For those privacy buffs following the status of the California Privacy Rights Act ballot initiative (CPRA), today is the much-anticipated deadline to officially decide whether the CPRA will qualify for the Fall 2020 ballot in November. The final answer? Yes, it will.
Background
CPRA (which was introduced by the Californians for Consumer Privacy in January 2020) is a ballot initiative that would both expand the scope of the existing California Consumer Privacy Act (CCPA) and delay the effective date for some key CCPA provisions.
At a high-level, the CPRA would most notably give California consumers the right to:
- prevent businesses from sharing (i.e., not only selling) personal information as well as correct inaccurate personal information
- limit businesses’ use of “sensitive personal information” (a newly-defined term that introduces a more expansive definition of this concept and incorporates elements from the European General Data Protection Regulation)
- impose retention requirements for personal information, and establish a California Privacy Protection Agency, and
- delay the expiry of the CCPA’s HR and B2B exceptions until January 1, 2023 (the effective date of the CPRA).
Following the California Secretary of State’s announcement on May 14 that the CPRA had obtained sufficient raw signatures to qualify for the November 2020 ballot, the counties began verification of these signatures. However, according to a lawsuit filed by the Californians for Consumer Privacy on June 8, 2020, the Secretary of State initiated this verification process one day too late, such that it would be completed on June 26, 2020 – one day past the deadline for the November ballot. On June 19, 2020, the Superior Court for Sacramento County, California issued its ruling on this matter, which – at a high level – ensures the CPRA will make it on the November 2020 ballot based on the Secretary of State’s memorandum last night that a sufficient number of valid signatures had been filed in support of the initiative. That memorandum specifically stated that the Secretary of State will certify the initiative today (June 25, 2020) as qualified for the November 3, 2020, General Election ballot.
What does this mean for companies?
It is important to remember that although the CPRA has significant implications with respect to companies’ California privacy efforts, it is only a ballot initiative at this point, which will need to be approved by voters in November. Even if voters approve the CPRA in November, companies should keep a close eye on legislative developments. In particular with respect to the B2B and HR exceptions, it is important to note that the CCPA’s operative date for B2B and HR personal information is still January 1, 2021 and – given the uncertainty of the times – there is a possibility that the CPRA will not in fact become law before January 1, 2021. As such, we encourage companies that have relied on the B2B and HR exceptions to continue their compliance efforts and closely monitor legislative developments on this topic.
