A New Ballot Initiative to Augment California’s Privacy Regime
The activist behind the California Consumer Privacy Act (“CCPA”) is proposing a new ballot initiative to modify the statute and impose additional requirements on businesses. The CCPA was enacted in 2018 to head off a more stringent ballot initiative from Alastair Mactaggart, but the activist has announced that he plans to go directly to the voters for additional changes. His new proposal has a high chance of qualifying for the November 2020 ballot.
If approved by voters, the new ballot initiative would take effect on January 1, 2021, and would apply to all data collected on or after January 1, 2020. It would expand California’s privacy regime in the following ways, among others:
- Establish a new California Privacy Protection Agency to enforce the CCPA, with authority to impose fines of $2,500 per violation and $7,500 for each violation that is intentional or that affects minors. The Attorney General would retain its rulemaking and enforcement authority.
- Prohibit businesses from collecting personal information (“PI”) for purposes “that are incompatible with the disclosed purpose for which the personal information was collected, or other subsequently disclosed purposes.” As a practical matter, this means businesses would need to periodically review their uses of previously collected data, and to make additional disclosures to consumers if uses have changed since the initial time of collection.
- Create a new category of “sensitive personal information” (“SPI”) to include data such as financial, health, racial and precise geolocation information. Consumers will have the right to opt out of businesses’ use of SPI for advertising purposes. Further, businesses must obtain opt-in consent from the consumer to “sell” SPI.
- Impose new restrictions and disclosure requirements with respect to use of data to “profile” consumers for purposes of determining their “eligibility for financial or lending services, housing, insurance, education admission, employment, or health care services.” Disclosure is mandated if data “profiling” is used to take “adverse action” against a consumer.
- Limit “cross-context behavioral advertising,” which is advertising based on data obtained from multiple unrelated sources, where the data is used to predict consumer behavior and/or to determine what advertising to target at the consumer. Businesses may engage in normal, generalized advertising to their existing customer base, so long as the advertising is not targeted to particular customer subgroups based on data profiling.
- Mandate disclosure of how long consumers’ personal information (both ordinary PI and SPI) is maintained, and require businesses to delete data after it is no longer “reasonably necessary” for the originally disclosed purpose of collection. In general, it would be unlawful for a business to collect more PI/SPI than “is reasonably necessary to achieve the purposes for which it is collected.”
- Require more robust disclosures with respect to sale/disclosure of data and more consumer-friendly mechanisms to opt out of such sale/disclosure. If a consumer opts out of sale of his or her data, the business must wait 12 months before requesting new consent to sell data.
- Mandate greater disclosures regarding how PI/SPI is being used to influence consumer opinions in a variety of ways such as in politics and commerce — for example, if requested by a consumer, disclosure of the specific political activities (if any) for which PI/SPI is used.
- Establish a “reasonable security procedures and practices” standard and require businesses that disclose PI/SPI to vendors/service providers to adopt written contractual provisions to protect such data against misuse or loss. Vendors/service providers need not respond to direct data deletion requests from consumers, but must cooperate with such requests, which must be passed along by the businesses that collected the data.
- Create a new “right to accuracy” for consumers to require businesses to correct errors in their records.
- Triple fines for violation of children’s privacy and require opt-in consent to collect data from consumers under age 16, with parents or legal guardians providing permission for those under 13.
- Allow businesses to offer consumers financial incentives for the use of their data, if such incentives are “directly related to the value provided to the business by the consumer’s data,” but require businesses to wait at least 12 months before requesting consent again.
- Empower consumers to request disclosures pertaining to data collection, retention and use for all time periods subsequent to enactment of the statute, even if that period exceeds 12 months. Future regulations may impose a time limit.
The ballot initiative would allow the legislature to adopt amendments by majority vote, but only to enhance privacy protections. Given the prospects and timing of the new ballot initiative, businesses will have to continue sprinting for compliance by January 1, 2020, with the amended CCPA requirements (and implementing regulations from the California Attorney General’s office to come at the turn of the year) — but be prepared for imposition of a still stricter framework in the year 2021.
The attorneys of Stroock’s Financial Services Litigation, Regulation and Enforcement Group are well positioned to answer your questions about California’s evolving privacy framework, as well as other privacy and cybersecurity issues.
This article is for general information purposes only. It is not intended as legal advice, and you should not consider it as such.