CCPA may have been just the beginning of California’s privacy framework. On September 25, 2019, Californians for Consumer Privacy, the group behind the California ballot initiative that resulted in California Consumer Privacy Act (CCPA), filed a new initiative intended for California’s November 2020 general election ballot, which they have labeled as the “California Privacy Rights and Enforcement Act” or CPREA.  This time the group is expanding its efforts to implement additional privacy and data protection standards for California citizens, including minors, to create a formal governmental privacy enforcement agency, and to address the use of personal information in political campaigns.
Organizations working on CCPA compliance now need to be aware of the potential effects of CPREA. This article describes the proposed ballot initiative and its potential impacts on businesses that do business with California citizens.
The California Ballot Initiative Process
To understand how CPREA is likely to become law in California, and CCPA became law, it is helpful to understand the availability of the ballot initiative (ballot measure) process. The ballot initiative is one of three forms of direct democracy afforded under the California Constitution. Any California citizen can propose a ballot initiative to change the state constitution or to create or change a statute. After a proposed draft initiative is submitted, it undergoes a process of formalization by the Attorney General, a budget analysis, a period for public comment, and non-partisan legislative analysis including fiscal impact. Once formalized, proponents of a ballot initiative have 180 days to obtain the requisite number of signatures: 8% of registered voters for constitutional amendments and 5% of registered voters to change or create a statute. Proponents who cross the applicable 5% or 8% threshold for signatures must submit them for a formal county-by-county verification process. After being verified, initiatives can be placed on a statewide election ballot that is at least 131 days out for a binary “Yes” or “No” vote by the electorate. If the majority of votes counted are “Yes”, then the initiative is entered into the California constitution or the designated state code, as applicable, with the same legal effect as if it had gone through the full standard legislative and executive process for a bill or constitutional amendment.
The Birth of CCPA
CCPA started as Assembly Bill 375 in the 2016-2017 session of the California legislature. It passed the Assembly (lower house) in May of 2017 by a unanimous vote of 77-0, but it was prevented from reaching the Senate Floor after a strong lobbying effort by several large corporations. Frustrated with the inability of the legislature to pass a bill that had bipartisan support, the Californians for Consumer Privacy, the sponsors of the original bill, turned to the ballot initiative. The initiative obtained nearly double the requisite number of verified signatures shortly before the minimum 131 days prior to the November 2018 general election. Most importantly, the initiative included a private right of action for California citizens to sue businesses that violated their privacy rights under the proposed law, which was seen as enormously troubling for the business community. Polling showed that the initiative was likely to pass with overwhelming support.
Acting in due haste before the printing deadline for the November 2018 ballot, the California legislature and governor made an offer to the Californians for Consumer Privacy: the legislature would agree to immediately pass and the governor sign the initiative, and the legislature would then work with the proponents to strengthen the intent and clean up ambiguous language. As part of the agreement, Californians for Consumer Privacy accepted that the new CCPA would not include the private right of action. With the agreement in place, AB 375 was revived on June 21, 2018 and just one week later, it passed both the Assembly and Senate and was signed by the governor.
While the proponents agreed to accept the carrot of quick passage of CCPA, they carried the unstated stick: if the legislature messed with the law too much after passage and before coming into effect, the proponents would simply go back directly to voters with a cleaner and better-written initiative, which would include the private right of action. This is why the big tech companies were unable to get legislators to massively water down CCPA during the amendment process that ended in September 2019.
According to the Californians for Consumer Privacy, two things have occurred since they made the agreement to withdraw the 2018 ballot initiative and allow subsequent amendments to CCPA: “First, some of the world’s largest companies have actively and explicitly prioritized weakening the CCPA. Second, technological tools have evolved in ways that exploit a consumer’s data with potentially dangerous consequences.” 
To the first point, the proponents clearly were concerned about the impact of lobbying by business interests to weaken CCPA during the 2018-2019 amendment process. The implicit lesson for consumer privacy advocates from the first round of CCPA is that the legislature is incapable of passing substantive privacy legislation that goes against the interests of large corporate donors without the Sword of Damocles hanging over their heads.
The second point stems from the facts uncovered during the investigation into the Russian attempts to interfere with the 2016 Presidential election. The misuse of personal information for social media-based influence campaigns, exemplified by the Facebook-Cambridge Analytica revelations, raised significant new privacy concerns that the Californians for Consumer Privacy seek to address.
The Top 10 Proposals in CPREA
The CPREA is structured in three parts, starting with statements of Findings and Declarations, followed by statements of Intent and Purpose. The main section is drafted in the form of a redline of proposed edits to the current CCPA. The proposed edits to CCPA are numerous, sometimes overly complex, and often challenging to follow as provisions are broken out into multiple sections. Below is a summary of the top 10 proposals contained in the CPREA.
A new statewide agency would relieve the Attorney General’s office of its current primary enforcement responsibilities for the CCPA. Acting under the Administrative Procedure Act, the new California Privacy Protection Agency would have the authority to issue cease and desist orders, and administrative fines of up to $2,500 for each violation and $7,500 for each intentional violation. It could subpoena witnesses, compel attendance and testimony, administer oaths and take evidence. It could also bring civil actions and obtain judgments. A Chief Privacy Auditor would be appointed with the power to conduct audits and ensure compliance. There would also be a self-certification program for businesses monitored by the agency.
In addition to its enforcement powers, the agency would promote awareness of privacy rights, provide guidance to consumers regarding their rights, provide guidance to businesses, provide technical assistance to the legislature on privacy-related legislation, etc.
