On September 25, Alastair Mactaggart, a real estate developer and founder and chair of Californians for Consumer Privacy, announced that he formally filed an initiative to appear on the November 2020 ballot, titled the California Privacy Rights and Enforcement Act of 2020. The initiative would create new consumer privacy rights and a new enforcement agency and is more stringent than the California Consumer Privacy Act (CCPA), which passed into law on June 28, 2018 and will go into effect on January 1, 2020. Mactaggart’s announcement comes on the heels of the California Legislature’s approval of five amendments to the CCPA, which addressed issues such as the treatment of employee data and business-to-business contact information.
The California Privacy Rights and Enforcement Act of 2020 ballot initiative would require additional transparency on how collected data is used, especially in advertising and marketing; would require consent to collect the personal information of children; and would attempt to more vigorously regulate businesses through audits by a new privacy protection agency.
The proposed California Privacy Rights and Enforcement Act of 2020 would do the following:
prohibit businesses from selling “sensitive personal information” (e.g., financial and health information, racial or ethnic origin, sexual orientation, and precise geolocation) without the California resident’s opt-in consent, and would create a new right for a California resident to opt out of the use or disclosure of sensitive personal information for advertising and marketing at any time
prohibit the collection of personal information for children under the age of 16 unless a child, who is over the age of 13, opts in or parental consent is given for children under the age of 13, and would triple the CCPA’s fines for violating the law governing the collection and sale of children’s private information
create a new right to correct inaccurate personal information (similar to that of the GDPR’s right to rectification)
address “profiling,” requiring businesses to disclose (1) information on the algorithms used to target or profile consumers and (2) whether profiling had or could reasonably be expected to have a significant, adverse effect on consumers with respect to financial lending and loans, insurance, health care services, housing, education admissions or denial of employment
establish the California Privacy Protection Agency, which would implement and enforce the CCPA through administrative action, including audits and fines, while leaving civil enforcement to the Attorney General
require businesses to disclose whether they have used personal information for the businesses’ political purposes, but would exempt businesses that sell voter information or deliver advertisements to consumers on behalf of another person
change notification requirements for employees and provide employees with a deletion right following any statutorily mandated retention periods
change the requirements for contracting with “service providers” and newly defined “contractors,” potentially affecting businesses’ efforts to remove transfers of personal information to these service providers and contractors from the definition of “sell” under the CCPA
bring cyber notices to brick-and-mortar locations by requiring physical postings of privacy notices when personal information is collected on the businesses’ premises (e.g., through CCTV).
Mactaggart, who authored a ballot initiative in 2018 that spurred the California Legislature to pass the CCPA, said that the CCPA is no longer sufficient as technology companies are actively seeking to weaken the CCPA and smarter technological tools are evolving. He stated that the purpose of the California Privacy Rights and Enforcement Act of 2020 is to give consumers “the right to take back control over their information from thousands of giant corporations.” However, it is unclear where the funding to enforce the initiative and its new agency will come from.
California Deputy Attorney General Stacey Schesser revealed at the International Association of Privacy Professionals’ September 25 conference that the Attorney General’s Office did not find out about the initiative, including its new agency, until it was filed, but that the office will continue focusing on implementing the CCPA. She further stated that the office plans to release its formal rulemaking in October, which will be followed by a 45-day period for public comments.
To appear on the ballot in November 2020, the initiative will need 623,212 valid signatures of registered voters in California. The Attorney General’s Office will accept public comment on the California Privacy Rights and Enforcement Act of 2020 until October 25, 2019.
In the meantime, businesses should:
focus on being compliant with the CCPA and closely monitor all developments relating to the CCPA, including any regulations and guidance from the California Attorney General
consider providing insight by submitting comments on the California Privacy Rights and Enforcement Act of 2020 within the applicable time period
monitor all developments relating to the California Privacy Rights and Enforcement Act of 2020.
The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.