Even before the California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020, privacy advocates are already proposing new legislation that will further strengthen California’s already tough stance on consumer privacy. Alastair Mactaggart, who developed the ballot initiative that led to the CCPA, and his organization, Californians for Consumer Privacy, have published a new ballot initiative intended to appear on the 2020 ballot.
Perhaps surprisingly, the initiative contains a few pro-business revisions. But the vast majority of the new initiative would impose additional requirements on companies that want to do business with California consumers.
Below are some of the key provisions of the proposed law.
New or clarified obligations for businesses
The proposed law revises the definition of a “business” as it applies to companies that are covered based on the number of consumers whose information they collect. The current CCPA applies to any company that “buys or receives” the personal information of 50,000 consumers. Under the new initiative, that 50,000 figure would be raised to 100,000, and would be further revised to state that a company will be covered if it “buys or sells” such information. This provision, according to the drafters’ comments, is intended “to mitigate the concern around undue burden on small businesses.”
It also provides that companies will not be required to “maintain information in identifiable, linkable or associable form…in order to be capable of linking or associating with a verified consumer request….” This provision, according to the drafters, is mainly intended to address raw video footage, which may contain images of consumers but is not typically maintained in a way that would allow a business to link the footage to a particular consumer. The language could apply to other types of media as well (audio, photographs, etc.).
Regarding cybersecurity, the proposed law clarifies that a company cannot “cure” a data breach (and thereby avoid potential liability under the CCPA’s private right of action) by implementing reasonable security procedures and practices after-the-fact.
The law also requires companies to disclose personal information beyond the current 12-month statutory period unless doing so would be “unduly burdensome” or would “involve a disproportionate amount of information.”
New or expanded consumer rights
The law adds an additional tier of “sensitive personal information,” which includes precise geolocation information, Social Security numbers, passport numbers, customer’s account login information, financial accounts, personal information revealing a consumer’s racial or ethnic origin, religion, union memberships, or sexual orientation, among other categories. It further grants consumers new rights over “sensitive information,” such as the right to opt-out, at any time, from a business disclosing or using this information for advertising and marketing.
The law also creates a new consumer right to “accuracy” of the personal information that a company collects. It also requires opt-in for collection of any information on children, and triples the penalties for collecting or selling the personal information of minors under 16 year of age without consent.
Companies would also be required to disclose to consumers “meaningful information about the logic involved in using consumers’ personal information” for purposes of “profiling” them. This would ostensibly require businesses to explain their algorithms used to determine eligibility for such things as financial or lending services, housing, insurance, education admission, employment, or health care services.
The law would also require companies to disclose whether, and how, they use consumer information for political purposes. This would require companies to (among other things) disclose the candidates, committees, and ballot measures that specific consumer information was used to oppose or support.
New regulatory agency
The proposed law creates a new agency, the California Privacy Protection Agency (CPPA), to enforce the CCPA and the new requirements of the new ballot initiative as well as to issue guidance relating to these privacy laws. This would shift the main responsibility for enforcement from the Attorney General.
The initiative needs to gather more than 620,000 signatures to appear on the ballot. According to Mactaggart, who spoke about the initiative at a recent IAPP conference, the measure is currently polling at over 90%. Based on those figures, it appears another 2018-style standoff with the legislature is possible next year.
Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about the California Consumer Privacy Act (CCPA). Jim Shreve is the chair of Thompson Coburn's Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years.