California’s data privacy landscape has been evolving in recent times. With the January 1 implementation and July 1 enforcement of the California Consumer Privacy Act (“CCPA”), companies have had their hands full getting compliant with the new regulation. And just as soon as CCPA has been implemented, we’re starting to see the results, as cases are already being filed against companies alleged to be out of compliance with the new regulation.
If that’s not enough, the landscape may get even more complicated before the end of 2020, as California Secretary of State Alex Padilla has recently certified a new data privacy initiative that will be placed on the November 3, 2020 ballot. California voters will be able to determine whether the new and tougher proposed law, the California Privacy Rights Act (“CPRA”) should be implemented.
A quick primer about California’s “direct democracy” system: California uses the initiative process to make fundamental changes in some of its laws, whereas most states rely on their elected legislators to negotiate and vote on proposed legislation. Every California election cycle provides residents the opportunity to weigh in on a number of proposed laws.
CPRA looks a lot like Europe’s General Data Privacy Regulation (“GDPR”), which has a broader application than CCPA. A key difference is that GDPR is also an “opt-in” jurisdiction, meaning that a consumer from Ireland must provide explicit consent for a company to collect that consumer’s data, curbing companies’ usage of such data In the US, and even under CCPA, that consent is implied and a consumer has an opportunity to “opt-out”, a much more business-friendly methodology. CPRA would potentially adopt the European model, which could fundamentally change the way companies manage data.
Among other changes the CPRA would bring are clarifying the definition of “sale” of personal information; the expansion of consumer rights to include the right to correct personal information and limit the use of sensitive personal information; data retention limits; service provider obligations; and the expansion of consumer rights to cover the unwarranted revelation of an email address in combination with a password and security questions and answers permitting access to the email account.
No one knows exactly whether CPRA will pass, however as consumers become increasingly aware of their potential rights under a CPRA regime, support from voters is likely to increase.
Regardless of what happens at the ballot box in November, companies need to increase their focus on data privacy compliance and should look to implement a platform like Clym, which supports CCPA compliance and has been designed with the flexibility to manage CPRA compliance, should it become law in California. Given that already the penalties for noncompliance with CCPA can cripple a business financially, why would you wait to see what happens with CPRA? To learn more about how Clym can help with your CCPA compliance, please register or contact us today.