|A new California ballot initiative is submitted for approval that would revise the CCPA and impose new requirements starting in 2023, if enacted. This new statute could not be amended to weaken it per ballot initiative law in California.|
The organization that forced action on the “California Consumer Protection Act” (CCPA) (AB 375) by getting its proposed measure approved for California’s November 2018 ballot announced that it has the sufficient number of signatures to get its preferred revision of the CCPA on the ballot for this fall’s coming election. If this effort succeeds, and Californians vote for this measure, it would throw the state’s efforts to establish and enforce the new CCPA into doubt as the new regime would commence in 2023 and there would likely again be a rulemaking process to implement the new statute. It is possible that should this initiative be placed on the November ballot, new life could be breathed into Congressional efforts to pass a national privacy and data protection bill.
The Californians for Consumer Privacy claimed in its press release “it is submitting well over 900,000 signatures to qualify the “California Privacy Rights Act” (CPRA) for the November 2020 ballot.” The Californians for Consumer Privacy have been negotiating extensively with stakeholders on the CCPA’s follow on bill and actually released a draft bill last fall. Nonetheless, even though some stakeholders were able to secure desired changes in the base text, others were not. This fact along with the reality that it is next to impossible to weaken or dilute statutes added to the California Code through ballot initiative suggest a serious campaign to defeat this ballot initiative.
In a summary, the Californians for Consumer Privacy claimed the CPRA would:
1) Make it almost impossible to weaken privacy in California in the future, absent a new initiative allowing such weakening. CPRA would give the California Legislature the power to amend the law via a simple majority, but any amendment would have to be “in furtherance of the purpose and intent” of CPRA, which is to enhance consumer privacy. This would protect privacy in California from a business onslaught to weaken it in Sacramento.
2) Establish a new category of sensitive personal information (SPI), and give consumers the power to restrict the use of it. SPI includes: SSN, DL, Passport, financial account info, precise geolocation, race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information, information about sex life or sexual orientation.
3) Allow consumers to prohibit businesses from tracking their precise geolocation for most purposes, including advertising, to a location within roughly 250 acres.
a. This would mean no more tracking consumers in rehab, a cancer clinic, at the gym (for how long) at a fast food restaurant (how often), sleeping in a separate part of the house from their partner (how recently), etc., all with the intention of monetizing that most intimate data that makes up people’s lives.
4) Add email +password to the list of items covered by the ‘negligent data breach’ section to help curb ID theft. Your sensitive information (i.e. your health or financial data)would now include your email and password; and if mishandled, you would be able to sue the business for damages, without having to prove an actual financial loss (and let’s face it—who can ever link the data breach from one company, to the ID theft six months later. It’s impossible, and this would change that).
5) Establish the California Privacy Protection Agency to protect privacy for Californians, funded with $10M from the State’s General Fund
a. This funding would equate to roughly the same number of privacy enforcement staff as the FTC has to police the entire country (the FTC has 40 privacy professionals).
A predecessor bill, “The California Privacy Rights and Enforcement Act of 2020” (CPREA), was released last fall (See 3 October 2019 Technology Update for write up.) At the time, Californians for Consumer Privacy Chair and Founder Alistair Mactaggart explained his reasoning for a second ballot initiative: “First, some of the world’s largest companies have actively and explicitly prioritized weakening the CCPA…[and] [s]econd, technological tools have evolved in ways that exploit a consumer’s data with potentially dangerous consequences.”
As noted, changes to the California Code made by ballot initiative are much harder to change or modify than the legislative route for enacting statutes. Notably, the CPRA would limit future amendments to only those in furtherance of the act, which would rule out any attempts to weaken or dilute the new regime. Consequently, industry and allied stakeholders can be expected to fight this ballot initiative.
As mentioned, stakeholders in Congress may be motivated by this new effort to resolve differences and reach agreement on a bill to govern privacy and protect data at the federal level, sweeping aside state laws like the CPRA. However, a new, stronger law in California may cause key Democrats to dig in and insist on the policy changes Republicans have been reluctant to give way on such as a federal private right of action. In such a scenario, it is conceivable Democrats would use their leverage to extract even more changes from Republicans. As it stands, Republicans have moved a fair distance from their original positions on privacy and data protection and may be willing to cede more policy ground.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.