Purvi G. Patel, Joseph Roth Rosner, and Robert N. Famigletti
Consumer Litigation and Privacy + Data Security
Businesses have been tirelessly preparing for the California Consumer Privacy Act of 2018 (CCPA), which becomes operative on January 1, 2020. But Californians for Consumer Privacy, the nonprofit behind the 2018 ballot initiative that was withdrawn with the passage of the CCPA, has been busy too. It recently announced a new ballot initiative that would significantly amend the CCPA and, if successful, once again radically shift the privacy landscape in California. If it obtains sufficient signatures, Initiative 19-0019, the California Privacy Rights and Enforcement Act of 2020 (CPREA), will appear on the November 2020 California ballot.
In announcing the Initiative, Californians for Consumer Privacy indicated that the CPREA is intended to prevent changes to the CCPA that would undermine its consumer protections, noting in the Initiative’s preamble that businesses have tried to “weaken” the CCPA through amendments. Nonetheless, the CPREA would preserve certain aspects of the recently passed, business-friendly CCPA amendments, including retaining a partial exception for certain personal information (PI) relating to employees.
What’s different and what’s the same?
The CCPA was a first-of-its-kind U.S. consumer privacy law. The CPREA, while similarly novel, would amplify the privacy rights of California residents and the corresponding obligations imposed on businesses and their vendors. The CCPA created five “core” consumer rights:
The CPREA would expand the scope of the notice, access, and deletion rights, as well as add new privacy rights. For example, under the CPREA, California residents would have the right to request that businesses correct inaccurate PI and the right to opt out of the use of “sensitive PI” for marketing. The CPREA would also require businesses to maintain the accuracy and security of the PI they collect, as well as disclose their political activities and their automated profiling practices involving PI. Finally, under the CPREA, businesses would be subject to a new administrative enforcement regime.
In light of the many uncertainties regarding the future of the CPREA, including whether it will be certified for the ballot and, if so, whether it will pass, companies should continue to focus on their CCPA compliance planning in advance of the CCPA’s January 1, 2020 operative date. If voters approve the Initiative, the CPREA would become operative on January 1, 2021. Nonetheless, the obligations imposed by the CPREA would apply to PI that a business collects after January 1, 2020.
The CPREA is as complex as the CCPA. Many of the Initiative’s proposed changes to the CCPA require further study, particularly with respect to new and revised definitions and interactions with other laws. Below is a high-level overview of certain key provisions of the CPREA.
CPREA’s EXPANSIONS OF THE CCPA
a) Disclosures and notices
The CCPA will require businesses to disclose the categories of PI collected and the purposes of their collection or use. Under the CPREA, businesses would be required to disclose their PI retention periods, as well as the types of sensitive PI they collect, the specific purposes of such collection or use, and whether they sell sensitive PI. Furthermore, consumers would be permitted to request disclosures regarding their PI beyond CCPA’s 12-month “lookback” period, and businesses would be required to provide that information unless doing so would involve a “disproportionate amount of information or would be unduly burdensome.”
The CPREA would also require disclosures of the “logic” behind automated profiling practices that may have a significant adverse impact on consumers in certain contexts (decisions impacting access to lending, insurance, health care, housing, education, or employment opportunities). In addition, the CPREA would mandate disclosures regarding the use of PI for political purposes (including the specific candidates or causes being supported).
b) Expanded consent and opt-out rights for “sensitive” personal information and opt-in rights for collection of minors’ personal information
The CCPA will provide California residents with the right to opt out of the sale of their PI. In this regard, the CPREA would expand the CCPA’s definition of “sale” to include disclosures for a “commercial purpose,” including “cross-context behavioral advertising.” In addition, the CPREA would introduce heightened protections for “sensitive” PI, prohibiting businesses from selling sensitive PI unless a consumer has provided opt-in consent. The CPREA would also create a new right for consumers to opt out of the use or disclosure of sensitive PI for marketing or advertising purposes.
The CPREA’s definition of “sensitive PI” includes many of the types of PI that are currently covered under California and other state breach-notification and data-safeguards laws, such as medical records, biometric information, Social Security numbers, and government-issued identification numbers, as well as some that are not, such as precise geolocation. The definition also includes PI concerning race or ethnicity, union membership, and “the contents of a consumer’s private communications.”
CPREA would also require opt-in consent for the collection of PI from consumers younger than 16 years old, and parental or guardian consent for the collection of PI from minors under 13.
c) Service-provider and third-party obligations
The CCPA will require businesses to direct service providers to delete the PI of consumers who submit a deletion request to the business. Under CPREA, a business must direct “all third parties” and contractors who have accessed a consumer’s PI from or through the business to delete the consumer’s PI, not just service providers. The CPREA would also mandate that businesses include specific data protection obligations in contracts with (i) third parties to whom businesses sell PI and (ii) service providers or contractors to whom businesses disclose PI.
d) Additional enforcement capabilities
While the scope of the private right to action for data security incidents remains largely unchanged, the CPREA would establish a new California Privacy Protection Agency to administer and enforce the new law. 
Upon a finding of probable cause that a business has violated the law, the Agency would be permitted to commence an administrative hearing, at the end of which it may impose injunctive relief, or administrative fines of (i) $2,500 per violation or (ii) $7,500 per intentional violation or any violation involving a minor. The Agency would be required to pause any action or investigation to permit the California attorney general (AG) to bring its own civil action against a business to seek injunctive relief and/or civil penalties of the same amount per violation. If, however, the Agency has issued an order against the violator, the AG would not be permitted to bring a civil action for the same violation.
