Watch out CCPA: California Privacy Rights Act Seeks to Strengthen California Privacy Laws
May 7, 2020
On June 28, 2018, the California legislature passed the California Consumer Privacy Act (“CCPA”), which went into effect on January 1, 2020. Enforcement of the CCPA will begin on July 1, 2020, which gives companies a grace period to ensure compliance with the new law, a task that has caused concern among those companies. However, compliance with the CCPA may look different in the near future. Earlier this week, Californians for Consumer Privacy announced they garnered enough signatures to get the California Privacy Rights Act (“CPRA”) on the November 2020 ballot.
The CPRA will amend the CCPA and strengthen the current standard of privacy in California. If adopted, the CPRA will add privacy considerations for companies that interact with California consumers by expanding on current rights and obligations or creating new ones, such as:
- Enhancing Children’s Data Privacy;
- Creation of a New Agency;
- Expanding the Private Right of Action; and
- A New Definition of Sensitive Personal Information.
The CPRA attempts to enhance privacy for children by tripling the current fines under the CCPA for violations of the opt-in to sale provision. In addition, the CPRA creates a new provision that will require a company to obtain opt-in consent to sell or share data from consumers under the age of 16.
Creation of a New Agency
The CPRA also focuses heavily on enforcement of privacy laws and seeks to create the California Privacy Protection Agency (“CPPA”). The CPPA would enforce privacy actions against companies who violate the law. This differs from the CCPA, which gave the power of enforcement to the California Attorney General. The CPRA’s approach is similar to that of the General Data Protection Regulation (“GDPR”), which is enforced by Data Protection Authorities.
Private Right of Action
The CCPA contains a provision that allows for a private right of action by a California consumer. Under the CCPA, a consumer can bring an action when their personal data was compromised due to a company’s failure to implement reasonable security measures. Under the CPRA, the CCPA’s liability for a data breach is expanded. Under the proposed CPRA language, a company could be liable to a consumer if a security breach occurs that compromises that consumer’s email address in combination with a password or security question and answer, provided that the company fails to implement reasonable security procedures.
Sensitive Personal Information
The CPRA would expand the information that is protected under the CCPA by adding a new category of “Sensitive Personal Information.” This new category would include social security numbers, driver’s license numbers, financial account information, passport numbers, geolocations, race, ethnicity, religion, personal communications, biometric and health data, sexual orientation, union membership, genetic data, and information about a consumer’s sex life.
Companies that are not in compliance with the CCPA but interact with California residents should still analyze their risks under the CCPA. However, all companies, whether already compliant with the CCPA or not, should begin to think about the CPRA and how it would alter their compliance under the CCPA. If any business needs further guidance about the CPRA, the CCPA, or other consumer privacy laws, the experienced attorneys in our Pittsburgh office are available by phone and email to assist, even while we as a firm comply with the current restrictions. Please feel free to reach out with any questions or concerns.