The California Privacy Rights Act (CPRA) is a consumer privacy ballot initiative from Californians for Consumer Privacy, a non-profit which introduced the CPRA ballot initiative in late 2019 based on concerns that the California Consumer Privacy Act (CCPA) did not sufficiently protect consumer privacy.
The final text of the CPRA was published on November 13, 2019. Californians for Consumer Privacy submitted over 900,000 signatures in support of the CPRA on May 4, 2020, and on June 24, 2020, the Secretary of State confirmed that the initiative had enough valid signatures to appear on the November 2020 ballot.
If the CPRA passes, it would significantly expand the CCPA by establishing a new regulatory enforcement body, the California Privacy Protection Agency, which would assume enforcement and rule making authority currently delegated to the Attorney General under the CCPA.
The CPRA will also remove the CCPA’s 30-day cure period, and impose a number of GDPR-styled obligations on businesses, among other requirements, including the following:
- The CPRA will modify existing consumer rights and grant new rights, including a right to correction, a right to limit use and disclosure of sensitive personal information, and a right to opt out of sharing of personal information for cross-context behavioral advertising; and
- The CPRA will require covered businesses to enter into contracts with all entities to which they disclose personal information.
How likely are voters to approve the CPRA?
While it is sometimes difficult to predict the future, preliminary polling conducted in October 2019 indicated that approximately 9 of 10 California voters would vote “yes” to support a ballot measure expanding privacy protections for consumers’ personal information. The CPRA only needs only a majority vote to pass, so if anything close to this level of support exists in November it will pass and eventually become law.
What happens if voters approve the CPRA?
The immediate impacts on businesses will be minimal, at least until the lead up to January 1, 2023, as the CCPA would continue to be the governing California privacy law until then.
The provisions establishing the California Privacy Protection Agency would come into effect five days after the Secretary of State certifies the election results. The Agency would assume enforcement and rule making authority currently delegated to the Attorney General under the CCPA. The CPRA would require final regulations implementing the provisions of the act to be promulgated by July 1, 2022. Enforcement of the provisions added or modified by the CPRA would commence July 1, 2023 and would apply to only violations of the law that occur after that date.