The CPREA will create a Consumer Privacy Fund to support the activities of the California Privacy Protection Agency. The Consumer Privacy Fund would start with a $5 million appropriation from the General Fund in the form of a loan, and would then receive all administrative enforcement fines to pay back that loan and make the Agency self-supporting.
After all obligations to the General Fund have been satisfied, including offsetting costs incurred by the Attorney General for its work in privacy enforcement and for a sufficient budget to run the Agency, 91% of the enforcement revenues would be invested by the Treasurer (presumably for later use by the Agency and the AG in privacy enforcement), with interest going to the General Fund. The remaining 9% would be divided equally (3%) for grants to be awarded by the Agency to: 1) non-profits promoting consumer privacy; 2) non-profits educating children on online privacy, and 3) state and local law enforcement for cooperative programs with international law enforcement to combat fraudulent activities relating to consumer data breaches.
The new category of Sensitive Personal Information (“SPI”) is created, and defined as:
[a] consumer’s social security, driver’s license, state identification card, or passport number; a consumer’s account log‐in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; a consumer’s precise geolocation; personal information revealing a consumer’s racial or ethnic origin, religion, or union membership; the contents of a consumer’s private communications, unless the business is the intended recipient of the communication; a consumer’s biometric information; data concerning a consumer’s health; data concerning a consumer's sexual orientation; or other data collected and analyzed for the purpose of identifying such information.
Restrictions and controls are established around the use and retention of SPI, and requirements are included for disclosures to be made to consumers on what SPI a company has, how it is used, how long it is being retained for, and whether it is sold. Additionally, the CPREA says that both PI and SPI should not be retained for longer than reasonably necessary for the specific disclosed purpose limit on how long they retain SPI.
Two other important additions regarding SPI are: 1) Consumers have the right to opt-out of the use of SPI for advertising or marketing, and 2) SPI cannot be sold absent the affirmative opt-in consent of the consumer.
CPREA adds in the important data protection principle of data minimization, under which companies must restrict their use of any collected PI and SPI to the minimum necessary for carrying out the limited purpose for which it was originally collected. This principle is similarly reflected in HIPAA under the Minimum Necessary Standard (45 CFR § 164.502(d)).
Moreover, and any sale or disclosure of PI or SPI (if opt-in consent is obtained) must be for the same limited original purpose, and the data protection requirements passed down with the data to the recipient. That is both the rights, responsibilities and (arguably) liabilities will flow with the data.
In what might become a Federal preemption issue, CPREA ratchets up the protections provided to children under the Children’s Online Privacy Protection Act of 1998 (“COPPA”) and associated FTC COPPA Rule.  COPPA provides requirements for obtaining the consent of a parent of any child under the age of 13 when an online service is directed to children or where the service operators have actual knowledge that they are collecting information from a child under the age of 13.
CPREA expands the protections afforded to some children and their parents. For children between the ages of 13 and 15, businesses are required to obtain the opt-in consent of that child or their parent to collect and use their personal data. For children under the age of 13, CPREA reiterates the COPPA standard, requiring the affirmative opt-in consent of a parent or guardian. In the event a child or their parent or guardian declines an opt-in request, CPREA imposes a 12 month waiting period before a business can ask again for consent. When combined with the CCPA anti-discrimination provisions, this would suggest that companies will still have to provide the services to the child, but without harvesting their PI.
Under CPREA, any required opt-in request that has been declined by a consumer must be honored for a full 12 months before a new request for opt-in can be made. This will apply not only for requests to minors or their parents and guardians as addressed above, but also to the sale of SPI and PI and financial incentive programs for the collection, sale, and disposition of PI.
Businesses will now have an affirmative obligation to make reasonable efforts to not collect, retain, or share inaccurate information, and with that the corollary duties to correct a consumer’s PI upon a consumer’s verifiable request.
While the CCPA focuses on data breach notification, the CRPEA imposes an affirmative duty on businesses that collect consumer PI to “implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access.”
A new provision is added requiring that a business discloses to a consumer if the business uses the consumer’s PI for “political purposes” that advance the interests of the business, including whether that PI was used to support or oppose a candidate, committee, or measure. A note states that the provision is limited to a business’ use of that PI for its own purpose (or interest), and would not apply to businesses that sell voter information.
Under the CPREA, a business would additionally be required to disclose to a consumer if it is “profiling” a consumer by using that consumer’s PI to make decisions that “had, or could have reasonably been expected to have, a significant, adverse effect on consumers with respect to: (i) financial lending and loans; (ii) insurance; (iii) health care services; (iv) housing; (v) education admissions; or (vi) denial of employment.” The disclosure would include “meaningful information about the logic involved in using consumers’ personal information for this purpose.” The CPREA includes a requirement that new regulations would further define “profiling” to reflect the intent that it includes automated decision-making, but would also prohibit the “deliberate insertion of, or reliance on, a minor step involving a natural person, as a reason for not identifying the process as automated.”
Consumer advocates who thought CCPA was a nice start but didn’t go far enough will find much to like about CPREA. On the opposite side of the spectrum, businesses that already feel burdened by CCPA will find CPREA to be even more demanding. For them, the only upshot may be that CPREA does not attempt to reintroduce the feared consumer private right of action. And for those who found CCPA to be well-intentioned but poorly drafted, CPREA will present an entirely new set of frustrations.
 15 U.S.C. §§ 6501-6508; 16 C.F.R. §312