Still getting your arms around CCPA? Get ready for CPRA, on the November California ballot
- Rich O'Neal
- May 13, 2020
The California Consumer Privacy Act, CCPA, is due to go into full effect on June 30. There is already a replacement making its way to the California ballot in November.
The legislature-passed CCPA was a response to a pending ballot initiative. The organization behind the original ballot initiative, Californians for Consumer Privacy, is putting a new, more comprehensive ballot measure up for voter approval this November. It will provide further regulation for companies that deal with Californians' personal data. With an operative date of Jan 1, 2023, it will apply to all data collected on or after Jan 1, 2022.
1. New definition for sensitive data: with restrictive limits on its use and sharing, and mandated links for opt-out of sale or sharing.
2. Creation of a new enforcement agency: the California Privacy Protection Agency, replacing the authority of the Attorney General's office.
3. Expanded breach liability: in addition to the right of action for nonencrypted, nonredacted personal information under the CCPA, CPRA adds a private right of action for breach of email address and password/security question.
4. Annual cybersecurity audits and risk assessments: details to follow, but one goal of such risk assessments is to restrict processing of consumer data if the risks to the consumer outweigh the benefits to all stakeholders.
5. Automated decision-making and profiling: new access and opt-out rights related to automated decision-making, mirroring GDPR provisions.
6. New consumer rights for data correction: consumers would be able to request and require businesses to carry out correction of inaccurate personal information, subject to reasonableness standards.
7. Strengthened opt-in rights and enhanced penalties for mishandling children's data: with fines of $7500 per violation, and potential fines of 3x when the business has actual knowledge that the consumer is under 16 years old.
8. Necessity-based limitations for data retention: businesses must inform consumers of the retention time for each category of personal and/or sensitive personal information, and would be prohibited from retaining it for longer than the disclosed purpose of collection.
9. Expanded employee data moratorium until Jan 1, 2023: this clearly separates consumer information from that of job applicants, employees, and contractors, etc.
10. Contractual and direct obligations on service providers, contractors, and third parties: these requirements are reminiscent of GDPR and international data transfer mechanisms.
IAPP has a detailed write-up:
https://bit.ly/360t6Hk