CPRA – A.K.A. CCPA 2.0 – Qualifies for 2020 Ballot
The California Privacy Rights Act, a new data privacy effort introduced to narrow the scope of the California Consumer Privacy Act, now has enough support to make it onto the November 2020 ballot.
As many privacy experts in the state predicted, the California Privacy Rights Act – largely viewed as by some as California Consumer Privacy Act (CCPA) 2.0 – has enough support behind it to make the ballot this November.
Californians for Consumer Privacy, the group that sponsored the CCPA, said on Monday that it was submitting over 900,000 signatures in support of CPRA. To compare, the group got 629,000 signatures in 2018 to qualify for the ballot that year.
The group's goal was actually to get 623,000 signatures, five percent of the number of individuals who voted in the most recent state gubernatorial election, in order to get on the ballot but far exceeded the figure.
While privacy advocates and lawyers alike expected the initiative to make the ballot – as one lawyer said at RSA in March, "California never rests"– it was unclear when it was going to happen given the complications introduced by COVID-19. The coronavirus has made it difficult for proponents of the act to get signatures in front of stores, in parks, and at farmer's markets. Now, it’s not too far-fetched to imagine the measure receiving over one million signatures in the next several weeks.
While the CPRA will qualify for the ballot, there’s no lock it passes - but it certainly appears to be on the right track.
Similar to the CCPA, if the CPRA is implemented, it will further reign in how – with who – and when – personal data is shared.
Among the CPRA's goals:
- Create a new category of sensitive personal information (SPI) including information pertaining to finances, biometrics, health status, geolocation, religion, race, union membership and private communications. Californians would have the right to prohibit the use of that data.
- Unlike the CCPA, which is enforced by the California Attorney General’s office, CPRA would establish a new authority to protect and enforce rights outlined by the CPRA, the California Privacy Protection Agency. The group would have the ability to administer fines and theoretically have broader oversight.
- Tighten data protection for children. Triple penalties for improperly collecting and selling data of children under the age of 16.
- Allow consumers to stop businesses from tracking their location for most purposes, like advertising, within 250 acres.
- Add email and password to the list of items covered in a "negligent data breach," meaning if those are mishandled, an individual could sue a business for damages.
- Make it more difficult to weaken privacy in the state in the future by allowing legislation to continually amend the Act but only if it benefits privacy - or is "in furtherance of the purpose and intent" of CPRA.
The founder of Californians for Consumer Privacy (and CCPA co-author) Alastair Mactaggart acknowledged this week that the CPRA needs to evolve alongside technology - and be amendable - in order to work.
“Even as we’ve worked to strengthen privacy laws here in California, we’ve realized that our laws need to keep pace with the ever-changing landscape of constant corporate surveillance, information gathering and distribution,” Mactaggart said, “We think Californians deserve to participate in and shape the conversation about how, when and with whom our most personal information is shared. That’s why we’ve introduced this new ballot measure, signed by nearly one million California voters.”