For those privacy buffs following the status of the California Privacy Rights Act ballot initiative (CPRA), today is the much-anticipated deadline to officially decide whether the CPRA will qualify for the Fall 2020 ballot in November. The final answer? Yes, it will.

Background

CPRA (which was introduced by the Californians for Consumer Privacy in January 2020) is a ballot initiative that would both expand the scope of the existing California Consumer Privacy Act (CCPA) and delay the effective date for some key CCPA provisions.

At a high-level, the CPRA would most notably give California consumers the right to:

  • prevent businesses from sharing (i.e., not only selling) personal information as well as correct inaccurate personal information
  • limit businesses’ use of “sensitive personal information” (a newly-defined term that introduces a more expansive definition of this concept and incorporates elements from the European General Data Protection Regulation)
  • impose retention requirements for personal information, and establish a California Privacy Protection Agency, and
  • delay the expiry of the CCPA’s HR and B2B exceptions until January 1, 2023 (the effective date of the CPRA).

Following the California Secretary of State’s announcement on May 14 that the CPRA had obtained sufficient raw signatures to qualify for the November 2020 ballot, the counties began verification of these signatures. However, according to a lawsuit filed by the Californians for Consumer Privacy on June 8, 2020, the Secretary of State initiated this verification process one day too late, such that it would be completed on June 26, 2020 – one day past the deadline for the November ballot. On June 19, 2020, the Superior Court for Sacramento County, California issued its ruling on this matter, which – at a high level – ensures the CPRA will make it on the November 2020 ballot based on the Secretary of State’s memorandum last night that a sufficient number of valid signatures had been filed in support of the initiative. That memorandum specifically stated that the Secretary of State will certify the initiative today (June 25, 2020) as qualified for the November 3, 2020, General Election ballot.

What does this mean for companies?

It is important to remember that although the CPRA has significant implications with respect to companies’ California privacy efforts, it is only a ballot initiative at this point, which will need to be approved by voters in November. Even if voters approve the CPRA in November, companies should keep a close eye on legislative developments. In particular with respect to the B2B and HR exceptions, it is important to note that the CCPA’s operative date for B2B and HR personal information is still January 1, 2021 and – given the uncertainty of the times – there is a possibility that the CPRA will not in fact become law before January 1, 2021.  As such, we encourage companies that have relied on the B2B and HR exceptions to continue their compliance efforts and closely monitor legislative developments on this topic.  

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Michael advises clients across various industries, including global online businesses, pharmaceutical companies, healthcare providers, manufacturers, financial institutions, sourcing providers, retail companies, and other organizations regarding the legal aspects of global privacy and data protection, data security, information technology, and related restrictions on data collection and transfer.

Author

Amy de La Lama has assisted a wide array of companies in addressing legal issues related to global privacy and data collection, data security, information technology and related restrictions on data collection and movement.

Author

Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.

Author

Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.

Author

Brandon Moseberry advises global consumer, information technology, manufacturing, medical device, and financial institutions, among other clients, on a wide range of global data privacy, cybersecurity, direct marketing, social media, behavioral advertising, and related matters.

Author

Lothar has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto.