CCPA 2.0 Makes the Ballot! What’s Next for the California Privacy Rights Act?

On June 25, 2020, Californians for Consumer Privacy announced the California Privacy Rights Act of 2020 (“CPRA”) officially qualified for California’s November 2020 ballot. We previously provided guidance here about what the CPRA is and whether the CPRA will become law, but we have been receiving a lot of questions about the timeline associated with the recently qualified ballot initiative. If the CPRA becomes law, most of its provisions will become effective on January 1, 2023, but certain provisions would go into effect as soon as late this year. Below is a summary of the key dates to keep in mind for the CPRA:

June 25, 2020

CPRA Qualification & No Possibility for Withdrawal

On June 25, 2020, one day after the California Secretary of State confirmed the CPRA received enough valid signatures, the CPRA was certified for the November 3, 2020 Statewide General Election Ballot as Proposition 24.

As outlined in guidance by the California Secretary of State, the Californians for Consumer Privacy no longer have the right to withdraw the CPRA. This means the California Legislature will not be able to negotiate amendments to the California Consumer Privacy Act of 2018 (“CCPA”) in exchange for withdrawal of the initiative (which is what occurred to make the CCPA law). In fact, a proposed bill that would amend the CCPA to extend the employee and B2B exceptions to January 1, 2022, now includes language that it shall only become operative if voters do not approve the CPRA.


On July 1, 2020, the California Attorney General was statutorily permitted to begin enforcing the CCPA. The CCPA requirements remain in flux in part because the CCPA regulations have yet to be approved and finalized.

July 1, 2020

CCPA Enforcement Date


November 3, 2020

California Statewide General Election

The CPRA will be set to become law if it is approved by a majority vote at the Statewide General Election on November 3, 2020.

The Californians for Consumer Privacy currently predict 88 percent of California voters would vote YES to support a ballot measure expanding privacy protections for personal information, like the CPRA. As a result, there appears to be sufficient support for the CPRA to become law.


In accordance with Article II, § 10(a) of the California Constitution, a ballot initiative that is approved by a majority vote at the statewide general election takes effect the fifth day after the Secretary of State certifies the election results, unless the initiative measure provides otherwise.

On the fifth day after certification, the following provisions of the CPRA become law in accordance with Section 31(b) of the CPRA:

  • Section 1798.145(m)-(n): The extensions of the personnel/employee exception and B2B exception to January 1, 2023.
  • Section 1798.160: The creation of a “Consumer Privacy Fund.”
  • Section 1798.185: The direction for the Attorney General to adopt regulations and the mechanism to transfer regulatory authority to the new privacy agency.
  • Section 1798.199.10-40: The establishment of the California Privacy Protection Agency, the new privacy agency vested with full administrative power, authority and jurisdiction to implement and enforce the CCPA, as amended by the CPRA.
  • Section 1798.199.95: The designation of funds for the new California Privacy Protection Agency.

Likely Mid-December 2020

Preliminary CPRA

Effective Date


July 1, 2021

Transfer of Regulatory Authority to New Privacy Agency

In accordance with Section 21 of the CPRA, beginning the later of July 1, 2021, or six months after the new agency provides notice to the California Attorney General that it is prepared to begin rulemaking activity, the authority assigned to the California Attorney General to adopt regulations under the CPRA shall be exercised by the new California Privacy Protection Agency.

In accordance with Section 31(a) of the CPRA, the obligations under the CPRA, with the exception of the right of access, will only apply to personal information collected by the business on or after January 1, 2022.  

January 1, 2022 Look-Back Period

 


 

July 1, 2022 Deadline for Adopting Final Regulations

 

In accordance with Section 21 of the CPRA, the final regulations under the CPRA must be adopted by July 1, 2022.

