information (PI) collected after January 1, 2022 (rather than PI collected after January 1, 2020, under the CPREA). If the measure is enacted in its current form, this will grant businesses much-needed time to prepare for the compliance challenges that the CPRA will introduce. 

Other areas in which the CPRA diverges from the CPREA include (but are not limited to):

  • Extending Employee and B-to-B Exceptions. The CPRA would extend the CCPA’s employee and business-to-business exceptions through January 1, 2023.  The CCPA currently contains sunset provisions under which these exceptions will become inoperative on January 1, 2021. The CPRA would also extend non-retaliation protections to employees, applicants, contractors, and consumers alike.
  • Redefining “Business.” The CPRA would expand the types of businesses subject to CCPA, including those that derive 50% or more of their annual revenues from simply storing PI. 
  • Aligning with Global Privacy Laws. The CPRA would expand the circumstances in which businesses must minimize their activities involving of PI and protect PI, drawing in many respects from existing global privacy laws such as the EU’s General Data Protection Regulation (GDPR).
  • Modifying Privacy and Security Impact Assessment Requirements. The CPRA would require the California Attorney General (AG) to adopt regulations requiring businesses whose “processing of consumers’ personal information presents significant risk to consumers’ privacy or security” to perform annual privacy and data security audits. This marks a departure from the CPREA, which required such audits based solely on the volume of records processed.
  • Eliminating Political Disclosures. The CPRA eliminates multiple CPREA provisions that would give consumers the right to request disclosures regarding businesses’ collection of PI for political purposes.  
  • Overhauling the Enforcement Regime. The CPRA prevents a business from incurring duplicative fines by clarifying that a business will not be required to pay both an administrative fine and a civil penalty for the same violation. It also revamps the funding structure of the California Privacy Protection Agency, the new enforcement agency established under the CPRA/CPREA, which would no longer be directly funded by regulatory fines. 

The full text of the CPRA can be found at the AG’s website, here.

It appears that stakeholders will not have an opportunity to comment on the amendments; the comment period for the initiative was unchanged and ended in November—a short period after the amended version was published. 

The ballot initiative serves as a stark reminder that the data privacy regulatory landscape in the U.S. will not stop changing on January 1, 2020. Our team will continue to track the initiative, the AG’s CCPA rulemaking activity, and the introduction of similar legislation in other states, and report on important developments. For more information, be sure to visit our CCPA Resource Center.



Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.