As if the California Consumer Privacy Act or “CCPA” (one of the world’s most stringent pro-consumer privacy law that makes the EU’s GDPR look like child’s play) did not give businesses enough compliance & risk management headaches, Californians are now pushing for an even tougher version of the CCPA in a new ballot initiative called the “California Privacy Rights Act” or “CPRA”.

Every company that relies upon monetizing data as a business model must know this man’s name: Alastair Mactaggart, a real estate developer, who founded the “Californians for Consumer Privacy” NGO which sponsored the historic California Consumer Privacy Act to qualify for the state-wide ballot back in 2018

Recently on May 4, 2020, the NGO submitted more than 900,000 signatures to qualify the CPRA to be placed on California’s November 2020 voting ballot, regardless of the current virus pandemic.

According to research cited by Mactaggart, a whopping 88% of state residents would vote “Yes” to support a ballot measure calling for even tougher privacy protections for personal information. If this research is accurate, there is a very high chance that the CPRA would be approved by voters and that the California Legislature would be required to enact it into law as it did for the CCPA back in 2018. (Please see my review of the CCPA as it relates to strategic privacy management here.)

In a nutshell, the CCPA which became effective January 2020 is the first law in the USA to empower consumers with the right to find out what data are held by businesses about them. The CCPA allows consumers to request that their data be deleted and “opt out” of the sale of their information to third parties. Most importantly the CCPA expressly allows private lawsuits to be filed against violators.

Not to be outdone by the CCPA now in force, the proposed CPRA (known as “CCPA 2.0”) seeks to form a new regulatory agency called the “California Privacy Protection Agency” to enforce California’s privacy regime (instead of relying on the State Attorney General’s Office under the CCPA). The new initiative also increased the penalties for mishandling the data of children reflecting increasing concerns about the exploitation of minors’ digital rights. The CPRA also "creates new rights to “stop businesses using our sensitive personal information, including about our health or finances, and especially our exact location” without prior consent.

Most foreign businesses may wonder why they should care about the CCPA or the upcoming CPRA and think these are just meaningless letters in an alphabet soup. But California is the biggest economy within the USA and ranks #5 in the global economy ahead of India and behind Germany.

Expect more privacy developments in California and the knock-on effects on the legislative affairs of other state and federal privacy regimes. The future of technology will become increasingly affected by privacy law as society grapples with the pervasive changes caused by emerging data-driven business models.

Stay Tuned!