December 20, 2019

CCPA 2.0 Update: Latest Changes to the CPREA

After the Governor approved the final amendment bills of the California Consumer Privacy Act (CCPA) on September 13, 2019, the effective date of this data privacy regulation moved closer to reality.

With businesses focusing their CCPA compliance efforts on beating the January 1, 2020 deadline, the proponents of the initial CCPA ballot initiative tabled a new initiative on September 25, 2019: the California Privacy Rights and Enforcement Act (CPREA) of 2020, commonly referred to as CCPA 2.0.

The proponents of CCPA 2.0 intend to have this regulation voted on in the 2020 General Election.

Initial Improvements to the CCPA Envisioned under CCPA 2.0

If it garners support from Californians, CCPA 2.0 will significantly widen the scope of CCPA protections for consumers as well as the obligations on businesses. Some of the notable additions expected to come into effect if CCPA 2.0 is passed include:

  • Introduce GDPR-like principles comprising purpose limitation, storage restrictions, data minimization, and data integrity
  • Establish a new classification of data referred to as ‘Sensitive Personal Information,’ which comprises health and financial data, race or ethnicity, and accurate geolocation. Additionally, this law seeks to give customers the privilege to opt in before the sale of this data and the right to opt out of its use for advertising.
  • Create fresh obligations for profiling activities, requiring companies to reveal whether they are using consumer data for profiling where that profiling could justifiably have a ‘negative’ impact on the consumer. Businesses are also expected to offer meaningful information about the rationale behind the use of consumers’ data for profiling.
  • Establish a California Privacy Protection Agency. This body will be charged with the duty of enforcing the law and offering guidance to affected sectors as well as customers.

Latest Revisions to CCPA 2.0

At the start of December 2019, the proponent of CCPA 2.0, Alistair Mactaggart, submitted a revised version of the proposed California Privacy Rights and Enforcement Act to the Attorney General of California.

The key revisions to the initial CCPA 2.0 draft that businesses need to know focus on:

  • Advertising technologies
  • Service providers
  • Introducing more GDPR principles
  • Transparency

Update: California’s Attorney General published the revisions to CCPA’s proposed regulations on February 7, 2020.

Advertising Technologies

Concerning AdTech, the revised CCPA 2.0 draft seeks to:

  • Classify the utilization of personal information to target persons with ads that track them as they browse the web as an explicit ‘sale’
  • Allow companies to continue offering ‘first-party’ behaviorally targeted ads, including through third parties, that are restricted to the user’s direct engagement with that specific corporate entity
  • Introduce the concept of ‘non-personalized ads’
  • Oblige service providers and contractors to separate the information they learn about a user while helping a company with advertising and marketing from other data they gather about the customer from other sources.
  • Establish the concept of ‘dark-pattern’, which is described as a user interface designed or manipulated with the substantial consequence of changing or lowering consumer independence or decision-making as further defined by law.
  • Categorize the provision of advertising or marketing services as a business objective. However, it is important to note that this classification does not incorporate Cross-Context Behavioral Advertising – ads targeted to consumers informed by a profile or forecasts about the user based on their activity patterns across different businesses or uniquely-branded amenities, webpages or apps.

Service Providers

For most companies that handle personal information, service providers are an integral part of their data processing activities. Under the revised CCPA 2.0 terms:

  • Service providers will not be obliged to address a verifiable consumer request lodged directly by a user or an authorized agent
  • ‘Business purpose’ comprises the service providers’ operational aims as outlined by statutes established according to the law
  • Additional prescriptive provisions concerning what contracts with service providers should contain will be introduced
  • Service providers are obligated to pass deletion requests downstream unless doing so calls for disproportionate effort

Introducing Additional GDPR Principles

The revised CCPA 2.0 text incorporates GDPR terms that are not part of the CCPA set to come into effect on January 1, 2020. They include:

  • A new description of consent whereby it is identified as “any freely given, particular, knowledgeable, and clear indication of the consumer’s wishes by which he or she, or his or her legal guardian, by a person who has power of attorney or is acting as a conservator for the consumer, such as by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose.”
  • A GDPR-like purpose limitation where businesses will be required to gather and hold only personal information that is relevant to the realization of their disclosed purpose or a compatible objective.

Transparency

When it comes to transparency, the revised CCPA 2.0 text:

  • Provides for the extension of the exemptions covering employee and B2B communications until January 1, 2023
  • Restores the right of access to apply to 12 months only with specific exceptions. However, the extended right of access will be introduced for data gathered after January 1, 2022.
  • Drops the obligations for data used for political objectives
  • Changes the threshold of collecting the data of users, households, or devices from 50,000 to 200,000
  • Calls for the release of guidelines to clarify issues such as business purpose, prerequisites for cybersecurity audit for specifically risky processing, access and opt-out rights for automated decision-making and profiling, as well as opt-out based on technical predispositions.
  • Sets the enforcement date of the CPREA provisions to January 1, 2023.
  • Seeks to oblige businesses to reveal the duration of data retention or their mechanism of determining the retention period

At Secure Privacy, we will be monitoring CCPA 2.0 closely and will keep you updated about the latest developments as they happen.

Meanwhile, in case you have questions about CCPA 1.0, check out our detailed guide on how to become CCPA compliant. If you want to learn more about the upcoming changes after Prop 24 approval, take a look at our article about the difference between CCPA and CCPA 2.0.

Alternatively, get a personalized demo of our solution from a data privacy and security expert by scheduling a call with us.