On June 25, 2020, Californians for Consumer Privacy announced the California Privacy Rights Act of 2020 (“CPRA”) officially qualified for California’s November 2020 ballot. We previously provided guidance here about what the CPRA is and whether the CPRA will become law, but we have been receiving a lot of questions about the timeline associated with the recently qualified ballot initiative. If the CPRA becomes law, most of its provisions will become effective on January 1, 2023, but certain provisions would go into effect as soon as late this year. Below is a summary of the key dates to keep in mind for the CPRA:
|
June 25, 2020 CPRA Qualification & No Possibility for Withdrawal |
On June 25, 2020, one day after the California Secretary of State confirmed the CPRA received enough valid signatures, the CPRA was certified for the November 3, 2020 Statewide General Election Ballot as Proposition 24.
As outlined in guidance by the California Secretary of State, the Californians for Consumer Privacy no longer have the right to withdraw the CPRA. This means the California Legislature will not be able to negotiate amendments to the California Consumer Privacy Act of 2018 (“CCPA”) in exchange for withdrawal of the initiative (which is what occurred to make the CCPA law). In fact, a proposed bill that would amend the CCPA to extend the employee and B2B exceptions to January 1, 2022, now includes language that it shall only become operative if voters do not approve the CPRA. |
|
|
|
||
| On July 1, 2020, the California Attorney General was statutorily permitted to begin enforcing the CCPA. The CCPA requirements remain in flux in part because the CCPA regulations have yet to be approved and finalized. |
July 1, 2020 CCPA Enforcement Date |
|
|
|
||
|
November 3, 2020 California Statewide General Election |
The CPRA will be set to become law if it is approved by a majority vote at the Statewide General Election on November 3, 2020.
The Californians for Consumer Privacy currently predict 88 percent of California voters would vote YES to support a ballot measure expanding privacy protections for personal information, like the CPRA. As a result, there appears to be sufficient support for the CPRA to become law. |
|
|
|
||
| In accordance with Article II, § 10(a) of the California Constitution, a ballot initiative that is approved by a majority vote at the statewide general election takes effect the fifth day after the Secretary of State certifies the election results, unless the initiative measure provides otherwise.
On the fifth day after certification, the following provisions of the CPRA become law in accordance with Section 31(b) of the CPRA:
|
Likely Mid-December 2020 Preliminary CPRA Effective Date |
|
|
|
||
|
July 1, 2021 Transfer of Regulatory Authority to New Privacy Agency |
In accordance with Section 21 of the CPRA, beginning the later of July 1, 2021, or six months after the new agency provides notice to the California Attorney General that it is prepared to begin rulemaking activity, the authority assigned to the California Attorney General to adopt regulations under the CPRA shall be exercised by the new California Privacy Protection Agency. | |
|
|
||
| In accordance with Section 31(a) of the CPRA, the obligations under the CPRA, with the exception of the right of access, will only apply to personal information collected by the business on or after January 1, 2022. |
January 1, 2022 Look-Back Period
|
|
|
|
||
|
July 1, 2022 Deadline for Adopting Final Regulations
|
In accordance with Section 21 of the CPRA, the final regulations under the CPRA must be adopted by July 1, 2022. | |
|
|
||
In accordance with Section 31(a) of the CPRA, the remainder of the CPRA becomes operative on January 1, 2023, including the highlights from the CPRA we describe in more detail here:
|
January 1, 2023 Full Operative Date |
|
|
|
||
|
July 1, 2023 Enforcement Date |
In accordance with Section 21 of the CPRA, civil and administrative enforcement of the obligations added by the CPRA cannot begin until July 1, 2023, and can only apply to violations occurring on or after that date. | |
Conclusion
The CPRA will be on the ballot for the November 3 California Statewide General Election, and it appears to have garnered sufficient statewide support to become law. However, the CPRA includes a fairly reasonable two-year ramp-up period for businesses to adjust their practices to comply with the new and revised obligations. As a result, companies do not need to panic and scramble to address CPRA obligations immediately. Instead, we recommend a measured approach to assess the gap between a business’s current CCPA compliance program and develop a roadmap for addressing the obligations in a way that minimizes the strain on organizational resources and friction with other business objectives.
