It's Official: V2 of CCPA Makes California November 2020 Ballot

The threshold has been met in the random sampling process of the 930,000 ballot signatures for the California Privacy Rights Act ("CPRA") and the CPRA will in fact be on the ballot in California in November as a statewide initiative measure. There were some twists and turns in the random sampling process for the CPRA — including a court order to ensure that all counties complete their sampling by the June 25th deadline — that had the backers of initiative (Californians for Consumer Privacy) probably a little worried that the initiative may be deferred to the November 2022 election, but in the end with San Diego County (where over 100k signatures had been collected from) reporting their signature verification results this evening, the overall threshold has been met and CPRA will be on the November ballot.

Refresher on CCPA

The CPRA represents "Version 2.0" of the California Consumer Privacy Act (CCPA). As a reminder the CCPA is the United States’ most comprehensive consumer privacy law that gives consumers both the “Right to Know” (i.e. you can find what personal information has collected on you) and the “Right to Say No” (you can say no the sale of your personal data).  It also holds businesses accountable for safeguarding consumers’ personal information.

CCPA Overview

The CPRA is a California state ballot initiative that seeks to amend, expand and clarify the existing CCPA law that was passed into law in 2018 and went into effect on January 1, 2020. In other words, the CPRA is an uber/omnibus privacy and data protection law, not a separate law, so it truly represents “Version 2.0” of the CCPA. It provides additional rights to consumers (e.g. right to correct personal data, limit use of sensitive personal information such as geolocation data, etc.), adds additional obligations to businesses (e.g. data protection impact analyses must be performed, maintenance of records of processing activity, etc.), but probably most significantly it creates a new regulatory agency to enforce data protection and privacy in California — the California Privacy Protection Agency (PPA) — that will also be able to levy greater fines for misuse of children's personal data.

Furthermore, if the ballot initiative passes (which initial polling by the backers showing it viewed favorably by prospective voters), it also in effect puts the law in a “lockbox” in that yes, the law could be amended by the legislature (in fact the original CCPA was amended 6 times), but with a key restriction that any amendments must be “consistent with and further the purpose” of this new law — so no watering down by the legislature (but a new initiative could weaken). CPRA won’t take effect until January 1, 2023, so there will be time for businesses to prepare for it, ala the two-year difference that the EU experienced with the GDPR that passed in 2016 and did not take effect until 2018.

On a side note, one thing that strikes me is that the 900,000+ voters who signed this proposed ballot initiative represents more people than the population of States such as Wyoming, Vermont, etc.

So Why Do We Need V2 of CCPA?

The backers of the initiative (Californians for Consumer Privacy aka CCP) saw the need to "upgrade" CCPA for the following two reasons: "First, some of the world’s largest companies have actively and explicitly prioritized weakening the law. Second, technological tools have evolved in ways that exploit a consumer’s data with potentially dangerous consequences. We believe using a consumer’s data in these ways is not only immoral, but it also threatens our democracy."

Hence to counter the huge resources that tech and advertising companies have, the CPRA will protect the interest of consumers with (a) a well-funded and dedicated regulatory agency (called the Privacy Protection Agency — which moves the majority of enforcement and rulemaking away from the California Attorney General to this new agency) and (b) further backed by a law that cannot be chipped away by those big companies' lobbyists pressuring the legislature to make modifications. That is why I said with the CPRA that the "gloves are off" in allowing consumers to take control over their own personal data. 

The CCP also sees the CPRA as sending a strong message to Congress that a robust federal data protection law is needed, which is a topic I previously covered when I analyzed the evolution and fragmentation in US privacy laws.

Source: CCP Presentation on June 12, 2020 to the California Assembly Hearing on Privacy and Consumer Protection

I will cover the "address workability issues" that the CCP also raises (as you can see in the slide above) in a subsequent blog post.

How Does the CPRA Stack up Versus CCPA and GDPR?

Frankly, the CPRA matches up quite nicely with what people consider the "gold standard" of privacy laws — the European Union's General Data Protection Regulation (aka GDPR). I previously blogged on detail comparisons of GDPR vs. CPRA and CPRA vs. CCPA, but if you look at my executive summary comparison, a strong case could be made that CPRA exceeds the GDPR in certain areas (e.g. mandating that do not sell/share and limit use of sensitive data must be front and center on businesses' home pages).

Net Net

At the end of the day, the CPRA making the ballot is a big deal, as it could usher a "digital bill of rights" that we as consumers are lacking that is backed by an enforcement agency that has some significant resources behind it. And given that California is 1/8th the population of the United States and the 5th largest economy in the world (assuming it was an independent nation-state), the thought process is that the CPRA would effectively set the floor for privacy protection in the US, as many businesses will probably not want to maintain two websites or policies — one for California and one for the rest of the US — and would probably be the impetus for Congress to finally tackle a national privacy and data protection law.