The California Consumer Privacy Act (CCPA) is presently the strongest privacy rights act in the United States. Though it was modeled after the EU General Data Protection Regulation (GDPR), it lacks the full spectrum of consumer protections. A proposed amendment to the 2018 ballot initiative would add some of those protections if it passes in November. Dubbed the California Privacy Rights Act (CPRA), the new bill would expand the scope of sensitive personal information, add new safeguards for minors, and establish a new independent enforcement agency among other terms.
The terms of the new California privacy rights act
The new privacy rights act was drafted by Californians for Consumer Privacy, the same group that rallied to establish the CCPA. Activist Alastair Mactaggart, who spearheaded the campaign for the original legislation, said in an interview with CNN that the new bill was prompted by immediate and significant attacks on the CCPA by businesses in 2019. One of the key provisions of the CPRA is that any future amendment to it would have to be “in furtherance of purpose and intent” of the privacy rights act, something that would curtail most tech industry lobbying attempts to neutralize the bill’s terms through other legislation.
As with the CCPA, the bill was made possible by California’s ballot initiative rules which allow any proposal that gathers enough signatures to be put to a vote — in this case, the proposed privacy rights act collected 900,000 signatures to qualify. It will go before California voters on the November 2020 ballot.
If it passes, the act would expand consumer protections in several key areas. The definition of “sensitive personal information” would be greatly expanded, consumers would be granted a right to correction of personal information, consent requirements and fines would be increased in matters dealing with data subjects under the age of 16, and data breach liability provisions would be tweaked. Additionally, a new enforcement arm would be set up to enforce the terms of both the CCPA and CPRA.
Expanding the scope of sensitive personal information
One common complaint about the CCPA is that, unlike the GDPR, it does not have a special category of particularly sensitive personal information that requires special protections — for example, the sort of items that are key to identity theft or running a confidence scheme.
The CPRA would not only create such a class of data, it would also populate it with nearly every type of personally identifiable information that could potentially be abused: Social Security numbers, financial account information, driver’s license and passport numbers, geolocation data, all sorts of personal demographic information, and biometric information that would fall outside the scope of current Health Insurance Portability and Accountability Act (HIPAA) requirements.
Consumers would also have new rights in regards to the use of information in this category. These include visibility and control of physical location data that businesses keep, and additional access to health and financial information in cases where businesses are authorized to have these things. Consumers would also have the ability to create a geolocation “barrier” of about 250 acres around them in which they cannot be tracked, which would allow advertisers to see the general area they are in but not the specific businesses and locations that they enter.
Right of correction
Another common complaint about the CCPA is that it does not provide consumers with the ability to correct stored data; they can request deletion of personal data, and can opt out of the sale of it, but cannot access and make corrections to it. The new privacy rights act would allow for correction requests if inaccurate information is stored.
Added protections for minors
California residents under the age of 16 would enjoy added data protections under the CPRA. A new law would be created requiring companies to obtain clear opt-in consent to share or sell data from any platform users in this age group.
The current fines for failure to collect opt-in consent would also be tripled. Children between the ages of 13 and 16 are currently able to consent to data collection on their own. Consumers under the age of 13 must provide parental consent; this category of users also falls under the protections of the Children’s Online Privacy Protection Act (COPPA). The CCPA actually strengthens COPPA enforcement in one respect, in that it specifically requires sites and apps to ask the user’s age prior to data collection; sites have some room to dodge COPPA at the federal level by simply never asking the user’s age.
New enforcement agency
At the moment, violations of the CCPA are policed by the California Attorney General’s office. The CPRA would create a new enforcement arm, the California Privacy Protection Agency, to take over this duty.
The new agency would be funded with $10 million from the state’s General Fund, and would tie the number of privacy enforcement staff to the number maintained by the FTC for similar functions (currently about 40).
The CCPA only just went into effect at the beginning of this year. Should the new privacy rights act pass, it would become state law at the start of 2023 and the majority of its terms would become enforceable in July of that year. However, the terms would apply to personal information collected from the beginning of 2022.