“CCPA 2.0” Could Significantly Expand the CCPA

Regulation ¦ June 21st, 2020, 10:00 pm

Last fall, Californians for Consumer Privacy, the nonprofit behind the 2018 ballot initiative for the CCPA announced a new ballot measure and subsequent amendments to significantly expand the CCPA.

The minimum amount of 900,000 signatures were gathered by May this year, so that the California Privacy Rights Act of 2020 (CPRA) will make its way to the November 2020 California ballot. As businesses, privacy advocates, and consumers push for various forms of a federal regulation to set a national standard for digital privacy, it’s crucial to monitor California, which has become the major privacy battleground after passing CCPA. The new initiative could radically alter the privacy landscape currently established in California and beyond. 

The CPRA proposes significant amendments to the CCPA, expanding the breadth of notice, access, and deletion rights that are currently set, as well as adding new privacy rights for consumers, and an administrative enforcement regime. The newly formed privacy agency, California Privacy Protection Agency, would have the sole responsibility to provide guidance and regulations on various issues. There has also been a concerted effort to provide organizations with guidance on how to comply with the CPRA prior to the operative date of the new law, which many felt was lacking with the CCPA. As written, the Act only permits amendments that are “consistent with and further the purpose and intent of this Act as set forth in Section 3,” a feature that will likely be met with resistance as it would protect against dilution of the law.

One of the most notable extensions that the CPRA offers over the CCPA is the right to opt-out of sharing of personal information in addition to the sale of it. “Sharing” is defined as the transferral of information to a third-party for cross-context behavioral advertising—the exchange of money is entirely irrelevant. This would solve the uncertainty about the meaning of the word “sale” that the CCPA (AB-375) has created. The ad tech industry is currently still in the dark about whether or not they should allow consumers to opt-out of their data-sharing practices, and the tech-giants Facebook and Google are using this ambiguity to claim that they do not consider themselves data-sellers. The CPRA’s right to opt-out of the “sharing” of personal information would put this question to bed once and for all and severely impact the current business models of “walled garden” companies such as Facebook.

During the push for the CCPA, Californians for Consumer Privacy, obtained twice as many signatures that were needed to put the matter to a referendum― forcing legislators, tech companies, and privacy advocates to act. With the CRPA ballot initiative they have done it again. In an open letter announcing the new initiative, which cites Facebook’s involvement with Cambridge Analytica and the security breach at Equifax, the nonprofit states that the CCPA “now seems insufficient”. Below we summarize the most important provisions the CPRA brings to the table and compare them to the current CCPA.

Here’s a quick summary of the CPRA’s most important provisions:

You can see the full table here.

Now, it’s more important than ever for companies to use compliance solutions that can evolve with the changing privacy landscape. Datawallet’s mission is to enable every organization to become compliant with the CCPA, GDPR and other privacy regulations in the easiest way possible and to empower their consumers to be in charge of their data. Datawallet Consumer First Compliance is an easy-to-install, comprehensive, and flexible platform to manage a businesses’ every data privacy  compliance needs.

Try our Datawallet CCPA Essentials for free today (no credit card required). 

Or contact us via to inquire about our Consent Management Platform (CMP) and custom solutions.

Get the Data Digest in your inbox