
California Continues to Disrupt Data Privacy Policies

  • Writer: Zac Soto
  • Oct 22, 2020
  • 2 min read

After two years of working to comply with the recently adopted California Consumer Privacy Act ("CCPA"), companies operating in California may once again find themselves needing to revamp data privacy policies and practices after this coming election day. California voters will be voting on whether to implement the new California Privacy Rights Act ("CPRA"), which, although it would become enforceable on January 1, 2023, still amends the CCPA in significant ways to which even CCPA-compliant companies will need to adapt.


Changes to existing compliance schemes under the CCPA are varied and sweeping, and include (but are not limited to) the following, all of which potentially impact businesses collecting any consumer data from California residents:


  1. In addition to the CCPA's restrictions on the collection, use and disclosure of "personal information" that identifies or is reasonably capable of identifying consumers, the CPRA would create a new category of "sensitive personal information", including information such as social security, license or passport numbers, financial account access information, geolocation information, racial, ethnic or religious information, and genetic data. Businesses collecting this information would need to notify consumers that they do so, and consumers will have the right to opt out of such information being disclosed or used in certain manners.

  2. Collection, use, retention and disclosure of personal and sensitive information will now need to meet a "proportionality test" of being reasonably necessary and proportionate to achieve the purposes for which such information is collected or processed, or for other expressly disclosed purposes.

  3. Consumers will, in certain circumstances, be granted opt-out rights to certain automated decision-making practices of companies subject to the CPRA (which could potentially make a major impact within the FinTech community, where such automated decision-making has become popularized).

  4. "Contractors" of CPRA-compliant businesses will need to agree to meet certain CPRA standards regarding the sale, retention, disclosure or combination of consumer personal data provided to them by such CPRA-compliant businesses. These agreements will need to be formalized to meet specific CPRA requirements, not unlike the "Standard Contractual Clauses" ("SCCs") prescribed by the European Union's General Data Protection Regulation ("GDPR").

  5. Reasonable safeguards will need to be adopted by CPRA-compliant businesses with respect to the protection of personal information and sensitive information.

Obviously, the above is not a comprehensive review of potential regulatory changes under the CPRA, and there is the chance that Californians will reject the implementation of the CPRA in the general election. Nevertheless, given the proven time and effort commitments that are required whenever businesses are forced to meet new regulatory standards, engagement of counsel with experience handling data privacy compliance matters is essential for ensuring that businesses operating in California or serving Californians avoid potentially significant liabilities.

 
 
 
