10.16.2019


Updates

A new California privacy ballot initiative has been introduced by real estate developer and privacy rights advocate, Alastair Mactaggart. This new ballot initiative, titled The California Privacy Rights and Enforcement Act of 2020, would go into effect on January 1, 2021, and would make significant changes to the California Consumer Privacy Act (CCPA), including greater protection for “sensitive personal information” and disclosure of “profiling” activities. The original version was submitted on September 25, and since then, two revised versions have been submitted—on October 2 and October 9. The subsequent versions do not make significant changes to the initiative. Below are notable provisions of the initiative:

1. Greater Protection for “Sensitive Personal Information.” The initiative adds several definitions, perhaps the most significant of which is “sensitive personal information” (sensitive PI). Sensitive PI means and includes the following:

  • Social Security, driver’s license, state identification card or passport number
  • Account log‐in, financial account, debit card or credit card number in combination with any required security or access code, password or credentials allowing access to an account
  • Precise geolocation
  • Personal information (PI) revealing a consumer’s racial or ethnic origin, religion or union membership
  • The contents of a consumer’s private communications, unless the business is the intended recipient of the communication
  • Biometric information
  • Data concerning a consumer’s health
  • Data concerning a consumer’s sexual orientation
  • Other data collected and analyzed for the purpose of identifying the above-listed information [1798.140(ae)] (All references are to the Cal. Civ. Code as it would be revised by the initiative.)

The initiative provides greater business obligations and new consumer rights with respect to sensitive PI, including the following:

  • A business that controls the collection of PI would need to notify consumers as to the categories of sensitive PI to be collected, the specific purposes for which the categories of sensitive PI are collected or used, whether sensitive PI is sold, and the length of time the business intends to retain sensitive PI [1798.100(a)(2)].
  • Consumers have the right to opt out of a business’ use or disclosure of their sensitive PI for advertising and marketing [1798.120(c)].
  • A business that uses or discloses sensitive PI for advertising and marketing would need to provide notice to consumers of such use or disclosure and of the consumer’s right to opt out of such use or disclosure [1798.120(c)]. If a consumer opts out, the business is prohibited from using or disclosing the consumer’s sensitive PI for advertising or marketing, unless the consumer subsequently provides express authorization [1798.120(g)].
  • A business cannot sell sensitive PI of a consumer unless the consumer has affirmatively authorized the business to do so [1798.120(d)(2)]. If a business has not obtained the opt-in consent of a consumer, it is prohibited from selling sensitive PI unless the consumer subsequently provides express authorization for such use or disclosure [1798.120(f)]. A consumer who has opted in for sale of the consumer’s sensitive PI may opt out at any time [Id.].
  • In addition to providing a “Do Not Sell My Personal Information” link, a business that uses or discloses sensitive PI for advertising and marketing is required to put a link allowing consumers to opt out of such use or disclosure on its homepage [1798.135(a)(1)]. Alternatively, the business may utilize one link that would allow a consumer to opt out of the sale of PI and of the use or disclosure of sensitive PI for advertising and marketing [Id.].

2. Detailed Disclosures for “Profiling.” Another significant new term and concept is “profiling,” defined as “any form of automated processing of personal information . . . to evaluate or predict certain personal aspects relating to a consumer, and, in particular, to analyze or predict aspects concerning that consumer’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements” [1798.140(z)]. A business is required to disclose whether it is engaged in profiling and is “using [consumers’] personal information to determine eligibility for financial or lending services, housing, insurance, education, admission, employment, or health care services . . .” [1798.110(c)(6)]. It also would need to indicate whether such profiling had, or could reasonably have been expected to have, a “significant, adverse effect on consumers with respect to: (i) financial lending and loans; (ii) insurance; (iii) health care services; (iv) housing; (v) education admissions; or (vi) denial of employment,” and if so, provide “meaningful information about the logic involved in using consumers’ personal information for profiling” [1798.130(a)(5)(C)].

3. New Rules Regarding Third Parties, Service Providers and Contractors. The initiative defines a new type of entity, a “contractor,” and imposes specific contractual obligations with respect to contractors, service providers and third parties. Some key points include:

  • A “contractor” is a person to whom a business discloses a consumer’s PI for a business purpose pursuant to a written contract [1798.140(j)(1)].
  • Both contractors and service providers are contractually prohibited from:
    • Retaining, using or disclosing the PI for any purpose other than for the specific purpose of performing the services specified in the contract
    • Retaining, using or disclosing the PI outside of their direct relationship with the business
    • Combining the PI that they receive from or on behalf of the business with PI that they receive from other sources or that they collect on their own unless they need to combine the PI to perform a business purpose

     [1798.140(j)(1)(A), 1798.140(ag)(1)]

  • A contractor also is prohibited from selling the PI it receives from a business [1798.140(j)(1)(A)(i)] and is required to provide a certification that it will comply with all of the above prohibitions [1798.140(j)(1)(B)].
  • Service providers and contractors are not required to respond to deletion requests to the extent that they collected, used, processed or retained the consumer’s PI in their role as service providers or contractors [1798.105(c)(3)]. To the extent that they collected PI about a consumer in their role as service providers or contractors, they also are not required to comply with consumer requests to exercise their right to correct PI, right to know PI that is being collected, and right to know PI that is being sold [1798.130(a)(3)(A)].
  • They are required to assist businesses in complying with verifiable consumer requests, including deleting PI at the direction of the business, providing to the business the consumer’s PI that is in their possession, and correcting inaccurate information [1798.130(a)(3)(A)].
  • A business that collects a consumer’s PI and sells that PI to a third party or discloses it to a service provider or contractor for a business purpose, would need to have a contract with the third party, service provider, or contractor. This contract would need to, among other things, limit the sale or disclosure of the PI to specified purposes and obligate the entity to provide the level of privacy protection required by the initiative [1798.100(d)].

4. New Definitions and Rules around Advertising. The initiative introduces three new advertising related concepts:

  • “Advertising and marketing” is a communication by an entity acting on a business’s behalf in any medium intended to “induce a consumer to buy, rent, lease, join, use, subscribe to, apply for, provide, or exchange products, goods, property, information, services, or employment” [1798.140(a)]. The initiative provides consumers opt-out rights and imposes business obligations with respect to the use of sensitive PI for advertising and marketing. (See paragraph 1 above.) In addition, for purposes of advertising and marketing, a service provider or contractor may not combine PI of opted-out consumers that it receives from or on behalf of a business with PI it receives from or on behalf of another entity or that it collects on its own [1798.140(e)(5)].
  • “Cross-context behavioral advertising” is defined as “targeting of advertising to a consumer based on a profile of the consumer including predictions derived from the consumer’s personal information, where such profile is related to the consumer’s activity over time and across multiple businesses or across multiple, distinctly‐branded websites, application, or services” [1798.140(f)]. This type of advertising is excluded from being a “business purpose” [1798.140(e)(5)], meaning that when a consumer opts out of sale of PI, the PI can no longer be used to target the consumer with cross-context behavioral advertising even though other types of advertising and marketing are allowed [Annotation to 1798.140(f)].
  • “Non-personalized advertising,” defined as “advertising and marketing that is not based on a consumer’s past behavior,” is included as a “business purpose” if it is “shown as part of the consumer’s same interaction with the business” [1798.140(t)]. Non-personalized advertising is “not based on a profile or predictions based on a consumer’s past behavior” and is “always permitted as a business purpose” [Annotation to 1798.140(e)(4)].

5. New Right to Know a Business’s Use of Personal Information for Political Purposes. When a business uses a consumer’s PI for its own political purposes, consumers have the right to request the disclosure of the name of the candidate, the committee, or the title of the ballot measure for which the PI was used, and whether the information was used for or against the candidate, committee, or measure. The business also is required to disclose this information annually under the penalty of perjury [1798.110(a)(5), (c)(5)].

6. New Right to Correct Inaccurate Information. A consumer has the right to require a business to correct inaccurate PI [1798.105.5(a)]. A business that collects PI would need to disclose this right [1798.105.5(b)] and to use commercially reasonable efforts to correct inaccurate information upon a verifiable consumer request [1798.105.5(c)].

7. New Opt-In Requirement for Collection of Data Concerning Minors and Stiffer Fines for Violations. A business not only would need to obtain opt-in consent from minors over 13 and under 16 years old—or consent from the parent or guardian of minors under 13—before selling the minors’ PI (as currently required by the CCPA), but also would need to obtain such opt-in consent before collecting such information [1798.100(g)(1)]. If such opt-in consent is declined, then the business would be prohibited from collecting the minors’ PI and would need to wait at least 12 months before again requesting such consent [1798.100(g)(2)]. The administrative fine for violations involving minor consumers is the same as an intentional violation—$7,500 for each violation [1798.155(a)].

8. Revised Definition of “Business” (for Small Businesses). The CCPA was not intended to sweep in small mom-and-pop businesses unless they sold data. This latest revision addresses that issue by modifying the second definitional prong of a “business” as reflected in this chart [1798.140(d)(1)(B)]:

 

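|                             | CCPA                                              | Initiative              |
|-----------------------------|---------------------------------------------------|-------------------------|
| Entity’s triggering actions | Receives or shares for commercial purposes the PI | Buys or sells the PI    |
| Annual number               | 50,000                                            | 100,000                 |
| PI source                   | Consumers, households, or devices                 | Consumers or households |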

Note that the two other definitional hooks—$25M annual revenues and 50% or more of revenues from selling of PI—remain the same.

9. Creation of New Agency. The initiative establishes the California Privacy Protection Agency, and gives that agency, as opposed to the attorney general’s office, full power, authority and jurisdiction over CCPA implementation and enforcement. The initiative sets forth in detail the qualifications of agency members, the agency’s structure and functions, and the agency’s investigation and/or enforcement process, including the agency’s subpoena powers and other available remedies.

Representatives of companies that wish to submit comments to the attorney general regarding the latest version of the initiative may do so by the deadline of November 8, 2019.

Please contact the Perkins Coie attorneys with whom you work if you would like advice on how to address this development.

© 2019 Perkins Coie LLP


 
