The California Consumer Privacy Act hasn’t even gone into effect yet, nor has the state’s governor, Gavin Newsom, signed off on amendments expected to further shape the legislation, but that isn’t stopping privacy advocates in the state for backing additional legislation designed to bolster data privacy in the state.
A new ballot initiative filed last week, the California Privacy Rights and Enforcement Act of 2020, would tamp down data privacy in the state even further than the CCPA.
The proposal, linked here (.PDF) with annotations, would go into effect Jan. 1, 2021 and change rights around the use of "sensitive" personal data – like a person’s race, health, Social Security number and locations received via GPS technology - improve protections for minors, and make it so future changes to the CCPA would be easier to pass.
Specifically, the CPEA would increase penalties for companies who violate children’s privacy by tripling the amount companies are currently fined for collecting or selling the personal information of minors under 16 years of age without their consent.
The act would also require companies to disclose more detail around profiling algorithms that pertain to personal information relative to employment, housing and credit, and whether and how they use personal information to influence elections.
The initiative would also form a new entity, the California Privacy Protection Agency, to carry out CCPA enforcements and provide guidance to the industry and consumers. Currently, the Attorney General’s office is scheduled to handle that role, starting no later than July 1, 2020. Xavier Becerra, the state’s AG, began hiring lawyers to implement and enforce the CCPA in August but did say earlier this year he was concerned his office may not have enough staff to carry out enforcement. The new agency would be comprised of five staff members, including members appointed by appointed by the Governor, the Attorney General, Senate President and Speaker of the Assembly.
While the act may sound a bit redundant, especially with CCPA so imminently on the horizon, there is some credence to the proposal. The group behind the proposal, Californians for Consumers Privacy, led by real estate developer Alastair Mactaggart, is the same group that helped the CCPA gain steam in the state two years ago.
“I am convinced that without regulation, this encroachment into people’s lives will distort the balance of power in society,” Mactaggart wrote last week, “In a very fundamental way, democracy depends on privacy. We are engaged in a new experiment now, where a handful of giant corporations know almost everything about us, chronicling everything we’ve searched for, following every one of our digital footprints, and analyzing that to control what we see every day. These are perhaps the most powerful tools for influence in human history… shouldn’t consumers have a choice about how their own data is used?”
Mactaggart famously got interested in data privacy several years ago after having a discussion with a Google engineer.
"These giant corporations know absolutely everything about you, and you have no rights," Mactaggart told NPR, "I thought, oh, I'd like to find out about what these companies know about me. Then I thought, well, someone should do something about that."
Next on the docket for the act is a 30 day review and public comment period. Following that, proponents of the initiative can amend the proposal and collect the required signatures to get it on the November 2020 ballot.
While the CPEA is nowhere close to being enacted – it’s still only a ballot initiative – it could add fuel to the fire around CCPA compliance. The act – and uncertainty around the final iteration of the CCPA - are a good reason for companies to stay aware of changing laws and let it inform how they build their compliance programs.
Speaking of the CCPA, it isn't set in stone yet but it's close. The legislation's final amendments made their way to the governor's desk last month where Newsom has until Oct. 13, 2019, to sign or veto the legislation. Following this, the Attorney General will release regulations around the data privacy regulation.
