You may have heard of the California Consumer Protection Act (CCPA) which entered into effect at the beginning of this year. You can find more information here.

In the state ballot in November 2020, Californians will be asked to decide the fate of another new privacy law, the California Privacy Rights Act (CPRA). The proposition was initiated by the organization Californians for Consumer Privacy, who’s founder, Alastair Mactaggert, had also been the driving force behind the CCPA.

On June 24, 2020, it was officially announced that the California Privacy Rights Act (CPRA) has qualified for the November ballot by securing at least 623,212 signatures.

The CPRA was introduced in order to amend the CCPA, which has been widely criticized for its overbroad definitions, ambiguous language, and overall lack of clarity. The CPRA aims to expand consumers’ privacy rights and to increase the companies’ compliance obligations.

Many of the proposed rules in the CPRA bear similarity with those of the EU General Data Protection Regulation (GDPR). The new law would grant consumers in California more rights in comparison with the existing Consumer Protection Act, for instance:

  • Right of correction: consumers shall have the right to request from businesses the correction of any incorrect personal information.
  • Sensitive data: the law will add a new data category called “Sensitive Personal information”, and give consumer the right to decide whether businesses may use their sensitive information. Sensitive Personal Information will include health and financial data as well as geolocation data that was collected without consent.
  • Data breach liability: the new law aims at revising and clarifying the CCPA as it relates to data breach liability. Specifically, it states that any breaches in which a consumer’s e-mail is compromised along with their password or security question and answer can result in liability for the company.
  • Children’s privacy: by tripling the CCPA’s fines for collecting and selling information of minors under 16 years of age, the news law also seeks to enhance the privacy rights of children.

In addition, the CPRA seeks to establish an independent enforcement authority, the California Privacy Protection Agency (CalPPA). Currently, Data protection law is enforced by the Attorney General.

The new law could be another step towards approximation to the GDPR, which might pave the way for a decision of the EU-Commission according to Art. 45 (1) GDPR with California qualifying as such territory.

The act is foreseen to become effective on January 1, 2023, and to apply, with the exception of the right of access, only to personal information collected by a business on or after January 1, 2022.

It remains to be seen how Californians will use their vote, or if the legislature will preempt the proposal by proposing a new privacy bill of their own.