After covering in detail the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), the potential for another far-reaching data protection and privacy law looms on the horizon. It is very likely that voters in California in November will weigh in on passage of one of the world’s most comprehensive laws on data protection and privacy — The California Privacy Rights Act (CPRA) of 2020. Given that California has 1/8th of the US population and is the 5th largest economy in the world, and most businesses would likely not have one policy for California and one policy for the rest of the US, it will have far reaching impact — on par with the impact of the GDPR.
In this blog post I will give an executive overview of the initiative and how the backers of the initiative (Californians for Consumer Privacy aka CCP) are going about getting it on the ballot. In subsequent blogs I will go through in more detail the new rights that consumers get and the new business obligations that will be added if the CRPA initiative passes and becomes law.
Cutting to the Chase … an Executive Summary of the CPRA
The CPRA is a California state ballot initiative that seeks to amend, expand and clarify the existing CCPA law that was passed into law in 2018 and went into effect on January 1, 2020. In other words, the CPRA is an uber/omnibus privacy and data protection law, not a separate law, so it truly represents “Version 2.0” of the CCPA. It provides additional rights to consumers, adds additional obligations to businesses, but probably most significantly it creates a new regulatory agency to enforce data protection and privacy in California — the California Privacy Protection Agency (PPA).
Furthermore, if the ballot initiative passes, it also in effect puts the law in a “lockbox” in that yes, the law could be amended by the legislature (in fact the original CCPA was amended 6 times), but with a key restriction that any amendments must be “consistent with and further the purpose” of this new law — so no watering down by the legislature (but a new initiative could weaken). CPRA won’t take effect until January 1, 2023, so there will be time for businesses to prepare for it, ala the two-year difference that the EU experienced with the GDPR that passed in 2016 and did not take effect until 2018.
Roots of the CRPA
So how did the CRPA come into being as an initiative? It starts with the fact that V1, i.e. the CCPA, itself started off as a ballot initiative. As I wrote in this blog post, back in in 2015 Alastair Mactaggert, a real estate developer and investor based in San Francisco, had a dinner conversation with a Google engineer and the conversation turned to personal data being collected by the Big Tech companies. Alastair was surprised to learn of the massive scale of the data being collected on individuals and the invasive scope of the “corporate surveillance” happening. He thought something should be done ala the EU’s GDPR, and enlisted a friend, Rick Arney, and in November of 2015 the two of them formed the group Californians for Consumer Privacy (CCP) After two years of research and consultation with lawyers as well as privacy and technology experts, the group filed a proposed California ballot initiative in November of 2017.
From January through May 2018 they collected signatures to have the initiative show up on the November 2018 ballot. During that election cycle, approximately 300k certified signatures were required for an initiative to make the ballot, and, in the end, they collected over 600k signatures (which is more registered voters than states such as Vermont and Wyoming have!). The California Secretary of State certified the initiative to appear on the November 2018 ballot.
It turns out that California has a recent law that a ballot initiator aka “proponent” can agree to take their initiative off the ballot within 30 days of the initiative being certified by the Secretary of State. Members of the legislature were interested in passing privacy legislation, and seeing this initiative as an impetus (and maybe not wanting to look bad to voters in California who may think that the legislature should be handling something like this vs. the voters directly), so starting in May through June 2020 Alastair et al negotiated (aka “horse traded”) with the California legislature. In the end literally within hours of the 30 day window closing, a deal was struck and Assembly Bill (AB) 375 passed unanimously in both California houses and it was signed into law by Governor Brown in June of 2018. This became what is known universally as the California Consumer Privacy Act (CCPA) of 2018.
Industry tried to chip away at it via proposed legislation that watered it down, but in the end 6 amendments to the CCPA were passed over the next year that still preserved the main intent of the CCPA (for more information on the main features of the CCPA, please see these prior blog posts).
Round 2 for Californians for Consumer Privacy
Wanting to add more consumer rights and get the CCPA even closer to the GDPR, concerned about the lack of enforcement, and worried that businesses may try yet again to get the legislature to neuter and water down the CCPA, the same group behind CCPA decided to try the ballot initiative process again, this time with California Privacy Right Act of 2020 aka CRPA.
So, throughout 2019 Alastair Mactaggert and his CCP group worked on drafting new legislation, and in November of 2019 the proponents submitted to the California Attorney General their ballot initiative. One month later in December of 2019 the AG office released the official title and summary of the CRPA.
Then it was off to the races to gather signatures to get the CRPA on the ballot. State law requires 5% of the total votes in the last California Gubernatorial race, which happened in the mid-term elections of 2018 in an election that had high turnout, so this time around the bar was 623,212 signatures, double the number that was required when the CCP had gotten the necessary signatures for the version 1 ballot initiative.
On May 4, 2020, CCP was able to (amazingly) submit over 931,000 signatures (which is more than the population of South Dakota, North Dakota, Alaska, District of Columbia, Vermont and Wyoming). As I write this blog, the signatures are now in the process of being certified. See below for the snapshot as of 5/22, with over 70,000 signatures valid and certified (so they are 11% there). So far, the “valid rate” is showing up at 78.05%, so assuming that percentage holds, it means 931,000 x .7805 = 726,645 signatures, more than the 623,212 required. State law requires that the signatures must be certified at least 131 days prior to the general election, or June 25, 2020, so as things stand now, they likely have enough time and “overage” of signatures to meet the deadlines and make the November 3, 2020 ballot. Note if there are enough signatures, but the counties counting the signatures don’t meet the June 25th deadline, the initiative would still make the 2022 election cycle.
If the ballot meets the signature and time deadline for certification, which is likely, we still may see a situation in which the legislature raises their hand after June 25th and says “let’s make a deal” to Alastair and his CCP group ala the original CCPA initiative. So it may be possible that the majority of the initiative could be signed into law this summer. But who really knows, this time around the legislature may be too focused on Covid-related issues to focus on this and/or a deal cannot be struck.
If the CPRA were to appear on the November ballot, as it stands now it appears that the initiative has broad support and would likely pass — a survey done in October 2019 (and sponsored by the CCP) showed almost 90% support. This astoundingly high percentage number of support may motivate legislators to try to forge a deal this summer, or, if it does go on the ballot, may motivate opponents to hold off spending loads of money to defeat given its overwhelming popularity (e.g. they may knock down approval ratings by say 25%, but even then the CPRA still passes).
If approved by voters, the CPRA will kick in on January 1, 2023, but certain aspects, such as the creation of the Privacy Protection Agency aka PPA (which moves the majority of enforcement and rulemaking away from the California Attorney General to the PPA), would start sooner.
I will talk through key highlights of the CRPA in my next few blog posts.