With the regulations for the California Consumer Privacy Act (CaCPA) still yet to be finalized, a new sweeping amendment is likely to be on the November ballot.
Mactaggart Returns
In 2017, San Francisco Bay area housing developer Alastair Mactaggart launched Californians for Consumer Privacy and qualified the CaCPA for the November 2018 ballot. As drafted, CaCPA had a provision that would only permit amendment if approved by 70 percent of each house of the legislature (and only if the amendments were ” consistent with and further the intent of” the CaCPA). Mactaggart forced Sacramento’s hand and the current California Consumer Act was passed and signed by Governor Brown in June 2018 just in time to permit Mactaggart to withdraw his initiative.
Now Mactaggart and the Californians for Consumer Privacy are back, with the “California Privacy Rights and Enforcement Act of 2020.” To qualify for the November ballot, the measure requires 623,212 signatures and last week supporters announced that they were submitting over 900,000 signatures which will be subject to verification prior to being placed on the ballot. It is unclear whether there will be another compromise comprising of further amendments to CaCPA before the measure is certified for the November ballot.
CaCPA 2.0
In brief, the California Privacy Rights and Enforcement Act of 2020 (or CaCPA 2.0) would amend the CaCPA as follows:
- Changes Applicability Threshold
Currently, CaCPA applies to businesses that buy, sell, or share the personal information of 50,000 or more consumers, households, or devices annually. CaCPA 2.0 would increase this threshold to 100,000 or more consumers or households (with devices not counting towards the threshold), but add a provision that applies the law to businesses earning more than 5 percent of their annual revenues from sharing consumer personal information (i.e., providing data for the purpose of targeted advertising based on consumers’ personal information obtained from their activity across multiple businesses or websites).
CaCPA 2.0 specifies that only businesses who control data collection, not their contractors and service providers, are subject to the law.
- Data Correction
Consumers could request businesses to correct inaccurate personal information maintained about them, generally within 45 days of receiving their request.
- Data Minimization
CaCPA 2.0 requires businesses to notify consumers of the length of time they intend to retain the various categories of personal information they collect.
- Expands Protection for Sensitive Personal Information
CaCPA 2.0 measure allows consumers to direct businesses to limit the use of their sensitive personal information only to (1) provide services or goods requested by the consumer and (2) fulfill core business purposes (such as providing customer service). Sensitive personal information includes social security numbers, drivers license numbers, passports, financial account information, precise geolocation, race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information, information about sex life or sexual orientation
- Consumers May Restrict Geotargetting
CaCPA 2..0 would allow consumers to prohibit businesses from tracking their precise geolocation for most purposes, including advertising, to a location within a radius of 1,850 feet.
- Creates a California Privacy Protection Agency
CaCPA 2.0 would create and provide $10 million in funding a new California Privacy Protection Agency that would be charged with (i) investigating and adjudicating potential violations, (ii) assessing penalties for violations, (iii) developing regulations, (iv) providing guidance to businesses and consumers, and (v) monitoring developments related to the protection of personal information.
- Restricts Amendments
According to Californians for Consumer Privacy, the ballot measure would “[m]ake it almost impossible to weaken privacy in California in the future, absent a new initiative allowing such weakening,” since it would restrict amendments to only those “in furtherance of the purpose and intent” of CaCPA 2.0.
Californians for Consumer Privacy provides a chart comparing CaCPA with CaCPA 2.0.
Cyber Report 
Pingback: ILC Joins Over 50 Privacy Professionals Opposing Flawed Prop 24 (Consumer Personal Information Law and Agency Initiative) | Cyber Report
Pingback: ILC Joins Over 50 Privacy Professionals Opposing Flawed Prop 24 (Consumer Personal Information Law and Agency Initiative) – Cyber Security