The only constant in California privacy law continues to be change, and the month of June was bookended by two major developments in this area. The final draft of the regulations implementing the California Consumer Privacy Act (CCPA) was released on June 1, 2020, and a ballot initiative that would significantly amend the CCPA if approved by Californians this November was certified on June 25, 2020.

The timing of these events only adds to the complexity surrounding businesses' privacy obligations under California law. California Attorney General Xavier Becerra cannot enforce the CCPA regulations until October, 2020, but he can enforce the plain language of the CCPA as of the beginning of July, 2020. The ballot initiative, officially known as the California Privacy Rights Act (CPRA), would impose yet another set of obligations on businesses operating in or providing goods and services to residents of California and would become effective January 1, 2023, if it receives a majority of votes this fall.

Final CCPA Regulations

The final draft of the proposed CCPA regulations does not differ significantly from the previous version released March 11, 2020. Key provisions of the regulations that are not explicitly part of the law itself include:

  • Requirements to offer multiple different privacy notices, including a "notice at collection" to be provided at or before the moment personal information is collected and the scope of which overlaps with the general privacy policy;
  • A requirement to honor Do Not Track settings in consumers' browsers as global opt-outs from the sale of personal information;
  • A reporting requirement for businesses that collect or sell the personal information of more than 10 million Californians in a calendar year to compile and publicly display statistics regarding the number of consumer requests for access, deletion, sales, disclosures, opt-ins, and opt-outs, that they have received and responded to under the law, as well as the average number of days it took the business to respond to such requests.
  • The most important development regarding the regulations, however, is procedural. Because Attorney General Becerra's office did not release the regulations in time for them to become effective July 1, 2020, as expected, they will not be enforceable until October 1, 2020. Until then, the Attorney General can still bring enforcement actions against businesses that violate the plain text of the CCPA, but businesses have three more months to comply with the specific obligations contained in the regulations.

CPRA on the Horizon

The CPRA, meanwhile, has officially qualified to be on the California ballot this November. Perhaps the CPRA's most significant effect would be to create an entirely new "California Privacy Protection Agency" tasked with enforcing the CCPA through administrative actions, issuing privacy regulations, auditing businesses' compliance with the CCPA, providing companies with compliance guidance, and advising the California legislature on future privacy-related legislation.

Beyond the creation of the California Privacy Protection Agency, the CPRA would make a number of substantive changes to the CCPA, such as:

  • Adding a new category of "sensitive personal information" that is subject to a consumer's ability to impose use limitations in certain circumstances;
  • Extending the opt-out right to any activity in disclosing personal information to a third party for the purpose of cross-contextual behavioral advertising;
  • Granting consumers a "right to correct" inaccurate personal information about them;
  • Adding new, affirmative obligations on businesses to include certain provisions in their agreements with service providers, contractors, and third parties; and
  • Mandating that regulations be issued that impose requirements related to data minimization and regular privacy assessments for high-risk processing activities.

The timing for implementation of these changes is complicated. Although most of the CPRA's provisions would not become operative until January 1, 2023, if approved, the initiative would create the California Privacy Protection Agency immediately, and would also make permanent the CCPA's limited exemptions for B2B and employee information, which currently will sunset at the end of 2020.

The final reason to keep a close eye on the CPRA is that the California constitution gives ballot initiatives special legal status. In general, the California legislature can only amend or repeal initiatives with the approval of the voters—though the CPRA would also permit the legislature to amend it unilaterally as long as the changes are "consistent with and further [its] purpose and intent." In other words, if the people of California approve the CPRA, the legislature will have a difficult time weakening it through amendment.