September 02, 2020
Data Privacy & Cybersecurity Alert
Author(s): Jason P. Gonzalez
What to expect if the CPRA ballot initiative becomes law
This coming November 2020, California voters will be asked to decide whether the “California Privacy Rights Act” ballot initiative should become law. We discuss what businesses need to know to prepare if the CPRA passes.
In 2018, there was a dramatic change in California privacy law: the passage of the California Consumer Privacy Act (CCPA). The law, which took effect on January 1, 2020, brought about a wholesale change to many businesses’ privacy practices, including dramatically increased notice, disclosure, and consent obligations relating to how businesses handled personal data. Complicating matters further was the fact that the regulations interpreting the CCPA were not finalized until August 14, 2020, nearly eight months after the statute’s effective date. Many businesses, therefore, understandably struggled when implementing the statute’s novel provisions, as the legal landscape seemed to be shifting under their feet.
But now that the CCPA’s regulations are final, all that uncertainty is over. Right? Unfortunately, maybe not.
This coming November 2020, voters will be asked to decide whether the “California Privacy Rights Act (CPRA)” ballot initiative should become law. This ballot initiative effectively would amend the CCPA to impose additional privacy-related requirements on California businesses, and also make other substantive changes to the CCPA. While difficult to predict, it appears at this point that the initiative has a good chance of passing.
If the CPRA passes, what does this mean for businesses? Here are a few key points:
A compliance runway
Additional consumer substantive rights
Audits and risk assessments
The good news here is that businesses’ efforts to date to comply with the CCPA will serve them well in the future, should the CPRA become law. The same compliance infrastructure to track data flows, refine privacy practices and policies, establish business-to-business (B2B) security and privacy obligations through contracts, and promptly respond to consumer requests that work for the CCPA can be made to work with the CPRA. And overall, once all the dust settles, businesses’ knowledge and handling of their customers’ private data likely will be more nimble and sophisticated than it was before. Despite the short-term burdens this may entail, the long-term benefits may be worth it.
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.