In accordance with Section 31(a) of the CPRA, the remainder of the CPRA becomes operative on January 1, 2023, including the highlights from the CPRA we describe in more detail here:

  • Revision and expansion of the scope of covered “businesses” under Cal. Civ. Code § 1798.140(d).
  • Addition of a new category of personal information“sensitive personal information.”
  • Expansion of the requirements for the notice at collection.
  • Adoption of an explicit, overarching purpose-limitation obligation.
  • Addition of new consumer rights and revision of existing obligations.
  • Expansion of contracting requirements with third parties, service providers and “contractors.”
  • Modification of statutory exceptions.
  • Imposition of “reasonable security” obligations.
  • Expansion of the breach private right of action.
  • Revision of fine structure for violations involving children’s information.

January 1, 2023

Full Operative Date


July 1, 2023 Enforcement Date

In accordance with Section 21 of the CPRA, civil and administrative enforcement of the obligations added by the CPRA cannot begin until July 1, 2023, and can only apply to violations occurring on or after that date.

Conclusion

The CPRA will be on the ballot for the November 3 California Statewide General Election, and it appears to have garnered sufficient statewide support to become law. However, the CPRA includes a fairly reasonable two-year ramp-up period for businesses to adjust their practices to comply with the new and revised obligations. As a result, companies do not need to panic and scramble to address CPRA obligations immediately. Instead, we recommend a measured approach to assess the gap between a business’s current CCPA compliance program and develop a roadmap for addressing the obligations in a way that minimizes the strain on organizational resources and friction with other business objectives.

Privacy Shield Sunk – SCCs Treading Water: What Can Companies Do to Keep Their Head Above Water

Today the European Court of Justice (CJEU) published its highly anticipated judgement in the case of Data Protection Commissioner Ireland v Facebook Ireland Limited, Maximillian Schrems, colloquially known as “Schrems 2.0”. There were three key elements to the decision:

READ MORE

Schrems 2.0 – The Next Big Blow for EU-US Data Flows? – What to Expect on Thursday, July 16th

Whatever the outcome of Schrems 2.0, the key takeaway is, don’t panic.

Tomorrow, July 16, 2020, the European Court of Justice (CJEU) is expected to rule in the case of Data Protection Commissioner Ireland v Facebook Ireland Limited, Maximillian Schrems, colloquially known as “Schrems 2.0”.

The main ingredients haven’t changed much for this long-awaited sequel to the decision that invalidated the Safe Harbor regime in 2015: Austrian data protection activist Max Schrems, Facebook Ireland, Ltd, and another commonly used international personal data transfer mechanism on the chopping block for invalidation.

This time around the court is considering the validity of the Standard Contractual Clauses (SCC) adopted by the European Commission, which goes beyond EU-U.S. transfers and could affect most agreements governing data sharing between the EU and the rest of the world. Regardless of the outcome, tomorrow’s decision is going to have a profound impact on the way international data transfers are treated for years to come – but the key takeaway is not to panic. In this blog post, we have set out the three potential rulings open to the CJEU and what steps you can take to following such a ruling. READ MORE

Highest Administrative Court in France Upholds Google’s €50 Million Fine

On January 21, 2019, the CNIL (the French data protection authority) issued a fine of €50 million to Google under the General Data Protection Regulation (the “GDPR”) for its failure to (1) provide notice in an easily accessible form, using clear language, when users configured their Android mobile device, and (2) obtain users’ consent to process personal data for ad personalization purposes. The CNIL’s enforcement action and resulting fine arose out of actions filed by two not-for-profit associations, None of Your Business and La Quadrature du Net. The fine was the first significant fine imposed by the CNIL under the GDPR and remains one of the highest fines to date. In determining the amount of the fine, the CNIL considered the fact that the violations related to essential principles under the GDPR (transparency and consent), the violations were continuing, the importance of the Android operating system in France, and the fact that the privacy notice presented to users covered a number of processing operations. Google appealed the decision. READ MORE

French Court Annuls Parts of the CNIL’s Cookie Guidelines

On June 19, 2020, the Conseil d’Etat, the highest administrative court in France, annulled in part the cookie guidelines issued by the CNIL (the French data protection authority). The court ruled that the CNIL did not have the power to prohibit “cookie walls” (i.e., the practice of blocking access to a site or app for users who do not consent to the use of cookies) in the guidelines. READ MORE

