Sure, the California Consumer Privacy Act only took effect this year, and the enforcement period only began July 1. But yes, California may pass a second privacy law by year’s end. It’s called the California Privacy Rights Act, and it’s basically the CCPA on steroids.
The CPRA is effectively a proposed addendum to the California Consumer Privacy Act, the privacy law that was passed by the state legislature in June 2018. It took effect on January 1 and the California Attorney General’s office began enforcing on July 1. But it’s only a ballot initiative at the moment. California’s Secretary of State announced on June 24 that the CPRA will be put to California residents for a vote on in November. If approved, the CPRA won’t take effect until January 1, 2023, but — similar to how the CCPA covered data collected the year prior to the law taking effect — it will apply to data collected starting January 1, 2022.
WTF is California doing with another privacy law?
The people behind the CPRA — an organization called Californians for Consumer Privacy — don’t think California’s other, just-enacted-this-year privacy law is strong enough. They are also the same group—led by Alastair Mactaggart—that came up with the ballot initiative that formed the basis for and was replaced by the CCPA, so they would know.
How does the CPRA make the CCPA stronger?
For starters, it creates a government agency — called the California Privacy Protection Agency — specifically dedicated to enforcing California’s privacy laws. The CCPA enlisted the state’s AG’s office to enforce the law, but as overseer of the state’s entire legal and law enforcement arm, the AG’s office has a lot on its plate. That could explain why it took until June 2, less than a month before the AG’s office could begin enforcing the CCPA, for the AG’s office to submit the supposedly final draft of the rules it would use to enforce the CCPA. Creating an agency whose sole purpose is to enforce the CCPA and the CPRA would likely lead to more businesses’ compliance practices being scrutinized and companies being potentially penalized.
Additionally, the CPRA makes companies responsible for what other companies do with California residents’ personal information that is collected by the former and shared with the latter. For example, the law would require that a company monitor that service providers — like ad tech firms processing publishers’ data to facilitate ad targeting — don’t add California residents’ data to the service provider’s own database of consumer profiles unless the company and service provider signed a contract agreeing to that use.
It also puts the service providers on the hook for helping the companies that collected a person’s personal information to comply with requests related to that information, such as deleting it. The CPRA will also give people the option to correct the personal information that companies have collected from them, which could be a way to finally tell the ad tech ecosystem that you, in fact, actually bought those shoes three months ago so all the retargeting can stop please.
Wait, go back. The rules stating what companies need to do in order to comply with the CCPA weren’t available until June 2?
Not exactly. The AG’s office sent out the first draft of its proposed regulations back in October. But then there was a public comment period that led to revisions and then more revisions. The final regulations weren’t so different from the previous draft submitted in March, which confirmed Do Not Track signals can double as opt-outs under the CCPA. And anyway, even though the AG’s office is supposed to have been able to enforce the CCPA starting on July 1, it has to wait until the California Office of Administrative Law approves the regulations. As of July 2, the AG’s regulations were still under review.
So the CCPA is still being sorted out and now businesses might have another privacy law they’ll need to comply with?
Yes. But the CPRA could help businesses to figure out how they need to comply with the CCPA by clearing up its murky definition of sale.
How would the CPRA clarify the CCPA’s definition of sale?
The CPRA would set a new category to describe what companies may do with the personal information they collect from California residents. The CCPA defined a sale as exchanging data for some type of financial consideration, a murky definition that probably applies to targeted advertising, but not everyone is convinced. Plus, some companies don’t want to say they’re selling people’s information unless they are directly trading data for dollars. The CPRA settles both issues by splitting sharing people’s personal information into its own category but with the same requirements applied to the data that companies sell. So it’s a semantic issue, but because this is legalese we’re talking about, it was a significant issue.
Does the CPRA introduce any changes to what is considered personal information?
Yes, by creating a new sub-category of personal information: sensitive personal information. Sensitive personal information includes log-in credentials, precise geolocation (like GPS coordinates), race or ethnicity, biometric data and any data related to someone’s “sex life” or sexual orientation.
Why does the CPRA create a sub-category of personal information?
To make California’s privacy laws less onerous on businesses in a way, it seems. The distinction between data types will allow California residents to tell businesses to treat their sensitive personal information, like their religious beliefs, differently than their regular personal information, like unique device identifiers. If California residents only care to regulate companies’ collection and use of their sensitive personal information, companies may not lose out on the, implicitly, non-sensitive personal information they might use for ad targeting purposes.
What if California residents vote against the CPRA?
That’s a possibility. But even more likely, the CPRA may be off the ballot by November. The CCPA was supposed to be a ballot initiative, but state legislators opted instead to pass it into law themselves so they could amend it. They could do the same with the CPRA, even though one of the CPRA’s aims is to prevent California lawmakers from weakening the state’s privacy laws. So hang tight. One of these days, California’s legal privacy picture will come into focus.