The California Consumer Privacy Act (CCPA) just took effect on Jan. 1, 2020, but a movement to amend and strengthen the act is already underway. The California Privacy Rights Act or CPRA seeks to expand CCPA’s current provisions. Led by the CCPA’s original author, Alastair Mactaggart, the ballot initiative would strengthen CCPA with new and expanded data rights for consumers as well as more stringent policies for businesses.
While CCPA has been deemed the country’s most comprehensive privacy law, some groups believe consumers need even more robust privacy rights to combat the use – and misuse – of personal data. CPRA takes CCPA a few steps further in terms of safeguarding consumer privacy. Following are some of the proposed act’s key provisions and updates:
- Establishes State Privacy Protection Agency: California would be required to establish a new Privacy Protection Agency, responsible for enforcing the law, issuing any new regulations, and imposing fines. The agency would be separate from the attorney general’s office, which currently enforces CCPA.
- Establishes New Categories of Sensitive Information: CPRA would offer new protections for sensitive personal information, and create the right to opt out of having such information used for marketing purposes. Sensitive information would include race, ethnicity, exact location, financial data, biometric data, health status, religion, union membership, and more. CCPA does not currently offer protection for sensitive information, but the European General Data Protection Regulation does.
- Automated Decision-Making Disclosure: Businesses that use algorithms to support automated decision-making would be required to disclose when and how those decisions would be used. Examples include housing and employment decisions.
- Expansion of Children’s Privacy Rights: CPRA would triple the maximum penalties for the improper collection and/or sale of data for children younger than 16.
- New Rules for Data Retention: Businesses would be required to disclose how much personal information they collect and how long they plan to keep it. Businesses would face penalties for keeping information for a longer period of time than previously disclosed.
If the ballot initiative passes, CPRA would take effect Jan. 1, 2021, and apply to personal data collected on or after Jan. 1, 2020.
Mactaggart and Californians for Consumer Privacy
Real estate developer Alastair Mactaggart is the founder and chair of Californians for Consumer Privacy, as well as the original architect of the initiative that became CCPA. According to the Californians for Consumer Privacy site, Mactaggart “believes that all Californians, and people worldwide, should have the fundamental right of data privacy and be able to control their own personal information.” He noted that companies continue to work to weaken CCPA while technology has evolved to make it easier and easier to exploit consumers’ data.
Operating under the slogan, “your life is not their business,” the organization is working to gather the 623,000 signatures required for the proposed act to qualify as a bill on the November 2020 ballot. Some California legislators have already shared their support for expanded privacy protections.
Additional Updates on the Horizon
In addition to the proposed CPRA, a recent bill by the Senate Health Committee would expand California Consumer Protection and Privacy Act exceptions related to personal data used for research and safety. While the existing act already includes some exceptions for medical and health information, the new bill is designed to go a step further.
Personal information that is collected and/or used in biomedical research or other healthcare research, and personal data used in accordance with United States Food and Drug Administration (FDA) regulations, would also be exempt, as would information that meets these conditions:
- If information is de-identified according to the HIPAA safe harbor method, as detailed in Title 45 of the Code of Federal Regulations, such that it can’t be connected with a specific consumer;
- If information follows the Federal Policy for the Protection of Human Subjects, a biomedical research ethics rule;
- If neither the entity nor a business associate of the entity tries to re-identify the personal information.
This bill would compel businesses to update all online privacy policies to note whether they disclose de-identified health information or not. Further updates and clarifications to CCPA are anticipated.
How to Prepare for 2021
Financial firms should be prepared to expand options for opt-out provisions, including notices of the right to opt out, as well as the ability to update incorrect information. Going forward, greater transparency around automated decision-making will likely be a hot topic, and organizations will need to clearly explain how they use it and how it may affect consumers. As always, information security should be a top priority for any business in any state or country.