Parkview Health Decision Highlights Vicarious Data Breach Liability Risk in the United States

A recent decision in Indiana highlights the data security liability risks facing employers based on the actions of their employees, extending vicarious liability even to cases where the employees were acting wholly for personal purposes. In SoderVick v. Parkview Health Sys., Inc., the Court of Appeals of Indiana reversed summary judgment in favor of the defendant, reviving claims of respondeat superior against Parkview Health Systems, Inc. (“Parkview”) where the hospital’s employee texted personal health information to a third party. No. 19A-CT-2671, 2020 WL 2503923 (Ind. Ct. App. May 15, 2020). We recently noted a decision of the Supreme Court of the United Kingdom in WM Morrison Supermarks plc v. Various Claimants (“Morrison”) where the Court made the contrary determination, ruling that the large supermarket chain Morrison could not be held vicariously liable as a matter of law for the intentional acts of a rogue employee who posted the payroll data of Morrison employees on the Internet. But as we also explained, businesses that collect personal information should be cautious about reading too much into that ruling: while the Court allowed the appeal in favor of Morrison, the decision turned on the particular facts of the case (where the rogue employee actively tried to damage his employer). The Parkview Health decision further underscores this need for caution, especially with increased remote work due to COVID-19 where the risk of employers being sued over security breaches caused by their employees is, unfortunately, ever-increasing. READ MORE

Legislative Update: Privacy Bills Not Immune to COVID-19 As Legislative Efforts Persist and Evolve

Today, we are all facing a public health crisis unlike any other we have seen in our lifetime. In addition to serious consequences to global health, the COVID-19 pandemic has created significant disruption in the legal system and privacy law initiatives have not been immune to the virus’s impact. With many state legislatures nearing or at the end of legislative sessions taken over by pandemic priorities, state privacy bill initiatives across the country are grinding to a halt. However, some lawmakers are pushing forward with targeted proposals to protect individual privacy in the face of COVID-19 and some states, particularly California, continue public and private efforts to bolster privacy in their jurisdiction. Below is a summary of the 2020 privacy legislative efforts to date and the impact COVID-19 has had on their progress. READ MORE

Wait…CCPA 2.0? What Is the California Privacy Rights Act of 2020 and Will It Become Law?

On May 4, 2020, Californians for Consumer Privacy announced that it submitted over 900,000 signatures to qualify the California Privacy Rights Act of 2020 (“CPRA”) for California’s November 2020 ballot. With the California Consumer Privacy Act of 2018 (“CCPA”) set to become enforceable on July 1, 2020, this new ballot initiative has left many wondering what the CPRA is and whether the CPRA will become law. We explore these questions further below.

READ MORE

Two Diverging Federal COVID-19 Privacy Bills Proposed

In recent days, Congress has introduced two divergent “emergency” bills to address privacy issues arising during the COVID-19 crisis. While both bills aim to protect personal data collected for the purposes of contact tracing and containing the spread of the illness, the bills – one led by Republicans, the other by Democrats – offer different approaches in key areas, including the scope of entities covered, preemption of state law, and whether to provide a private right of action. Given these differences, it is unlikely either bill will pass in its current form, barring significant concessions from each side of the aisle. Here is a high-level summary of the key points addressed in each bill: READ MORE

Seventh Circuit Bolsters Article III Standing for Actions Under the Illinois Biometric Information Privacy Act

On May 5, 2020, the Seventh Circuit held in Bryant v. Compass Group USA, Inc. that a plaintiff who asserted a violation of the Illinois Biometric Information Privacy Act’s (“BIPA’s”) notice and consent requirements had Article III standing to pursue her claim in federal court. With respect to BIPA’s retention schedule posting requirement, however, the Seventh Circuit found that allegations of a statutory violation did not, on their own, suffice to confer Article III standing. This decision will make it easier for defendants to keep BIPA claims in federal court, and its standing analysis has significant implications for BIPA cases, as well as other privacy and data security cases more broadly.

READ MORE