On Monday, Alastair Mactaggart and his group, Californians for Consumer Privacy, announced the collection of over 900,000 signatures in support of their ballot initiative, a number well in excess of the approximately 620,000 required for placement on the November ballot. The initiative, called the “California Privacy Rights Act of 2020,” would amend the 2018 California Consumer Privacy Act. (Alston & Bird has previously covered the California Consumer Privacy Act’s enactment, private right of action, and offered a webinar on operationalizing CCPA requirements.) The initiative clarifies some key issues under the law but is likely to be unwelcome to businesses because it creates potentially substantial new compliance costs and obligations. This blog post considers some of the potentially significant legal impacts of the initiative if passed, based on the current draft.
Expanded Initial Notification Obligations. The ballot initiative expands the disclosures required in privacy notices “at or before the point of collection.” Businesses which “control the collection” of consumer information must (a) identify whether collected information may be sold or shared, (b) identify the categories of sensitive personal information collected, and (c) identify retention periods or, “if that is not possible, the criteria used to determine such period.” The initiative clarifies that “third parties” who do not directly collect information from individuals may provide notice via a conspicuous website notice. (See Draft California Privacy Rights Act of 2020 (“CPRA”) § 1798.100.)
Limited Retention. The current law does not expressly address data retention. The ballot initiative amends this approach and expressly limits a business’s ability to retain personal information as “necessary and proportionate” to achieve the purposes of collection or processing, or for other disclosed purposes compatible with the context of collection. (See CPRA § 1798.100.)
Express Information Security Requirements. The initiative clarifies that businesses must “implement reasonable security procedures and practices” to “protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.” (See CPRA § 1798.100.)
Contracting Obligations. The ballot initiative requires that businesses “shall enter into an agreement” with specific terms with third parties, service providers, or contractors to whom personal information is sold or disclosed. The contract must specify that the personal information is provided for limited purposes and additionally obligate the third party, service provider or contractor to:
- comply with the law and provide privacy protections as required under the law;
- provide the business the right to take “reasonable and appropriate steps to help ensure” information use consistent with the business’s legal obligations;
- notify the business if it cannot comply with the title;
- provide the business with the right to “take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.”
These required terms are likely to prove contentious between commercially sophisticated parties. (See CPRA § 1798.100.)
Other Service Provider Obligations. Consistent with the contractual obligations imposed on service providers, service providers and contractors are independently obligated under the proposed law to assist businesses in response to a consumer’s exercise of his or her right of access and correction (further discussed below).
Expanded Data Deletion Obligations Through Supply Chain. The initiative provides that service providers and contractors must (unless a relevant exception applies) delete personal information in response to a verified consumer request and the direction of the business. In turn, such service providers and contractors must pass the request onward to their own service providers, contractors and third parties. This approach thus aims to expand deletion obligations throughout the supply chain. (CPRA, § 1798.105.)
Consent Standards. Consent is an important concept within the current California Consumer Privacy Act, impacting the sale of children’s information, use of personal information for research purposes, and the offer of financial incentives for the use of personal information. The initiative clarifies the meaning of “consent” as a “clear affirmative action” which “signifies agreement.” Consent may not be obtained through a general “terms of use” that contains information unrelated to the use of personal information. Consent may also not be obtained via the use of “dark patterns,” meaning a “user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.” (CPRA, § 1798.140.)
New Right of Correction. The ballot initiative provides consumers with a new right to request correction of inaccurate personal information maintained by a business. Businesses must provide notice of this right and use “commercially reasonable efforts” to correct inaccurate information in response to a consumer request. (CPRA, § 1798.106.)
Special Right to Limit Use of Sensitive Personal Information. The ballot initiative provides consumers with the right to require a business to limit its use of the consumer’s sensitive personal information as “necessary to perform the service or provide the goods” as “reasonably expected by an average consumer who requests such goods or services,” and for certain limited additional purposes. Businesses must notify consumers of this right, potentially including through a link available on their website home page titled “Limit the Use of My Sensitive Personal Information.” (CPRA, § 1798.121.)
Expanded Definition of Sensitive Personal Information. The ballot initiative defines sensitive personal information to include: social security number, driver’s license, financial account access information, payment information, precise geolocation, racial or ethnic origin, “religious or philosophical beliefs,” union membership, contents of communications (unless the business is the intended recipient), genetic data, biometric data processed for identification purposes, health information, sex life and sexual orientation. (CPRA, § 1798.140.)
Anti-Retaliation Provision for Employees. The initiative expands existing anti-discrimination rights under the law to specifically forbid “retaliating” against an employee, applicant or independent contractor who may exercise their rights under the law. (CPRA, § 1798.125.)
Establishment of California Privacy Protection Agency. The ballot initiative establishes a new California state government agency, the “California Privacy Protection Agency” (CPPA). The CPPA would be empowered to enforce the law and issue rules and regulations, a role it would largely take over from the Attorney General who is the current chief regulator under the current law. (CPRA, § 1798.199.10.)
Tougher Requirements (for Businesses) Regarding Defense of Data Breach Actions. The current law provides a private right of action for certain data breaches. Under the current law, such actions may be pursued only after a consumer has provided the business with 30 days’ notice and an opportunity to cure. The initiative provides, however, that “the implementation and maintenance of reasonable security procedures and practices … following a breach does not constitute a cure with respect to that breach.” This additional language limits the defense that businesses may have to such private actions. (CPRA, § 1798.150.)
Ad Technology Implications. If passed, the initiative promises to have significant impacts on the use of online advertising technology. Key provisions and potential impacts include:
- The initiative proposes an expanded opt-out right which expressly provides consumers the right to opt-out of “sharing” of personal information. “Sharing” is defined as providing information for “cross-context behavioral advertising, whether or not for monetary or other valuable considerations, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.” This definition seems aimed at restricting the ability of online advertising networks to receive and use consumer personal information where a consumer has provided an opt-out. (CPRA, § 1798.120.)
- The initiative modifies the definition of “business purpose” to restrict the marketing uses of personal information by service providers and contractors (acting under a “business purpose”). Such “business purposes” now expressly exclude cross-contextual behavioral advertising and combining certain information received from different sources when a consumer has expressed an opt-out preference. This provision may restrict the ability of advertising networks to position themselves as “service providers” under the law. (CPRA, § 1798.140.)
Additionally, many of the obligations detailed above (such as deletion rights extending throughout a supply chain of third parties, service providers, and contractors) are likely to impact the use of advertising technologies as well.
The ballot initiative is an active measure which aims for (but, according to the California Secretary of State’s website, has not yet achieved) official qualification for the November 2020 ballot. The initiative provides that, if passed, most provisions will become operative Jan. 1, 2023, with some provisions having immediate effect after passage, such as provisions governing funding, the issuance of regulations, and establishing the CPPA.