In light of the rapidly changing coronavirus (COVID-19) situation, Troutman Sanders and Pepper Hamilton have postponed the effective date of their previously announced merger until July 1, 2020. The new firm – Troutman Pepper – will feature 1,100+ attorneys across 23 U.S. offices. Read more.


Insight Center: Publications

CCPA 2.0 Initiative Signatures Submitted for November 2020 Ballot

Authors: Sharon R. Klein, Alex C. Nisenbaum, Wynter L. Deagle, Ronald I. Raether, Sadia Mirza and Karen H. Shin

CCPA 2.0 Initiative Signatures Submitted for November 2020 Ballot

On May 4, Californians for Consumer Privacy, the organization that sponsored the California Consumer Privacy Act (CCPA) announced that it had submitted enough signatures to put a new privacy law, the California Privacy Rights Act of 2020 (CPRA), before California voters on the November ballot. If approved, the law would establish new consumer privacy rights more stringent than the CCPA.

The initiative to create the CPRA, formerly known as the California Privacy Rights and Enforcement Act of 2020, was filed on September 25, 2019. As originally drafted, the CPRA would (1) create a new right to correct inaccurate personal information, (2) prohibit the sale of “sensitive personal information” without a consumer’s opt-in consent, (3) create a new right for consumers to opt out of the use or disclosure of sensitive personal information for advertising and marketing, (4) establish the California Privacy Protection Agency to enforce the CPRA, and (5) create disclosure obligations for “profiling.” We previously discussed the initial draft of the CPRA here.

The CPRA was renamed and amended in November 2019 to take effect on January 1, 2023 (as opposed to January 1, 2021) and to only apply to personal information collected after January 1, 2022 (as opposed to January 1, 2020). The amended CPRA would also:

  • extend the CCPA’s employee and business-to-business exceptions to January 1, 2023 (as opposed to January 1, 2021)
  • redefine “business” under the CCPA to reduce the scope of covered entities to those that, alone or in combination, annually buy or sell or share the personal information of 100,000 (instead of 50,000) or more consumers or households, or derive 50 percent or more of their annual revenues from selling or sharing consumers’ personal information, in addition to for-profit entities with annual gross revenues of $25 million
  • impose certain obligations directly on service providers (as opposed to under the CCPA and other U.S. privacy laws, where vendor obligations likely flow only through contract)
  • provide that “the implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 following a breach does not constitute a cure with respect to that breach”
  • triple regulatory fines for any intentional violation of the CPRA’s requirements with respect to the collection or sale of the personal information of minors without consent
  • provide a right to limit the use of sensitive data for any secondary purpose and require businesses to provide a new, separate link titled “Limit the Use of My Sensitive Personal Information” 
  • clarify that businesses may offer loyalty, rewards, premium features, discounts or club card programs
  • include email account credentials in the categories of personal information potentially subject to the CCPA’s “reasonable security” private right of action
  • require the California Attorney General to adopt regulations requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security to perform annual privacy and data security audits (rather than requiring audits solely based on the volume of records processed)
  • prevent a business from incurring duplicative fines for both an administrative fine and a civil penalty for the same violation.

The amendments to the CPRA would further allow the to-be-created California Privacy Protection Agency to provide businesses with the opportunity to cure any alleged violations of the CCPA rather than pursuing a complaint and penalties. Additionally, the California Privacy Protection Agency would no longer be directly funded by regulatory fines.

While the CPRA may have enough signatures to qualify it for the November ballot, the California Secretary of State and county election officials will need to certify the signatures by June 25, 2020, which is also the deadline by which the initiative may be withdrawn, for its placement on the ballot to be official. Of the 900,000 signatures submitted by Californians for Consumer Privacy, 675,000 must be certified as valid for the CPRA to be included on the November ballot.

In the meantime, businesses should:

  • focus on being compliant with the CCPA and closely monitor all developments relating to the CCPA, including any regulations and guidance from the California Attorney General. As we have previously discussed, CCPA compliance will not only prepare organizations for the CPRA but may also establish a defense to other privacy-based claims that may be asserted today. For more information, see our article published by Law360, “Calif. Privacy Law Takeaways From 9th Cir. Facebook Case.”
  • monitor all developments relating to the CPRA initiative. Troutman Sanders LLP and Pepper Hamilton LLP will be co-hosting a webinar on the CPRA in early June. You can sign up to receive notification of the event by registering here.

The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.

Data protection laws have changed, so we have revised our Privacy Policy.