The CPREA would become operative on January 1, 2021. But, as with the CCPA, there is a disconnect between the operative date and the deadline for final regulations. The deadline for regulations governing the CPREA’s new provisions would be January 1, 2022, one year after the operative date. The CPREA is silent as to when the Agency or the AG would be permitted to begin enforcing the new provisions (unlike the CCPA, which imposed a six-month delay before the AG could bring an enforcement action). If the Initiative passes, the Agency would ultimately assume sole rulemaking authority over the CCPA and CPREA, beginning the earlier of July 1, 2021, or six months after the Agency provides notice to the AG that it is prepared to take over rulemaking.
CPREA’S NEW RIGHTS AND OBLIGATIONS
a) Right to correction
Under the CPREA, California residents would have a new right to require that a business correct any inaccurate PI that it maintains about them. Upon receipt of a verifiable consumer request, a business would be required to take “commercially reasonable efforts” to correct the inaccurate PI.
b) New privacy duties for businesses
The CPREA would require businesses to adhere to new general data protection principles. These include collecting only the minimum amount of PI necessary (“data minimization”), taking reasonable measures to ensure the accuracy of PI collected and shared (“data accuracy”), and implementing reasonable security procedures and practices to safeguard PI. Businesses would also be prohibited from retaining any PI, including sensitive PI, for longer than reasonably necessary for their disclosed purposes.
c) Security assessments and privacy audits
The CPREA would mandate the creation of special regulations for businesses that collect the PI of more than five million California residents. These businesses, referred to as “large data processors,” would be required to perform annual cybersecurity audits using a list of state-approved audit firms, and conduct and publish annual privacy impact risk assessments.
What’s next, and what can businesses do?
The Initiative is in its earliest stages. Signatures cannot be gathered until the AG publishes a summary of the Initiative, which is likely to happen by early December. To appear on the ballot, Californians for Consumer Privacy must obtain 620,000 signatures by the summer of 2020 (on an exact date to be determined after the AG publishes its summary and the secretary of state sets a deadline). Given the public’s continued awareness of, and concern about, consumer privacy issues, that goal may be easily achieved, particularly in light of Californians for Consumer Privacy’s demonstrated ability to obtain the signatures required for the privacy initiative in 2018. The group’s success in 2018 forced the Legislature to agree to pass a revised version of the CCPA in exchange for withdrawal of the prior initiative from the ballot.
It is too early to tell whether the California Legislature will strike another deal before or after the Initiative is certified to the ballot. It is also unclear whether other privacy-related ballot initiatives will be introduced. Regardless, the message is clear: The CCPA as we barely know it may change substantially in a year. Over the course of the next year, it will be critical to monitor privacy developments in California, as well as any activity in other states and at the federal level.
Our team will continue to track developments related to the Initiative, the full text of which is available here. In the meantime, comments on the CPREA can be submitted to the attorney general online through November 1, 2019.
 CPREA, Section 2(D).
 As of this publication, these CCPA amendments are awaiting Governor Newsom’s signature. In addition to excluding employee PI, the amendments would provide a partial exception for PI obtained in the context of certain business-to-business transactions or communications, and certain activity regulated by the Fair Credit Reporting Act. For more detail, see our prior alert, “CCPA Taking Shape,” September 16, 2019, available online here.
 See our prior alerts, “The 2018 California Consumer Privacy Act,” June 29, 2018, available online here and “Less is Less: California Legislature Amends Limited Aspects of California Consumer Privacy Act,” Sept. 4, 2018, available here.
 CPREA, Section 30.
 CCPA, §§ 1798.100(b), 1798.110, 1798.130(a).
 CPREA, § 1798.100(a)(2) – (3).
 CPREA, § 1798.130(a)(2)(B).
 CPREA, §§ 1798.110(c)(6); 1798.130(a)(5)(C); 1798.185(a)(16).
 CPREA, §§ 1798.110(a)(5), (c)(5).
 CCPA, § 1798.120. Note that CCPA and CPREA both require opt-in for the sale of information of minors under 16. See CCPA § 1798.120(c); CPREA § 1798.120(d).
 CPREA, §§ 1798.140(f), (ad).
 CPREA, §§ 1798.120(c), (d)(2).
 CPREA, § 1798.140(ae). Compare, e.g., the definitions of “personal information” under the California Data Safeguards Law (Cal. Civ. Proc. § 1798.81.5(d)(1)) or the California Data Breach Notification Law (Cal. Civ. Proc. § 1798.82(h)).
 CPREA, § 1798.140(ae).
 CPREA, § 1798.100(g).
 CCPA, § 1798.105(c).
 CPREA, §§ 1798.105(c)(1); (c)(3).
 CPREA, § 1798.100(d).
 CPREA, § 1798.150 (regarding data security incidents).
 CPREA §§ 1798.160; 1798.199.10 – 1798.199.40 (regarding the new California Privacy Protection Agency).
 CPREA, §§ 1798.155(a); 1798.199.45 – 1798.199.85.
 CPREA, § 1798.199.90(c).
 CPREA, § 1798.199.90(d).
 CPREA, § 1798.185(d). See also CPREA, Section 30 (“Operative Date”).
 CCPA, § 1798.185(c).
 CPREA, §§ 1798.185(d); 1798.199.40(b).
 CPREA, § 1798.105.5.
 CPREA §§ 1798.100(c), (e), (f). Many of the CPREA’s new general data protection obligations are similar to those found in the European Union’s General Data Protection Regulation (GDPR).
 CPREA, § 1798.100(a)(3).
 CPREA, §§ 1798.185(a)(14), (15); 1798.140(s).
©1996-2019 Morrison & Foerster LLP. All rights reserved.