UPDATE: California passed ballot measure Proposition 24, the California Privacy Rights Act, Nov. 3.
Californians will decide tomorrow whether to enact new regulatory rules in a ballot initiative dubbed the California Privacy Rights Act (CPRA).
The CPRA, viewed by supporters as a patch for loopholes in the California Consumer Privacy Act (CCPA), would create several new wrinkles for security and privacy personnel to iron out, said Bret Cohen, partner in the privacy and cybersecurity practice at Hogan Lovells.
The CPRA, which would take effect in 2023, expands the coverage of the CCPA to include companies that make money sharing private data rather than just those selling it. It explicitly expands regulations to cross-context advertisements. It creates rights for consumers to correct information, opt out of automated decision making, and limit the disclosure of "sensitive" data – a new classification of data. The law also creates a California Privacy Protection Agency to oversee privacy regulation.
"The amount that it will force CISOs to change practices depends on how many of the new rights they intersect with. If you don't do many of these things, you won't likely have to change as much," Cohen said.
Also, an interesting quirk in CPRA will, if the measure passes, make it more difficult to address problems with the law, should any arise. CPRA explicitly limits the ability of elected officials to narrow the provisions.
"If down the line there's a problem, that's ultimately bad for businesses. And maybe even bad for democracy," Cohen said.
The provision reflects a belief in some privacy communities that the state would otherwise likely defang the bill to appease corporate interests.
With the expanded scope of CPRA, experts warn that businesses that had not previously needed to comply with other regulatory regimes like CCPA or the General Data Protection Regulation in the European Union may need to make significant changes.
"Many small to midsize organizations that do not already have a robust GDPR compliance regimen in place (and may not have needed one) may need to make more substantial changes to be compliant," said Jeremy Turner, head of threat intelligence at Coalition, an insurance company that offers GDPR and CCPA policies.
Nonetheless, for the benefit of consumers, Turner said he hoped the bill would pass. But he acknowledged the need for the new agency to offer guidance to businesses on how to avoid fines and, more importantly, how to avoid breaches.
"While strong measures to mandate data protection standards and protect consumer privacy are welcome initiatives, this proposition may be advancing punitive measures and financial liability in lieu of much needed guidance and industry collaboration," he said.
CPRA is not just the latest privacy standard to be introduced in California, but the latest state privacy standard in a country quickly dividing into a patchwork of 50 separate state privacy policies. States from New York to Hawaii to North Dakota already offer bespoke state laws.
Business groups have argued that consumers and businesses would be better served with one overriding federal privacy standard. States, however, have expressed some concern that a federal law may force them to remove protections they have already put in place.
"Every business, regardless of the state they are located in, deserves clear, national guidelines on how to manage data to best serve the needs of their customers," argued Tom Quaadman, executive vice president of the U.S. Chamber of Commerce. "Congress must pass national data privacy legislation that protects all Americans equally and eliminates a confusing patchwork of state laws."