California Lawmakers Look to Make CCPA Even More Stringent

On December 17, 2019, Attorney General Xavier Becerra released the title and summary for the California Privacy Rights Act (CPRA) – an expansion of CCPA to increase consumer rights, create more transparency and establish an enforcement arm to protect consumers.

The California Consumer Privacy Act (CCPA) has just gone into effect as of January 1, 2020, and the regulation is already fairly stringent. The CCPA applies to certain businesses that conduct business in California and collect the personal data of consumers. The law requires these entities to enact data privacy safeguards and give consumers more control over their own data.

Looking to be added to the November 2020 ballot, the CPRA would further enhance consumer protections. California is aiming to lead the way on consumer data protections so CPRA may very well become a reality. Below is a look at what may be in store for businesses that operate in California.

Who would it affect?

The CPRA would apply to any entity covered by the current CCPA. Companies that must comply with CCPA are any business that collects the personal data of consumers, does business in California and either has annual gross revenue in excess of $25 million; purchases or sells 50,000 or more consumer or household records; or earns more than half of its annual revenue from selling consumer personal information.

What is it?

The California Privacy Rights Act would:

1. Protect Sensitive Personal Information – CPRA would create a new category of Sensitive Personal Information which includes personal finances, race, biometric information, information revealing consumer health status, or the precise location of a person. CPRA would allow consumers to restrict the use of that information, including forbidding its use for any advertising or marketing.
2. Enhance Transparency – Companies would be required to:
   • Say how long they keep personal information (and not keep it longer);
   • Tell consumers why they are collecting personal information (and not use it for other purposes);
   • Tell consumers how much information they are collecting (which can’t be more than necessary to perform the service they say they are doing— e.g. no more flashlight apps stealing the contents of your address book).
3. Safeguard Our Kids – CPRA would increase fines for collecting and selling our children’s private information.
4. Help End Online Discrimination – Consumers would be allowed to know when and how automated decisions significantly affect their lives. If a computer program makes a decision on a person’s life, for example if a person is denied housing or a job opportunity then the consumer is entitled to information about that process.
5. Establish the California Privacy Protection Agency – Even with the enactment of CCPA there is no designated agency for enforcing its provisions. CPRA would establish the California Privacy Protection Agency to police data compliance failures.

What does it mean to me?

• Bigger fines – it is even more costly to not be in compliance.
• New data classification of Sensitive Personal Information – data classification is even more important.
• Dedicated, new authority to protect these right – expect more enforcement.
• Bipartisan support – according to Goodwin Simon Strategic Research, 88% would vote YES to support a ballot measure expanding privacy protections for personal information.