With the majority of people focusing heavily on the US presidential election, Californians voting on ballot proposition 24 has snuck relatively under the radar with significant recent progression towards the inclusion of the CPRA on the November 2020 ballot. This means that businesses may want to begin to consider how their data privacy obligations in California may change if voters enact CPRA.
Polling suggests CPRA is likely to pass, with a significant majority (80%) of those surveyed in favour of its introduction. Even if polling is off by 20 points, CPRA will still go through due to only needing a majority. However, not all consumer advocacy organizations have lined up behind it. For example, CPRA is opposed by the Green Party, ACLU and League of Women Voters.
The current results look like: 6,305,627 (56.1%) votes in favour and 4,932,340 (43.9%) votes against, and with 85.3% of the total votes being counted, it is looking significantly more likely that CPRA is going to pass.
For those interested in the changes that CPRA would have on businesses and the new requirements here is a highlight of the biggest amendments:
· no sharing of consumer’s personal information upon the consumer’s request;
· provide consumers with an opt-out option for having their sensitive personal information, as defined in law, used or disclosed for advertising or marketing;
· obtain permission before collecting data from consumers who are younger than 16;
· obtain permission from a parent or guardian before collecting data from consumers who are younger than 13; and
· correct a consumer’s inaccurate personal information upon the consumer’s request.
Beyond new rights, the CPRA will establish a privacy enforcement agency (the California Privacy Protection Agency) and in turn would be the first agency of its kind to being dedicated to privacy enforcement.
If passed, the CPRA would become operative on 1 January 2023 and would apply only to personal information collected after 1 January 2022.