California Governor Gavin Newsom recently took action on three important data privacy bills. The most important of which is the California Privacy Rights Act (CPRA). With the CCPA having just recently come into effect on January 1, 2020, a lot of the impacted companies and customers would not have expected California to quickly take more steps to significantly amplify the consumer protections placed in place by the CCPA. Except, Alastair MacTaggart a Calfornian real estate developer who leads the data privacy and rights advocacy group in California.
What is the CPRA?
Most people have heard of the California Consumer Privacy Act, but very few have heard of the California Privacy Rights Act. Alastair MacTaggart and his band of privacy advocates led the effort of the push for the CCPA and are now pushing for the CPRA. MacTaggart and others are looking to capitalize on the success of the CCPA and are now pressuring General Attorney Xavier Becerra to do more. In an interview with the National Law Review, MacTaggart explained what the CPRA will do:
“We’ve laid a historic foundation for consumer rights in California with the passage of the California Consumer Privacy Act, and now it’s time to seize that momentum and take the next step in enforcing and expanding the law to keep pace with an industry that is changing at a break-neck pace…that’s why we’ve introduced a new initiative that will further protect our most personal information, increase fines for violating kids’ privacy, create more transparency and most importantly, establish an enforcement arm that truly looks out for consumers.”
MacTaggart had originally agreed in a sort of verbal deal with the Attorney General back in 2018 that his data privacy advocacy and agenda would be severely lessened from the acceptance and passing of the California Consumer Privacy Act when it was being passed around in ballots. Now, MacTaggart told the LA Times, “I don’t think any substantial gains like this are made in the Legislature. I’m really happy about what I did [in 2018]. It got us a beachhead. But I like the idea of having a new high-water mark that can’t be undone.”
So how does the CPRA plan on improving upon the CCPA?
The CPRA plans to improve and expand the CCPA in five important ways.
- Establish a new enforcement arm called the California Privacy Protection Agency that would, in concert with appropriate authorities, have the mandate of enforcing privacy laws and imposing fines.
- Businesses would be required to disclose the role automated decision-making plays in certain areas, including performance at work, economic situation, health, personal preferences and others, as well as allowing certain opt-out rights with respect to the use of these automated decision-making processes.
- A new category of information called sensitive personal information would be created and would include information regarding sex life and sexual orientation, private communications, health status, geolocation, religion, race, finances, biometrics, and others. California consumers would receive enhanced rights regarding this sensitive information, including the ability to opt out of its use in marketing and advertising.
- Additional protections for the personal information of children would be created, including a fine of $7,500 for violations where the business, service, contractor or other person has actual knowledge that the affected consumer is under 16 years of age.
- Besides mandating further disclosure obligations, it would reinforce the requirement for businesses to follow their own disclosures. Somewhat similar to the EU’s GDPR, businesses would have to disclose their reasons for the types and amount of personal information collected, along with how long this information would be retained. Businesses that used personal information for purposes other than those disclosed, retained it for longer than stated, or collected more information than was needed to offer the relevant service or product would be in violation of the CPRA.