California Privacy Rights Act makes November ballot, spurring questions for businesses

The first stand-alone privacy enforcement agency in the US could be established in California, if voters approve one of the most sweeping privacy proposals in US history in November.

Backers of the California Privacy Rights Act have gathered enough valid signatures to get their initiative on the ballot, the California Secretary of State announced last night. The campaign submitted 931,000 signatures for verification, which were validated by the secretary of state.

Now, businesses are wondering not only how the proposed new privacy regulator would operate in practice. They’re also concerned about how to comply with California’s existing privacy law, the California Consumer Privacy Act, if it’s going to change soon. There are no clear answers.

The proposal would strengthen the CCPA by creating the California Privacy Protection Agency, which would be dedicated to protecting online consumer privacy. It would have investigative and subpoena powers, as well as the authority to fine, and would be funded by the fines it collects.

• The CPRA would also modify the CCPA by:
  - Giving consumers more control over their data, such as the ability to correct their personal information;
  - limiting automated decision-making and profiling by allowing residents to opt-out of letting advertisers use their geolocation information;
  - restricting the use of sensitive personal information, including sexual orientation, Social Security numbers, and union memberships;
  - limiting the retention of personal or sensitive personal information for only as long as "reasonably necessary;"
  - Increasing fines for violations involving children under the age of 16, up to $7,500 per violation;
  - clarifying the definition of "sale" as related to consumer data.

Californians for Consumer Privacy, the group behind the proposal, has spent more than $4.5 million already to get the proposal on the ballot, with the large proportion donated by the measure’s chief proponent, San Francisco Bay Area real estate developer Alastair Mactaggart.

Mactaggart also spent about $3 million of his own money to help Californians for Consumer Privacy qualify the CCPA as a ballot initiative in 2018. Mactaggart agreed to withdraw the ballot proposal as part of a deal in which the state legislature passed essentially the same law.

McTaggart's group says it’s money well spent because they have strong support in California, where recent polling by Goodwin Simon Strategic Research found that 88 percent would support a ballot measure expanding privacy protections for personal information.

The campaign to gather signatures for CPRA, however, was short-circuited this spring by the Covid-19 pandemic and California’s stay-at-home order, leaving Californians for Consumer Privacy about 70,000 signatures short of their goal of gathering 1 million signatures.

As a result, the measure was at risk of being delayed until November 2022, and the race to tally enough valid signatures came down to the last day. Californians for Consumer Privacy sued California Secretary of State Alex Padilla, seeking to force him to accelerate the process of validating signatures. A California Superior Court judge agreed and ordered Padilla to work with the group to speed up the process.

All of this is happening, however, just days before enforcement of the CCPA is slated to begin, adding to the regulatory uncertainty already facing businesses struggling to comply.

California Attorney General Xavier Becerra submitted the final CCPA draft regulations for approval to the California Office of Administrative Law on June 2. He asked for an expedited review so they could be approved by July 1, when the statute requires that the implementing regulations take effect.

Now, the AG is likely to face a barrage of questions from businesses anxious about what the CPRA could mean for them and how they should prepare if the ballot initiative passes.

At a July 12 hearing in the California legislature on the CPRA, Assemblymember Ed Chau, chairman of the Assembly’s Privacy and Consumer Protection Committee, asked if it would be better to build on the CCPA after consumers and businesses have more time to understand and utilize the CCPA.

"Why is now the time?” Chau said.

Officials from the California Retailers Association and the National Federation of Independent Business testified that the proposal was adding unnecessary confusion for companies already struggling to comply with the CCPA.

But Mactaggart said he’s convinced the CPRA gives Californians what they want and need: even stronger privacy protections.

“My profound conviction is this is not overriding CCPA,” Mactaggart said. “This is enhancing CCPA.”

If approved by voters in November, the CPRA will take effect Jan. 1, 2023.