Businesses have been finalizing their plans to comply with the California Consumer Privacy Act of 2018 (CCPA) by January 1, 2020, when the law becomes operative, but the ultimate trajectory of California’s post-2020 privacy regime remains in flux. As we detailed last month, the California Privacy Rights and Enforcement Act (CPREA), a proposed ballot initiative introduced by Californians for Consumer Privacy (the nonprofit behind the original CCPA initiative in 2018), would amend and expand the CCPA if it obtains enough signatures to appear on the 2020 California ballot and is approved by voters. In November, the nonprofit filed an amended version of the initiative—renamed Initiative 19-0021A1, “The California Privacy Rights Act of 2020” (CPRA)—that narrows some of the CPREA’s obligations and expands others.
Most notably, the CPRA would not become operative until January 1, 2023 (as opposed to January 1, 2021, under the CPREA), and its new obligations would only apply to personal information (PI) collected after January 1, 2022 (rather than PI collected after January 1, 2020, under the CPREA). If the measure is enacted in its current form, this will grant businesses much-needed time to prepare for the compliance challenges that the CPRA will introduce.
Other areas in which the CPRA diverges from the CPREA include (but are not limited to):
The full text of the CPRA can be found at the AG’s website, here.
It appears that stakeholders will not have an opportunity to comment on the amendments; the comment period for the initiative was unchanged and ended in November—a short period after the amended version was published.
The ballot initiative serves as a stark reminder that the data privacy regulatory landscape in the U.S. will not stop changing on January 1, 2020. Our team will continue to track the initiative, the AG’s CCPA rulemaking activity, and the introduction of similar legislation in other states, and report on important developments. For more information, be sure to visit our CCPA Resource Center.