The group behind the original California Consumer Privacy Act of 2018 have introduced additional privacy legislation in California, via a ballot initiative. On Sept. 25, 2019, California citizen, privacy activist, and cofounder of Californians for Consumer Privacy, Celine Mactaggart, filed a new initiative to appear on California’s November 2020 ballot, known as the California Privacy Rights and Enforcement Act (CPREA).
In press release introducing the CPREA, fellow Californians for Consumer Privacy cofounder Alastair Mactaggart highlighted what his group sees as limitations of the 2018 California Consumer Privacy Act (CCPA), which goes into effect in 2020, noting that the consumer privacy landscape has changed dramatically in the two years since the initial CCPA law passed, warranting this new legislation.
“During this time, two things have happened: First, some of the world’s largest companies have actively and explicitly prioritized weakening the CCPA. Second, technological tools have evolved in ways that exploit a consumer’s data with potentially dangerous consequences. I believe using a consumer’s data in these ways is not only immoral, but it also threatens our democracy.” Alastair Mactaggart, cofounder of Californians for Consumer Privacy
The California Privacy Rights and Enforcement Act (CPREA), colloquially dubbed “CCPA 2.0,” provides even more consumer protections and business obligations than the 2018 California Consumer Privacy Act (CCPA). Some of the most notable new protections in CPREA include:
The creation of a California Privacy Protection Agency, an independent executive agency tasked with protecting consumer privacy. Under current CCPA law, the California Attorney General handles privacy law enforcement.
A new category of protected personal information called, “sensitive information” which includes “a consumer’s social security, driver’s license, state identification card, or passport number; a consumer’s account login, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; a consumer’s precise geolocation; personal information revealing a consumer’s racial or ethnic origin, religion, or union membership; the contents of a consumer’s private communications, unless the business is the intended recipient of the communication; a consumer’s biometric information; data concerning a consumer’s health; data concerning a consumer's sexual orientation; or other data collected and analyzed for the purpose of identifying such information.” - 1798.100 ae.
A consumer's right to access information beyond the currently required 12-month preceding period under CCPA.
Disclosure to a consumer if their data is used to influence the outcome of an election in a business’ favor.
Allow for amendments consistent with the purpose and intent of the act by the California State Legislature after the ballot initiative is passed.
If the ballot initiative, which is open for public comment until Oct. 25, 2019, passes in November 2020, this will afford California consumers further expanded privacy rights. For businesses, many of which have not yet fully complied with the 2018 CCPA regulations set to go into force in January 2020, this will create another set of regulations to adhere to before this would go into force on Jan. 1, 2022. Expect a fight from industry groups in the coming months on this issue. In fact, this ballot initiative may be the precursor to passing an often discussed US federal privacy law.
*Disclaimer: I am not a lawyer and am not offering legal advice. If you have legal questions, consult a licensed attorney.*
Merry Marwig is a market research analyst at G2 focused on the privacy and data security software markets. Using G2’s dynamic research based on unbiased user reviews, Merry helps companies best understand what privacy and security products and services are available to protect their core businesses, their data, their people, and ultimately their customers, brand, and reputation. Merry's coverage areas include: data privacy platforms, data subject access requests (DSAR), identity verification, identity and access management, multi-factor authentication, risk-based authentication, confidentiality software, data security, email security, and more.