ATP Closely Monitors California Privacy Rights Act



CPRA could serve as model for other U.S. states to follow


The Association of Test Publishers is closely monitoring an initiative on the November 3 ballot in the state of California related to the California Privacy Rights Act (CPRA), also known as Proposition 24.   If approved,  the CPRA would amend the existing California Consumer Privacy Act (CCPA) which just went into effect in January and became enforceable in August.

“This Act, if approved, would also potentially serve as a model for other states in the U.S. to follow European privacy laws, especially the General Data Protection Regulation,” noted ATP General Counsel Alan Thiemann.

Some critics of the law are fearful that many California voters will not truly read or understand the ramifications of Prop 24, which is likely to increase costs for services that rely on data and also lead to the need for consumers to replicate their information for multiple vendors. Thiemann agreed that the 52-page initiative on the Nov. 3 ballot is so complicated that he fears few people will read it and he went to note that,  “This ballot is a big deal in terms of any potential federal privacy legislation.  If (Prop 24) passes, it will make it even more difficult for Congress to adopt a law that preempts individual state laws.”

ATP’s International Privacy Subcommittee Co-Chair, Gary Behrens, of Fifth Theory, predicts that the CPRA will be approved, “It seems likely to me that Prop. 24 will pass.  Many people want more privacy and protection of their personal information. I think Californians are likely to embrace this perceived opportunity to send a strong message to business and legislators.  Later on, they may find that their service options are severely constrained, cost more, or entail much duplication of effort to obtain services from a network of vendors and their partners/processors.”

Some key provisions of the CPRA include:

Establishment of the California Privacy Protection Agency (“CPPA”):  The CPRA would establish the first agency of its kind in the United States, which will have full administrative power, authority and jurisdiction to implement and enforce the CCPA, instead of the California Attorney General.

“Sensitive Personal Information” vs. “Personal Information”:  The CPRA creates a new subcategory of personal information for “sensitive personal information” and provides consumers with additional rights to limit the use and disclosure of this type of personal information. The definition is broad and it includes government-issued identifiers (i.e. SSN, Driver’s License, Passport), account credentials, financial information, precise geolocation coordinates, race or ethnic origin data, religious beliefs, contents of certain types of messages (i.e. mail, e-mail, text), genetic data, biometric information, plus other personal details.

Additional Consumer Rights:  In addition to the rights under CCPA, consumers would have additional rights under the CPRA, including, a) right to correct personal information held by a business, b) right to know length of data retention, c) right to opt-out of advertisers using precise geolocation, and d) right to restrict usage of sensitive personal information.

Expanded Rights to Opt-Out of the Sale of PI:  The CPRA would  restrict the “sharing” of personal information, potentially jeopardizing the  current regulations that allow a business to share PI to complete a contract for goods or services.

Contracts with Service Providers: The CPRA expands on the requirements in the CCPA regarding required contract provisions with service providers. The CCPA required only a provision that prohibited retaining, using, or disclosing a consumer’s personal information other than for the specific purposes of performing the services or as otherwise permitted under the CCPA. In contrast, the CPRA requires contracts with service providers to prohibit (a) the selling or sharing of personal information; (b) retaining, using, or disclosing the information outside the purposes specified in the contract or as otherwise permitted under the CPRA; (c) retaining, using, or disclosing outside the direct business relationship with the business; and (d) combining data it receives from the business from information it collects from another person, including the consumer.

Employee Data and Business Contact Information: The CPRA would extend the exemptions for business contact and employee/applicant data. : In general, most of the provisions of the CCPA did not apply to employee data or business contact information until January 1, 2021. A recently enacted amendment to the CCPA (SB1281) extended the date of full employer compliance until January 1, 2022.  However, if the CPRA (Prop. 24) passes,  that moratorium would be extended until at least January 1, 2023.

Expanded Breach Liability: In addition to the CCPA’s private right of action for breaches of nonencrypted, nonredacted personal information, the CPRA would expand that right to sue the a business to include the unauthorized access or disclosure of an email address and password or security question if the business failed to maintain reasonable security.

Enforcement Date: The Act if passed would be enforceable on January 2, 2023, so there would be time for businesses to scale-up to meet these requirements.

A Full text of the CPRA can be accessed at this link: