Intangibles of CCPA 2.0 Loom Over RSA Privacy Talks
The California Consumer Privacy Act is nebulous as it is. Potential changes to the state's privacy laws, slated for later this year, could cloud things further.
SAN FRANCISCO - Despite going into effect two months ago, much of the conversation revolving around the California Consumer Privacy Act here at RSA Conference 2020 continues to be steered by uncertainty.
While much of the trepidation stems from the fact that enforcement hasn’t set in yet – it’s slated to begin in July, later this year – a chunk of it connects back to the fact that a new, refined version of the legislation could find its way back on the ballot in November.
The next version of CCPA, called CCPA 2.0 in some circles, is technically CPRA, or the California Privacy Rights Act of 2020. Momentum has been building around the ballot initiative, post-CCPA, since it was released last November by a group dubbed the Californians for Consumer Privacy.
In a session here on Tuesday, “It's All about the States: Navigating the Privacy Thicket,” Behnam Dayanim, a partner at Paul Hastings LLP, suggested that since it’s an election year, turnout at the polls could be higher, something that could lead to the initiative getting passed. There’s also a good chance that someone launches a competing version of the legislation that’s less draconian but still largely privacy-focused that could steal its thunder, Dayanim said.
“California never rests,” Dayanim said at the session, adding that Alastair Mactaggart, the driving force behind CCPA, has been vocal about how the CCPA has been watered down and that it wouldn’t be a surprise to see it on the November 2020 ballot, provided it receives the appropriate number of signatures.
Much of the session, one of the first following the day’s keynotes, served as a mini crash course on CCPA and the resulting legislation that’s been launched in its wake. Dayanim discussed Nevada’s narrower “Act relating to Internet privacy,” New Jersey’s SB 269, which lacks what he called a description for what a legal basis for data processing is, the New York Privacy Act – which could compel businesses to act as a “data fiduciary” – and the Washington Privacy Act, legislation he believes is the farthest along and closest to becoming law.
Legislation has been enacted in at least 15 states post-CCPA, not to mention efforts taken on the federal level, including a bipartisan bill circulated by the House Energy & Commerce staff in December and the Consumer Online Privacy Rights Act introduced in the Senate in November.
The confusion around CCPA came as a result of its quick passage.
“CCPA was an earthquake of data privacy legislation in a matter of weeks,” Dayanim said, highlighting just how frantic things were when it came down to the wire.
Several questions, like what exactly defines a sale, how to treat non-Californians, and how to treat publicly available information – like information from federal, state, or local government records – remain.
Despite the lack of clarity around the law, Dayanim said it should still be the guiding light for companies when it comes to handling personal data. It doesn’t seem like we’re going to see a federal data privacy law any time soon. Instead, companies should take a risk-based approach to advertising and other forms of “sale” and decide whether they want to extend CCPA rights.
That starts with knowing your data – taking stock of what personal data you collect and why, mapping that data, knowing your third parties and what data they may access, and being aware of any compliance measures that may be in place and how contemporaries may be interpreting them, Dayanim said.