Although it feels just like yesterday that the California Consumer Privacy Act (“CCPA”) went into effect (it was January 1, 2020), California may be at it again. After securing 931,000 signatures from California State residents, the privacy-right activist group, Californians for Consumer Privacy, has qualified yet another privacy bill for the November 3, 2020 ballot. The California Privacy Rights Act (“CPRA”), which some are calling CCPA 2.0, would expand the privacy rights of Californians with enforcement set to begin on January 1, 2023.
What is CCPA 2.0?
The Current CCPA
In 2018, the California Legislature passed the CCPA in order to protect consumers’ privacy rights by imposing obligations on how businesses collect, use and share California State resident personal information. The CCPA was hastily drafted and, up until the July 1, 2020 enforcement date, the California State Attorney General was scrambling to finalize CCPA regulations. To this day, there are still holes in the CCPA that remain unfilled.
Proposed provisions of CCPA 2.0 would: 1) establish the California Privacy Protection Agency (“CPPA”), which would turn over enforcement of the CCPA from the California State Attorney General to a five-member consumer privacy-dedicated governmental agency; 2) increase protection of certain sensitive personal information, including consumer health, finance, race, ethnicity and precise location information; 3) triple fines for children’s privacy violations; and 4) expand the private right of action to include the unauthorized access to, or disclosure of, a California resident email address combined with an associated password or security question.
CCPA 2.0 also proposes adding new consumer rights. Currently, businesses that meet the CCPA’s thresholds must provide California consumers with the opportunity to: 1) opt-out of the sale of their personal information to third parties; 2) request to know what personal information businesses have collected about them and how businesses have sold or disclosed that information to third parties; and 3) request that businesses delete personal information that has been collected from/about them. If CCPA 2.0 passes, consumers will also have the right to: 1) correct personal information; 2) learn the length of time that companies retain their data; 3) opt-out of businesses using their precise geolocation information; and 4) restrict usage of their sensitive personal information.
Entities doing business in Europe may recognize that CCPA 2.0 would bring California privacy law closer to the General Data Protection Regulation (“GDPR”) model. Businesses that have struggled to meet the standards imposed by the current CCPA regulations will be frustrated by the news that increased compliance obligations are potentially on the horizon. We will continue to monitor the progress of CCPA 2.0 and will update our readership with relevant developments.
If you require assistance with consumer data privacy compliance for your business, please email us at firstname.lastname@example.org, or call us at (212) 246-0900.
The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.
Related Blog Posts: