If you’ve been feeling encouraged about your company’s preparation for the California Consumer Privacy Act’s (CCPA) launch on January 1, 2020, you may not want to breathe a sigh of relief just yet. Alastair Mactaggart, the founder and board chair of Californians for Consumer Privacy (one of the coauthors of the CCPA), is hoping that a new initiative that he announced is put on the November 2020 ballot in California. Mactaggart filed the 51-page ballot initiative with the California Attorney General on Sept. 25, 2019, with minor modifications made in an updated filing on Oct. 2, 2019.
Officially titled the California Privacy Rights and Enforcement Act (CPREA), the initiative has gained the moniker “CCPA 2.0” because it would make significant changes to the original version of the CCPA enacted last year. Californians for Consumer Privacy has published an annotated version of the CPREA on its website, explaining many of the proposed changes. By June 2020, 623,212 signatures are needed in order for the initiative to qualify for the ballot. By comparison, the CCPA garnered 629,000 signatures in June of 2018.
One of the most material changes to the CCPA are provisions that would significantly affect the advertising industry, making CCPA compliance far more difficult for the digital advertising ecosystem in particular. The Findings and Declaration section of the measure takes the position that the current CCPA is intended to restrict what it calls “cross-contextual behavioral advertising,” but goes on that clarifications are need to confront potential ambiguity and industry interpretations. Specifically, the CPREA would:
- Expand the term “sale” even further to include disclosures, even absent any consideration whatsoever, if the disclosure is “for a commercial purpose, including cross-context behavioral advertising,” which is defined as “targeting of advertising to a consumer based on a profile of the consumer, including predictions derived from the consumer’s personal information, where such profile is related to the consumer’s activity over time and across time and multiple businesses or across multiple, distinctively branded websites, applications, or services.”
- Narrow the definition of “business purposes” in ways that will make digital advertising more difficult to achieve. Cross context behavioral advertising would explicitly not be a business purpose. While “non-personalized advertising” (a new term) would be a business purpose, the CPREA would remove the language in the definition that permits service providers to use their client’s PI for their own business purposes, which will impact the ability to pool client data for ad viewability and other purposes. The recently proposed regulations present similar challenges in proposing to limit service providers’ use of client PI for other client’s benefits, but do not go as far as the CPREA.
- Add a new category of “sensitive personal information,” which carries with it a number of new use limitations, including that it could not be “sold” (i.e., used for cross-context behavioral advertising) and would create an opt-out not only disclosure but also use of sensitive personal information for any advertising or marketing purpose. Yet another opt-out button would be required for this new right. “Sensitive personal information includes a consumer’s Social Security number, driver’s license number, state identification card or passport number; a consumer’s account log‐in, financial account, or debit card or credit card number in combination with any required security or access code, password or credentials allowing access to an account; a consumer’s precise geolocation; personal information revealing a consumer’s racial or ethnic origin, religion, or union membership; the contents of a consumer’s private communications, unless the business is the intended recipient of the communication; a consumer’s biometric information; data concerning a consumer’s health; data concerning a consumer’s sexual orientation; or other data collected and analyzed for the purpose of identifying such information
Some other noteworthy changes would include:
- Creating a California Privacy Protection Agency, tasked with enforcement of the CPREA and other state privacy regulations. This would include appointment of a “Chief Privacy Auditor” to proactively conduct audits of businesses to ensure that they are in full compliance.
- Prohibiting businesses from collecting the personal information of children under 16 unless the child (if 13 or older) or parent has affirmatively consented to the collection (the CCPA currently restricts the sale, not the collection, of personal information from minors); penalties for any violations of the CCPA involving minors’ personal information would also be tripled, to $7,500.
- Granting consumers a right to correct inaccurate personal information.
- Amending the definition of a “business” as having 100,000 or more consumers or households, rather than the CCPA’s 50,000 or more consumers, households or devices.
- Defining a “household” as “a group, however identified, of consumers who cohabitate with one another at the same residential address and share access to common device(s) or service(s) provided by a business.” Household data would, however, be excluded from most consumer rights requests, presumably to protect the privacy of household members.
- Amending the definition of “business purpose” to include new elements such as “non-personalized advertising,” provided the information is not disclosed to a third party, used to build a profile of the consumer or alter the consumer’s experience with the business.
- Amending the definition of “deidentified” to “information that cannot reasonably be used to infer information about, or otherwise be linked to, an identifiable consumer,” if the business meets certain requirements.
- Imposing a duty to notify both consumers and the California Privacy Protection Agency of political purposes for which consumers’ personal information is used, e.g., the candidate involved, and whether the personal information was used to support or oppose the candidate.
- Making the limited employee-data and business-to-business exemptions permanent, instead of sunsetting after one year.
- Imposing a duty to notify consumers about profiling when done to determine eligibility for financial services, housing, insurance, education admission, employment or healthcare services, along with “meaningful information about the logic involved.”
- Extending the right of access to require businesses to disclose a consumer’s personal information collected more than 12 months before the request, with certain exceptions.
- Broadening the definition of “publicly available” beyond data “lawfully available” from government records to include information a business reasonably believes to be lawfully available to the general public.
- Imposing a duty for businesses that collect a consumer’s personal information to implement reasonable security procedures and practices appropriate to the nature of the personal information to protect it from unauthorized or illegal access.
- Limiting a business’s collection of a consumer’s personal information to personal information that is reasonably necessary to achieve the purposes for which it is collected.
- Creating a category of “large data processors” (businesses that collect more than 5 million consumers’ personal information annually) that every year are required to conduct cybersecurity audits and publish risk assessments pursuant to regulations to be issued by the California Privacy Protection Agency.
- Extending the statute of limitations for the California Privacy Protection Agency to enforce the CCPA, giving it five years after a violation to bring an administrative action.
Despite the number of provisions that the CPREA contains that are designed to clarify ambiguities in the CCPA, it mostly does so in ways that increase, rather than solves for, the very real challenges the privacy regime creates for businesses, particularly in the digital realm. Mr. Mactaggart has publicly stated that this time he will not accept a legislative alternative. If that is the case, this time industry is going to need to win over the California electorate or be forced to make even more material changes to the way they use consumer data, at least online. For more information about the CCPA, and the potential of CCPA 2.0, contact the authors or visit our Consumer Privacy Resource Center.