The California Consumer Privacy Act (CCPA), which took effect at the beginning of this year, protects the privacy of consumers of The Golden State by giving them greater control over businesses’ use of their personal information.
Specifically, the CCPA grants California consumers the rights to:
- Know what personal information businesses are collecting about them, whether the businesses are disclosing that information to third parties, and the businesses’ purposes for collecting and using the information, among other details about the business’ processing activities.
- Opt-out of the sale of their personal information.
- Request the businesses to delete their personal information.
- Not be subject to discrimination by businesses for exercising their privacy rights.
Despite a set of amendments to the CCPA passed in 2019 and the California Attorney General’s Final Regulations, the coalition at Californians for Consumer Privacy placed the California Privacy Rights and Enforcement Act of 2020 (CPRA), commonly referred to as CCPA 2.0, on the November 2020 ballot to give Californians the opportunity to vote on updated privacy law.
In general, CCPA 2.0 amends the CCPA by expanding consumer rights, heightening privacy protections, and establishing an enforcement agency to protect consumers through vigorous enforcement of the law.
CCPA 2.0: Key Differences with the CCPA
CCPA 2.0 sets forth key differences with the current CCPA.
In particular, CCPA 2.0 would:
- Allow consumers to prevent businesses from sharing their personal information.
- Enable consumers to correct inaccurate personal information.
- Create a new category of sensitive personal information, such as race, ethnicity, religion, genetic information, sexual orientation, precise geolocation, and financial information, and give consumers the right to restrict businesses’ use of that information.
- Triple penalties for violating the rights of minors.
- Require businesses to be transparent about their use of automated decision-making and profiling.
- Prohibit businesses from retaining personal information for longer than is reasonably necessary.
- Establish the California Privacy Protection Agency to enforce the law and protect consumers’ privacy rights.
CCPA 2.0: Consumer Rights
CCPA 2.0 grants consumers the following rights:
- The right to delete their personal information
- The right to correct inaccurate personal information
- The right to know what personal information the business is collecting about them
- The right to access their personal information
- The right to know if the business is using their personal information
- The right to know what personal information the business is selling and to whom
- The right to opt-out of the sale or sharing of their personal information
- The right to limit the business’s use of their sensitive personal information
- The right to not be subject to retaliation for exercising their rights
CCPA 2.0: Businesses’ Responsibilities
CCPA 2.0 would place additional obligations on businesses, including setting forth responsibilities that essentially amount to privacy principles, such as transparency, purpose and storage limitations, and data security.
In particular, the law would:
- Impose general duties on businesses that collect consumers’ personal information. This includes informing consumers of the collection of their sensitive personal information. The collection, use, retention, and sharing of this personal information must be “reasonably necessary and proportionate” to the purposes of processing and obligating businesses to implement reasonable security measures to protect the confidentiality, integrity, and availability of personal information.
- Mandate rules for the notice, disclosure, correction, and deletion requirements.
- Specify the methods for limiting the sale, sharing, and use of consumers’ personal and sensitive personal information, such as the provision of a clear and conspicuous link called Limit the Use of My Sensitive Personal Information.
CCPA 2.0: Implementation & Enforcement
The CCPA 2.0 calls for vigorous protection of consumers’ privacy rights.
To that end, it would create the California Privacy Protection Agency to implement and enforce the law. Comprised of appointed experts in privacy, technology, and consumer rights, the agency would provide guidance to businesses and consumers on their responsibilities and rights, respectively.
The agency would also have the authority to investigate alleged violations of the law, bring civil actions against violators, issues injunctions, and levy administrative fines.
In addition, recognizing that CCPA 2.0 must keep pace with changes, the law would require future amendments further the law and privacy protections. Finally, CCPA 2.0 updates the CCPA’s definitions, such as the newly defined “profiling” and “sensitive personal information,” and revises exemptions.
CCPA 2.0: Timeline and Next Steps
The California Attorney General has issued a notice on the proposed CCPA 2.0.
Currently, CCPA 2.0 is on the November 2020 ballot. Californians will have the opportunity to vote this ballot initiative into law, thereby expanding the CCPA’s consumer safeguards and rights. Notably, on the California November 2020 ballot, the CCPA 2.0 is also called Proposition 24.
- OneTrust DataGuidance Blog: The Definitive Guide to California Privacy Laws
- OneTrust Whitepaper: Your Guide to California Privacy Law Compliance (CCPA & CPRA)
- OneTrust Infographic: CDPA vs CCPA: Comparing US Privacy Laws