The CPRA is expected to make an impact on federal law, but "the delta between complying with the CCPA along with the AG's regulations and the CPRA by January 1, 2023, is not that great," said Dominique Shelton Leipzig, co-chair of Perkins Coie's Ad Tech Privacy & Data Management Practice, in an email. If companies begin their compliance measures now, the deadline is "doable."
- This election, California voters are deciding on the state's Proposition 24, the California Privacy Rights Act (CPRA), determining if the California Consumer Privacy Act (CCPA) needs supplementary functions.
- The ballot initiative would establish the California Privacy Protection Agency. The agency would serve as the law's watchdog alongside the state's Justice Department for privacy enforcement.
- Dubbed "CCPA 2.0," the CPRA is considered a stricter addendum to the state law. A vote "yes" for the ballot initiative confirms voters' wish to expand "existing consumer data privacy laws and rights," according to the ballot.
CCPA enforcement went into effect July 1, but California Attorney General Xavier Becerra submitted proposed rules just one month prior to the enforcement date. While the rules were meant to soothe businesses and provide privacy expectations, they left too many ambiguities. The CPRA adds a level of complexity.
Real estate developer Alistair Mactaggart proposed the CCPRA, just as he did the ballot initiative that led to the CCPA. The new law is "forward-thinking," with enforcement holding off until 2023, Mactaggart said while speaking on a webinar hosted by Perkins Coie in June.
"There are a number of concepts that need to be brought into the national discourse," said Mactaggart. If voters approve CPRA, the law becomes a part of that discourse.
In the last year, 20 states introduced draft privacy bills, something businesses across industries sought to deter. Depending on a company's service, patchwork laws could complicate which state law applies to the sale.
But a federal law passing is not currently on the horizon. The difference between Democrats and Republicans in Congress is "significant and most likely irreconcilable," said Dan Clarke, president at IntraEdge.
"The main points of argument between the Democratic and Republican bills are not the data protection substance but rather the 'meta' points of preemption, the private right of action and who enforces the legislation," said Clarke.
When Mactaggart started his privacy initiative, he thought of personal data as a "red herring," as definitions varied too greatly. Eventually the argument evolved. "While the CCPA gives you the right to stop the sale of information, we should maybe be able to stop the use of information of this specialized category," said Mactaggart. The bill's proponents adopted what the EU defines as personal information.
The overlap of international and national laws "are not helping" in protecting data from breaches, said Chris Kennedy, CISO and VP of customer success at AttackIQ. "Managing cybersecurity should not be as complicated as adhering to the IRS tax code."
Enforcement, and establishing an agency, is one of the main motivating factors of the CPRA. When changes were made to the CCPA in 2019, the bill was weakened, according to Mactaggart. The new legislation and the agency that would come of it, are meant to ensure that can't happen again.
Mactaggart argues California's state Justice Department's privacy oversight at the will of its budget and capability.
The CPRA proposes, if companies don't need certain details about consumers to run their business or provide services, then they don't need to collect the information at all. Voters are likely to agree; "the simplicity of the language makes it an easy 'yes' to protect your privacy from businesses profiting from it," said Clarke.
Because of the general support for data privacy among consumers, challenging the behaviors of companies, the tech industry hasn't said much on the latest initiative. The CCPA's ballot initiatives faced opposition funds from companies including Facebook and Google, in hopes of slowing it down while waiting for a federal law.
The CPRA's opponents say the measure is "premature and ill-timed overhaul of California’s privacy law," according to a statement from opposing organizations, including the Association of National Advertisers and the American Association of Advertising Agencies. The organizations previously asked the California AG for an extension on the CCPA's enforcement given the economic stress of the pandemic.
The opposing organizations want to see the effects of the CCPA before another amendment is made to it, while adding more costs onto businesses that are still trying to comply with the CCPA's requirements.